Revert "Bug 17902: Fix possible SQL injection in serials editing"
[koha.git] / C4 / Acquisition.pm
index 355c914..c113c16 100644 (file)
@@ -29,7 +29,7 @@ use C4::Debug;
 use C4::Templates qw(gettemplate);
 use Koha::DateUtils qw( dt_from_string output_pref );
 use Koha::Acquisition::Order;
-use Koha::Acquisition::Bookseller;
+use Koha::Acquisition::Booksellers;
 use Koha::Number::Price;
 use Koha::Libraries;
 
@@ -351,13 +351,13 @@ sub GetBasketGroupAsCSV {
         my $contract   = GetContract({
             contractnumber => $basket->{contractnumber}
         });
-        my $bookseller = Koha::Acquisition::Bookseller->fetch({ id => $basket->{booksellerid} });
+        my $bookseller = Koha::Acquisition::Booksellers->find( $basket->{booksellerid} );
         my $basketgroup = GetBasketgroup( $$basket{basketgroupid} );
 
         foreach my $order (@orders) {
             my $bd = GetBiblioData( $order->{'biblionumber'} );
             my $row = {
-                clientnumber => $bookseller->{accountnumber},
+                clientnumber => $bookseller->accountnumber,
                 basketname => $basket->{basketname},
                 ordernumber => $order->{ordernumber},
                 author => $bd->{author},
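Review bot: The switch from hashref access to method calls (`$bookseller->accountnumber` in the `my $row = {` block) will die with "Can't call method on an undefined value" when `Koha::Acquisition::Booksellers->find` returns undef for a basket whose booksellerid no longer matches a vendor, whereas the old `$bookseller->{accountnumber}` merely produced empty cells; nothing in the hunk guards against that. If `find` returns undef for an unknown id, as a Koha::Objects `find` normally does, add a guard before the order loop, e.g. `next unless $bookseller;` or `die "Bookseller $basket->{booksellerid} not found" unless $bookseller;`, depending on whether a missing vendor should skip the basket or abort the export. The same applies to the `discount`, `name`, `address1` and `postal` calls in the next hunk and to `populate_order_with_prices`, where `$bookseller->listincgst` and `$bookseller->invoiceincgst` are called after the same `find`. GetBasketGroupAsCSV starts before this hunk and continues after it.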
@@ -369,14 +369,14 @@ sub GetBasketGroupAsCSV {
                 quantity => $order->{quantity},
                 rrp_tax_included => $order->{rrp_tax_included},
                 rrp_tax_excluded => $order->{rrp_tax_excluded},
-                discount => $bookseller->{discount},
+                discount => $bookseller->discount,
                 ecost_tax_included => $order->{ecost_tax_included},
                 ecost_tax_excluded => $order->{ecost_tax_excluded},
                 notes => $order->{order_vendornote},
                 entrydate => $order->{entrydate},
-                booksellername => $bookseller->{name},
-                bookselleraddress => $bookseller->{address1},
-                booksellerpostal => $bookseller->{postal},
+                booksellername => $bookseller->name,
+                bookselleraddress => $bookseller->address1,
+                booksellerpostal => $bookseller->postal,
                 contractnumber => $contract->{contractnumber},
                 contractname => $contract->{contractname},
             };
@@ -1380,8 +1380,14 @@ sub ModReceiveOrder {
                         );
     }
 
+    my $result_set = $dbh->selectrow_arrayref(
+            q{SELECT aqbasket.is_standing
+            FROM aqbasket
+            WHERE basketno=?},{ Slice => {} }, $order->{basketno});
+    my $is_standing = $result_set->[0];  # we assume we have a unique basket
+
     my $new_ordernumber = $order->{ordernumber};
-    if ( $order->{quantity} > $quantrec ) {
+    if ( $is_standing || $order->{quantity} > $quantrec ) {
         # Split order line in two parts: the first is the original order line
         # without received items (the quantity is decreased),
         # the second part is a new order line with quantity=quantityrec
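Review bot: The `{ Slice => {} }` attribute on the new `selectrow_arrayref` call has no effect — `Slice` is documented for `selectall_arrayref`, and the attr hash is otherwise only handed to `prepare` — so a single scalar column reads more directly as `my ($is_standing) = $dbh->selectrow_array( q{SELECT is_standing FROM aqbasket WHERE basketno = ?}, undef, $order->{basketno} );`. When no basket row matches, `$result_set` is undef and `$is_standing` silently becomes undef, so the order falls through to the non-standing branch; if that is not the intended behaviour, the comment `we assume we have a unique basket` should be replaced by an explicit check on the row count. ModReceiveOrder starts before and ends after this hunk.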
@@ -1395,7 +1401,7 @@ sub ModReceiveOrder {
         my $sth = $dbh->prepare($query);
 
         $sth->execute(
-            $order->{quantity} - $quantrec,
+            ( $is_standing ? 1 : ($order->{quantity} - $quantrec) ),
             ( defined $order->{order_internalnote} ? $order->{order_internalnote} : () ),
             $order->{ordernumber}
         );
@@ -1403,7 +1409,9 @@ sub ModReceiveOrder {
         # Recalculate tax_value
         $dbh->do(q|
             UPDATE aqorders
-            SET tax_value = quantity * ecost_tax_excluded * tax_rate
+            SET
+                tax_value_on_ordering = quantity * ecost_tax_excluded * tax_rate_on_ordering,
+                tax_value_on_receiving = quantity * unitprice_tax_excluded * tax_rate_on_receiving
             WHERE ordernumber = ?
         |, undef, $order->{ordernumber});
 
@@ -1411,7 +1419,12 @@ sub ModReceiveOrder {
         $order->{budget_id} = ( $budget_id || $order->{budget_id} );
         $order->{quantity} = $quantrec;
         $order->{quantityreceived} = $quantrec;
-        $order->{tax_value} = $order->{quantity} * $order->{unitprice_tax_excluded} * $order->{tax_rate};
+        $order->{ecost_tax_excluded} //= 0;
+        $order->{tax_rate_on_ordering} //= 0;
+        $order->{unitprice_tax_excluded} //= 0;
+        $order->{tax_rate_on_receiving} //= 0;
+        $order->{tax_value_on_ordering} = $order->{quantity} * $order->{ecost_tax_excluded} * $order->{tax_rate_on_ordering};
+        $order->{tax_value_on_receiving} = $order->{quantity} * $order->{unitprice_tax_excluded} * $order->{tax_rate_on_receiving};
         $order->{datereceived} = $datereceived;
         $order->{invoiceid} = $invoice->{invoiceid};
         $order->{orderstatus} = 'complete';
@@ -1437,12 +1450,12 @@ sub ModReceiveOrder {
         | if defined $order->{unitprice};
 
         $query .= q|
-            , rrp = ?, rrp_tax_included = ?, rrp_tax_excluded = ?
-        | if defined $order->{rrp};
+            ,tax_value_on_receiving = ?
+        | if defined $order->{tax_value_on_receiving};
 
         $query .= q|
-            , ecost = ?, ecost_tax_included = ?, ecost_tax_excluded = ?
-        | if defined $order->{ecost};
+            ,tax_rate_on_receiving = ?
+        | if defined $order->{tax_rate_on_receiving};
 
         $query .= q|
             , order_internalnote = ?
@@ -1451,17 +1464,20 @@ sub ModReceiveOrder {
         $query .= q| where biblionumber=? and ordernumber=?|;
 
         my $sth = $dbh->prepare( $query );
-        my @params = ( $quantrec, $datereceived, $invoice->{invoiceid}, $budget_id );
+        my @params = ( $quantrec, $datereceived, $invoice->{invoiceid}, ( $budget_id ? $budget_id : $order->{budget_id} ) );
 
         if ( defined $order->{unitprice} ) {
             push @params, $order->{unitprice}, $order->{unitprice_tax_included}, $order->{unitprice_tax_excluded};
         }
-        if ( defined $order->{rrp} ) {
-            push @params, $order->{rrp}, $order->{rrp_tax_included}, $order->{rrp_tax_excluded};
+
+        if ( defined $order->{tax_value_on_receiving} ) {
+            push @params, $order->{tax_value_on_receiving};
         }
-        if ( defined $order->{ecost} ) {
-            push @params, $order->{ecost}, $order->{ecost_tax_included}, $order->{ecost_tax_excluded};
+
+        if ( defined $order->{tax_rate_on_receiving} ) {
+            push @params, $order->{tax_rate_on_receiving};
         }
+
         if ( defined $order->{order_internalnote} ) {
             push @params, $order->{order_internalnote};
         }
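Review bot: The new `my @params` line writes the budget fallback as `( $budget_id ? $budget_id : $order->{budget_id} )` while the split branch earlier in this diff spells the same thing as `( $budget_id || $order->{budget_id} )`; one form should be used in both places, e.g. `my @params = ( $quantrec, $datereceived, $invoice->{invoiceid}, $budget_id || $order->{budget_id} );`. The new `if ( defined $order->{tax_value_on_receiving} )` and `tax_rate_on_receiving` pushes must stay in exactly the same order and under exactly the same conditions as the `$query .=` fragments appended in the previous hunk, because the placeholders are positional; a comment above the params list such as `# Order and conditions must mirror the fragments appended to $query above` would make that invariant visible to the next person who adds a column. ModReceiveOrder ends after this hunk.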
@@ -1568,7 +1584,9 @@ sub CancelReceipt {
         # Recalculate tax_value
         $dbh->do(q|
             UPDATE aqorders
-            SET tax_value = quantity * ecost_tax_excluded * tax_rate
+            SET
+                tax_value_on_ordering = quantity * ecost_tax_excluded * tax_rate_on_ordering,
+                tax_value_on_receiving = quantity * unitprice_tax_excluded * tax_rate_on_receiving
             WHERE ordernumber = ?
         |, undef, $parent_ordernumber);
 
@@ -2850,7 +2868,7 @@ sub populate_order_with_prices {
     my $booksellerid = $params->{booksellerid};
     return unless $booksellerid;
 
-    my $bookseller = Koha::Acquisition::Bookseller->fetch({ id => $booksellerid });
+    my $bookseller = Koha::Acquisition::Booksellers->find( $booksellerid );
 
     my $receiving = $params->{receiving};
     my $ordering  = $params->{ordering};
@@ -2858,12 +2876,13 @@ sub populate_order_with_prices {
     $discount /= 100 if $discount > 1;
 
     if ($ordering) {
-        if ( $bookseller->{listincgst} ) {
+        $order->{tax_rate_on_ordering} //= $order->{tax_rate};
+        if ( $bookseller->listincgst ) {
             # The user entered the rrp tax included
             $order->{rrp_tax_included} = $order->{rrp};
 
             # rrp tax excluded = rrp tax included / ( 1 + tax rate )
-            $order->{rrp_tax_excluded} = $order->{rrp_tax_included} / ( 1 + $order->{tax_rate} );
+            $order->{rrp_tax_excluded} = $order->{rrp_tax_included} / ( 1 + $order->{tax_rate_on_ordering} );
 
             # ecost tax excluded = rrp tax excluded * ( 1 - discount )
             $order->{ecost_tax_excluded} = $order->{rrp_tax_excluded} * ( 1 - $discount );
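Review bot: The new `$order->{tax_rate_on_ordering} //= $order->{tax_rate};` carries no comment saying why the per-phase rate falls back to the single `tax_rate` key; presumably this keeps callers that still pass only `tax_rate` working, and if so a comment such as `# Callers may still supply a single tax_rate; use it for this phase unless a phase-specific rate was given` would document the compatibility intent. The same applies to the matching `$order->{tax_rate_on_receiving} //= $order->{tax_rate};` line in the receiving block later in this diff. populate_order_with_prices starts before and ends after this hunk.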
@@ -2876,7 +2895,7 @@ sub populate_order_with_prices {
             $order->{rrp_tax_excluded} = $order->{rrp};
 
             # rrp tax included = rrp tax excluded * ( 1 - tax rate )
-            $order->{rrp_tax_included} = $order->{rrp_tax_excluded} * ( 1 + $order->{tax_rate} );
+            $order->{rrp_tax_included} = $order->{rrp_tax_excluded} * ( 1 + $order->{tax_rate_on_ordering} );
 
             # ecost tax excluded = rrp tax excluded * ( 1 - discount )
             $order->{ecost_tax_excluded} = $order->{rrp_tax_excluded} * ( 1 - $discount );
@@ -2884,16 +2903,18 @@ sub populate_order_with_prices {
             # ecost tax included = rrp tax excluded * ( 1 - tax rate ) * ( 1 - discount )
             $order->{ecost_tax_included} =
                 $order->{rrp_tax_excluded} *
-                ( 1 + $order->{tax_rate} ) *
+                ( 1 + $order->{tax_rate_on_ordering} ) *
                 ( 1 - $discount );
         }
 
         # tax value = quantity * ecost tax excluded * tax rate
-        $order->{tax_value} = $order->{quantity} * $order->{ecost_tax_excluded} * $order->{tax_rate};
+        $order->{tax_value_on_ordering} =
+            $order->{quantity} * $order->{ecost_tax_excluded} * $order->{tax_rate_on_ordering};
     }
 
     if ($receiving) {
-        if ( $bookseller->{invoiceincgst} ) {
+        $order->{tax_rate_on_receiving} //= $order->{tax_rate};
+        if ( $bookseller->invoiceincgst ) {
             # Trick for unitprice. If the unit price rounded value is the same as the ecost rounded value
             # we need to keep the exact ecost value
             if ( Koha::Number::Price->new( $order->{unitprice} )->round == Koha::Number::Price->new( $order->{ecost_tax_included} )->round ) {
@@ -2904,7 +2925,7 @@ sub populate_order_with_prices {
             $order->{unitprice_tax_included} = $order->{unitprice};
 
             # unit price tax excluded = unit price tax included / ( 1 + tax rate )
-            $order->{unitprice_tax_excluded} = $order->{unitprice_tax_included} / ( 1 + $order->{tax_rate} );
+            $order->{unitprice_tax_excluded} = $order->{unitprice_tax_included} / ( 1 + $order->{tax_rate_on_receiving} );
         }
         else {
             # Trick for unitprice. If the unit price rounded value is the same as the ecost rounded value
@@ -2916,12 +2937,13 @@ sub populate_order_with_prices {
             # The user entered the unit price tax excluded
             $order->{unitprice_tax_excluded} = $order->{unitprice};
 
+
             # unit price tax included = unit price tax included * ( 1 + tax rate )
-            $order->{unitprice_tax_included} = $order->{unitprice_tax_excluded} * ( 1 + $order->{tax_rate} );
+            $order->{unitprice_tax_included} = $order->{unitprice_tax_excluded} * ( 1 + $order->{tax_rate_on_receiving} );
         }
 
         # tax value = quantity * unit price tax excluded * tax rate
-        $order->{tax_value} = $order->{quantity} * $order->{unitprice_tax_excluded} * $order->{tax_rate};
+        $order->{tax_value_on_receiving} = $order->{quantity} * $order->{unitprice_tax_excluded} * $order->{tax_rate_on_receiving};
     }
 
     return $order;