From 17f7f8930a9a17d79e87a36efdfc53c983917a2f Mon Sep 17 00:00:00 2001
From: Kyle M Hall <kyle@bywatersolutions.com>
Date: Tue, 30 Jan 2024 10:58:02 -0500
Subject: [PATCH 01/20] Bug 35942: OPAC user can enroll several times to the
 same club [23.05.x]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Test Plan:

1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab show 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9bdab108e22768b018b017ed7c0e0016270f2570)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 opac/svc/club/enroll | 51 +++++++++++++++++++++++++++-----------------
 svc/club/enroll      | 18 ++++++++++------
 2 files changed, 43 insertions(+), 26 deletions(-)

diff --git a/opac/svc/club/enroll b/opac/svc/club/enroll
index aff1d51fb9..249a2bdd09 100755
--- a/opac/svc/club/enroll
+++ b/opac/svc/club/enroll
@@ -30,8 +30,8 @@ use Koha::Clubs;
 
 my $cgi = CGI->new;
 
-my ( $auth_status ) =
-  check_cookie_auth( $cgi->cookie('CGISESSID') );
+my ($auth_status) =
+    check_cookie_auth( $cgi->cookie('CGISESSID') );
 if ( $auth_status ne "ok" ) {
     exit 0;
 }
@@ -42,31 +42,42 @@ my $id = $cgi->param('id');
 
 my $enrollment;
 if ( $borrowernumber && $id ) {
+    my $already_enrolled = Koha::Club::Enrollments->search(
+        {
+            club_id        => $id,
+            borrowernumber => $borrowernumber,
+            date_canceled  => undef,
+        }
+    )->count();
+
     my $club = Koha::Clubs->find($id);
 
-    if ( $club->club_template()->is_enrollable_from_opac() ) {
-        $enrollment = Koha::Club::Enrollment->new()->set(
-            {
-                club_id        => $club->id(),
-                borrowernumber => $borrowernumber,
-                date_enrolled  => \'NOW()',
-                date_created   => \'NOW()',
-                branchcode     => C4::Context->userenv
-                ? C4::Context->userenv->{'branch'}
-                : undef,
-            }
-        )->store();
+    my $wrong_branch = $club->branchcode && C4::Context->userenv && C4::Context->userenv->{branch} ne $club->branchcode;
 
-        my @enrollment_fields = $club->club_template()->club_template_enrollment_fields->as_list;
+    unless ( $already_enrolled || $wrong_branch ) {
 
-        foreach my $e (@enrollment_fields) {
-            Koha::Club::Enrollment::Field->new()->set(
+        if ( $club->club_template()->is_enrollable_from_opac() ) {
+            $enrollment = Koha::Club::Enrollment->new(
                 {
-                    club_enrollment_id                => $enrollment->id(),
-                    club_template_enrollment_field_id => $e->id(),
-                    value                             => $cgi->param( $e->id() ),
+                    club_id        => $club->id(),
+                    borrowernumber => $borrowernumber,
+                    date_enrolled  => \'NOW()',
+                    date_created   => \'NOW()',
+                    branchcode     => C4::Context->userenv ? C4::Context->userenv->{branch} : undef,
                 }
             )->store();
+
+            my @enrollment_fields = $club->club_template()->club_template_enrollment_fields->as_list;
+
+            foreach my $e (@enrollment_fields) {
+                Koha::Club::Enrollment::Field->new()->set(
+                    {
+                        club_enrollment_id                => $enrollment->id(),
+                        club_template_enrollment_field_id => $e->id(),
+                        value                             => scalar $cgi->param( $e->id() ),
+                    }
+                )->store();
+            }
         }
     }
 }
diff --git a/svc/club/enroll b/svc/club/enroll
index 9c88c54717..87c6cddfdc 100755
--- a/svc/club/enroll
+++ b/svc/club/enroll
@@ -30,8 +30,8 @@ use Koha::Clubs;
 
 my $cgi = CGI->new;
 
-my ( $auth_status ) =
-  check_cookie_auth( $cgi->cookie('CGISESSID'), { clubs => 'enroll' } );
+my ($auth_status) =
+    check_cookie_auth( $cgi->cookie('CGISESSID'), { clubs => 'enroll' } );
 if ( $auth_status ne "ok" ) {
     exit 0;
 }
@@ -43,15 +43,21 @@ my $club = Koha::Clubs->find($id);
 
 my $enrollment;
 if ($club) {
+    my $already_enrolled = Koha::Club::Enrollments->search(
+        {
+            club_id        => $id,
+            borrowernumber => $borrowernumber,
+            date_canceled  => undef,
+        }
+    )->count();
+
     $enrollment = Koha::Club::Enrollment->new(
         {
             club_id        => $club->id(),
             borrowernumber => $borrowernumber,
-            date_enrolled  => \'NOW()',
-            date_created   => \'NOW()',
-            branchcode     => C4::Context->userenv ? C4::Context->userenv->{'branch'} : undef,
+            date_canceled  => undef,
         }
-    )->store();
+    )->store() unless $already_enrolled;
 
     if ($enrollment) {
         my @enrollment_fields = $club->club_template()->club_template_enrollment_fields->as_list;

From ae48106422e333ea89c16daa57e20bba11063fa1 Mon Sep 17 00:00:00 2001
From: Andreas Jonsson <andreas.jonsson@kreablo.se>
Date: Thu, 7 Mar 2024 09:07:49 +0000
Subject: [PATCH 02/20] Bug 36244: Unit test for tt syntax in parameters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 3f8b7785cd703f89de140108eb9347bf33a0c764)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 285f3093ed594d961c5618ed2b110f86f5467f35)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 t/db_dependent/Letters.t | 47 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/t/db_dependent/Letters.t b/t/db_dependent/Letters.t
index 84f09a82f9..5115d4a895 100755
--- a/t/db_dependent/Letters.t
+++ b/t/db_dependent/Letters.t
@@ -18,7 +18,7 @@
 # along with Koha; if not, see <http://www.gnu.org/licenses>.
 
 use Modern::Perl;
-use Test::More tests => 92;
+use Test::More tests => 93;
 use Test::MockModule;
 use Test::Warn;
 use Test::Exception;
@@ -1099,3 +1099,48 @@ subtest 'Test message_id parameter for SendQueuedMessages' => sub {
     is( $message_1->{status}, 'failed', 'Message 1 status is unchanged' );
     is( $message_2->{status}, 'sent', 'Valid from_address => status sent' );
 };
+
+subtest 'Template toolkit syntax in parameters' => sub {
+
+    my $borrowernumber = Koha::Patron->new(
+        {
+            firstname      => 'Robert',
+            surname        => '[% USE Categories %][% Categories.all().search_related("borrowers").count() %]',
+            categorycode   => $patron_category,
+            branchcode     => $library->{branchcode},
+            dateofbirth    => $date,
+            smsalertnumber => undef,
+        }
+    )->store->borrowernumber;
+
+    my $title   = q|<<branches.branchname>> - <<status>>|;
+    my $content = q{Dear <<borrowers.firstname>> <<borrowers.surname>>};
+
+    $dbh->do(
+        q|INSERT INTO letter(branchcode,module,code,name,is_html,title,content,message_transport_type) VALUES (?,'my module','tt test','my name',1,?,?,'email')|,
+        undef, $library->{branchcode}, $title, $content
+    );
+
+    my $tables = {
+        borrowers => $borrowernumber,
+        branches  => $library->{branchcode},
+        biblio    => $biblionumber,
+    };
+    my $substitute = {
+        status => 'overdue',
+    };
+    my $prepared_letter = GetPreparedLetter(
+        module      => 'my module',
+        branchcode  => $library->{branchcode},
+        letter_code => 'tt test',
+        tables      => $tables,
+        substitute  => $substitute,
+        repeat      => [],
+    );
+
+    is(
+        $prepared_letter->{content},
+        'Dear Robert [% USE Categories %][% Categories.all().search_related("borrowers").count() %]',
+        'Template toolkit syntax in parameter was not evaluated.'
+    );
+};

From dfcdc322e978910fa165e1d3d1be2742c6198b02 Mon Sep 17 00:00:00 2001
From: Andreas Jonsson <andreas.jonsson@kreablo.se>
Date: Thu, 7 Mar 2024 09:12:25 +0000
Subject: [PATCH 03/20] Bug 36244: Do template toolkit processing first
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

To avoid injection of template toolkit code
from database fields that are controlled by
untrusted sources.

Test plan:

* review subtest 'Template toolkit syntax in
  parameters' in t/db_dependent/Letters.t
* Run the unit test:
  prove t/db_dependent/Letters.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 07ac3b0b9450f812bb48cfecf7bf3f47f63279b5)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 20353e094a952f506b9be7f21740e1001fbdeb69)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 C4/Letters.pm | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/C4/Letters.pm b/C4/Letters.pm
index ab16f729c5..25300bd5ec 100644
--- a/C4/Letters.pm
+++ b/C4/Letters.pm
@@ -602,6 +602,28 @@ sub GetPreparedLetter {
          return;
     my $want_librarian = $params{want_librarian};
 
+    $letter->{content} = _process_tt(
+        {
+            content    => $letter->{content},
+            lang       => $lang,
+            loops      => $loops,
+            objects    => $objects,
+            substitute => $substitute,
+            tables     => $tables,
+        }
+    );
+
+    $letter->{title} = _process_tt(
+        {
+            content    => $letter->{title},
+            lang       => $lang,
+            loops      => $loops,
+            objects    => $objects,
+            substitute => $substitute,
+            tables     => $tables,
+        }
+    );
+
     if (%$substitute) {
         while ( my ($token, $val) = each %$substitute ) {
             $val //= q{};
@@ -672,28 +694,6 @@ sub GetPreparedLetter {
         }
     }
 
-    $letter->{content} = _process_tt(
-        {
-            content    => $letter->{content},
-            lang       => $lang,
-            loops      => $loops,
-            objects    => $objects,
-            substitute => $substitute,
-            tables     => $tables,
-        }
-    );
-
-    $letter->{title} = _process_tt(
-        {
-            content    => $letter->{title},
-            lang       => $lang,
-            loops      => $loops,
-            objects    => $objects,
-            substitute => $substitute,
-            tables     => $tables,
-        }
-    );
-
     $letter->{content} =~ s/<<\S*>>//go; #remove any stragglers
 
     return $letter;

From 652e3819bd35117aa7a388eeb06f8a9ee188b031 Mon Sep 17 00:00:00 2001
From: Kyle M Hall <kyle@bywatersolutions.com>
Date: Thu, 7 Mar 2024 11:10:35 -0500
Subject: [PATCH 04/20] Bug 36244: Add atomic update to check for affected
 notices

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Fixed some typos in bug numbers and text.

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 2e18611b7d8527c7ff9253a7669aad2c13a5afb0)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
---
 .../data/mysql/atomicupdate/bug_36244.pl      | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100755 installer/data/mysql/atomicupdate/bug_36244.pl

diff --git a/installer/data/mysql/atomicupdate/bug_36244.pl b/installer/data/mysql/atomicupdate/bug_36244.pl
new file mode 100755
index 0000000000..5fd40ecb2d
--- /dev/null
+++ b/installer/data/mysql/atomicupdate/bug_36244.pl
@@ -0,0 +1,27 @@
+use Modern::Perl;
+
+return {
+    bug_number  => "36244",
+    description => "Template Toolkit syntax not escaped in letter templates",
+    up          => sub {
+        my ($args) = @_;
+        my ( $dbh, $out ) = @$args{qw(dbh out)};
+
+        my $query = q{SELECT * FROM letter WHERE content LIKE "[|%%SET%<<%|%]" ESCAPE '|'};
+        my $sth   = $dbh->prepare($query);
+        $sth->execute();
+        if ( $sth->rows ) {
+            say $out "You have one or more templates that have been affected by bug 36244.";
+            say $out "These templates assign template toolkit variables values";
+            say $out "using the double arrows syntax. E.g. [% SET name = '<<branches.branchname>>' %]";
+            say $out
+                "This will no longer function correctly as Template Toolkit is now rendered before the double arrow syntax.";
+            say $out "The following notices will need to be updated:";
+
+            while ( my $row = $sth->fetchrow_hashref() ) {
+                say $out
+                    "ID: $row->{id} / MODULE: $row->{module} / CODE: $row->{code} / BRANCHCODE: $row->{branchcode} / NAME: $row->{name}";
+            }
+        }
+    },
+};

From 193ac375aa5e9f30b4a3421cdca54856ebce3ea8 Mon Sep 17 00:00:00 2001
From: Julian Maurice <julian.maurice@biblibre.com>
Date: Thu, 1 Feb 2024 09:15:23 +0100
Subject: [PATCH 05/20] Bug 35960: Use .val() instead of string concat to
 prevent potential XSS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char
3. Open the brower's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
   fragment. It should be URI-encoded.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e6f8a4361e2975dfefcd9773fa61ef7d40300086)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5409e17fb5abe0130f3cb2cd6c3d2a7707a5b251)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
index e87cb438c4..9ef3ebe7e0 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/auth.tt
@@ -219,7 +219,9 @@
     <script>
         $(document).ready( function() {
             if ( document.location.hash ) {
-                $( '#loginform' ).append( '<input name="auth_forwarded_hash" type="hidden" value="' + document.location.hash + '"/>' );
+                const input = $('<input name="auth_forwarded_hash" type="hidden">')
+                input.val(document.location.hash);
+                $( '#loginform' ).append( input );
             }
             // Clear last borrowers, rememberd sql reports, carts, etc.
             logOut();

From 7f885f405c99412cd3eee7e04b28a2969bd754c9 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Wed, 28 Feb 2024 16:28:33 +0100
Subject: [PATCH 06/20] Bug 36176: Reject cud- for stable branches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 30999e675f1bb9d0088d1fbd355a552e25b42f20)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 xt/find-cud.t | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100755 xt/find-cud.t

diff --git a/xt/find-cud.t b/xt/find-cud.t
new file mode 100755
index 0000000000..0f0805773a
--- /dev/null
+++ b/xt/find-cud.t
@@ -0,0 +1,26 @@
+#!/usr/bin/perl
+
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see <http://www.gnu.org/licenses>.
+
+use Modern::Perl;
+use Test::More tests => 1;
+use Data::Dumper;
+
+my @files = `git grep 'cud-' ':(exclude)xt/find-cud.t'`;
+chomp for @files;
+
+is( @files, 0, "This branch is not supposed to have 'cud-', see bug 34478." )
+    or diag( Dumper \@files );

From 02fbf0412a8503282b501985fbef29b753a6e2f0 Mon Sep 17 00:00:00 2001
From: Fridolin Somers <fridolin.somers@biblibre.com>
Date: Mon, 18 Mar 2024 16:32:57 +0100
Subject: [PATCH 07/20] Bug 36323: Move koha_perl_deps.pl to misc/devel
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit e865f1e1ae67266e822be2690dc5610b22cdded1)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5aaa696afed47906b3f25e440c9a9243dbc1d489)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 koha_perl_deps.pl => misc/devel/koha_perl_deps.pl | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename koha_perl_deps.pl => misc/devel/koha_perl_deps.pl (100%)

diff --git a/koha_perl_deps.pl b/misc/devel/koha_perl_deps.pl
similarity index 100%
rename from koha_perl_deps.pl
rename to misc/devel/koha_perl_deps.pl

From 8f5caa38207cc9bd0465fb4a38fb5a9bbc94cfc4 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 14 Mar 2024 16:42:08 +0100
Subject: [PATCH 08/20] Bug 36322: Redirect docs dir to 404
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

http://localhost:8081/cgi-bin/koha/docs/CAS/CASProxy/examples/proxy_cas.pl

Test plan:
Hit the link
=> Erk
Copy the apache config to /etc/koha/apache-shared-intranet-git.conf
restart_all
Hit the link
=> 404

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0cf08303932eea945d5c90cca0d5ca18fe8923d6)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 01f70904548e64c73f0ddd81a5559b5c3c69b620)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 debian/templates/apache-shared-intranet.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/templates/apache-shared-intranet.conf b/debian/templates/apache-shared-intranet.conf
index dbeaf0dca5..bc78833b08 100644
--- a/debian/templates/apache-shared-intranet.conf
+++ b/debian/templates/apache-shared-intranet.conf
@@ -13,7 +13,7 @@ ScriptAlias /search "/usr/share/koha/intranet/cgi-bin/catalogue/search.pl"
 
 # Protect dev package install
 RewriteEngine on
-RewriteRule ^/cgi-bin/koha/(C4|debian|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT]
+RewriteRule ^/cgi-bin/koha/(C4|debian|docs|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT]
 
 RewriteRule ^/bib/([^\/]*)/?$ /cgi-bin/koha/catalogue/detail.pl?biblionumber=$1 [PT]
 RewriteRule ^/isbn/([^\/]*)/?$ /search?q=isbn:$1 [PT]

From 0a34cdc9e3c730471cf8a5977aaa00e2114bd55a Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Fri, 15 Mar 2024 10:12:41 +0100
Subject: [PATCH 09/20] Bug 31988: Remove reports/itemtypes.plugin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This "plugin system" is only used for the itemtypes report. We can
simply remove the reports/manager.pl script and this plugin in favor of
a dedicated report.

Test plan:
Same behaviour expected before and after this patch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 499fe0bea7d995358bd45da2bea7058d803f2b4e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit e2c5e7b88bb9bbc2888129a8f782841f6f5fcff9)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 .../prog/en/includes/reports-menu.inc         |  2 +-
 .../prog/en/modules/reports/itemtypes.tt      |  4 +-
 .../prog/en/modules/reports/reports-home.tt   |  2 +-
 reports/catalog_by_itemtype.pl                | 99 +++++++++++++++++++
 reports/itemtypes.plugin                      | 85 ----------------
 reports/manager.pl                            | 53 ----------
 6 files changed, 103 insertions(+), 142 deletions(-)
 create mode 100755 reports/catalog_by_itemtype.pl
 delete mode 100755 reports/itemtypes.plugin
 delete mode 100755 reports/manager.pl

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/reports-menu.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/reports-menu.inc
index 3727737311..212313086a 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/reports-menu.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/reports-menu.inc
@@ -52,7 +52,7 @@
         <ul>
             <li><a href="/cgi-bin/koha/reports/itemslost.pl">Lost items</a></li>
             <li><a href="/cgi-bin/koha/reports/orders_by_fund.pl">Orders by fund</a></li>
-            <li><a href="/cgi-bin/koha/reports/manager.pl?report_name=itemtypes">Catalog by item type</a></li>
+            <li><a href="/cgi-bin/koha/reports/catalog_by_itemtype.pl">Catalog by item type</a></li>
             <li><a href="/cgi-bin/koha/reports/issues_avg_stats.pl">Average loan time</a></li>
         </ul>
     </div>
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/itemtypes.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/itemtypes.tt
index 4cbcac58ec..df8c430781 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/itemtypes.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/itemtypes.tt
@@ -22,7 +22,7 @@
         [% END %]
         [% IF ( do_it ) %]
             [% WRAPPER breadcrumb_item %]
-                <a href="/cgi-bin/koha/reports/manager.pl?report_name=itemtypes">Catalog by item type</a>
+                <a href="/cgi-bin/koha/reports/catalog_by_itemtype.pl">Catalog by item type</a>
             [% END %]
             [% WRAPPER breadcrumb_item bc_active= 1 %]
                 <span>Results</span>
@@ -69,7 +69,7 @@
 [% END %]
 [% ELSE %]
         <h1>View a count of items held at your library grouped by item type</h1>
-        <form method="post" action="/cgi-bin/koha/reports/manager.pl?report_name=itemtypes">
+        <form method="post" action="/cgi-bin/koha/reports/catalog_by_itemtype.pl">
           <fieldset class="rows">
             <ol>
               <li>
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/reports-home.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/reports-home.tt
index 2108e2c0b4..99c15aa758 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/reports-home.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/reports-home.tt
@@ -87,7 +87,7 @@
         <ul>
             <li><a href="/cgi-bin/koha/reports/itemslost.pl">Items lost</a></li>
             <li><a href="/cgi-bin/koha/reports/orders_by_fund.pl">Orders by fund</a></li>
-            <li><a href="/cgi-bin/koha/reports/manager.pl?report_name=itemtypes">Catalog by item type</a></li>
+            <li><a href="/cgi-bin/koha/reports/catalog_by_itemtype.pl">Catalog by item type</a></li>
             <li><a href="/cgi-bin/koha/reports/issues_avg_stats.pl">Average loan time</a></li>
             [% SET koha_version = Koha.Version %]
             [% IF koha_version.development %]
diff --git a/reports/catalog_by_itemtype.pl b/reports/catalog_by_itemtype.pl
new file mode 100755
index 0000000000..fcaf5f17ef
--- /dev/null
+++ b/reports/catalog_by_itemtype.pl
@@ -0,0 +1,99 @@
+#!/usr/bin/perl
+
+# Copyright 2000-2002 Katipo Communications
+#
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see <http://www.gnu.org/licenses>.
+
+use Modern::Perl;
+use C4::Auth qw( get_template_and_user );
+use CGI qw ( -utf8 );
+use C4::Context;
+use C4::Output qw( output_html_with_http_headers );
+
+my $input          = CGI->new;
+my $report_name    = $input->param("report_name");
+my $do_it          = $input->param('do_it');
+my $fullreportname = "reports/itemtypes.tt";
+my @values         = $input->multi_param("value");
+my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
+    {
+        template_name => $fullreportname,
+        query         => $input,
+        type          => "intranet",
+        flagsrequired => { reports => '*' },
+    }
+);
+$template->param(
+    do_it => $do_it,
+);
+if ($do_it) {
+    my $results = calculate( \@values );
+    $template->param( mainloop => $results );
+}
+output_html_with_http_headers $input, $cookie, $template->output;
+
+sub calculate {
+    my ($parameters) = @_;
+    my @results      = ();
+    my $branch       = @$parameters[0];
+    my $dbh          = C4::Context->dbh;
+    my $sth;
+    if ( C4::Context->preference('item-level_itypes') ) {
+        $sth = $dbh->prepare(
+            q|
+            SELECT itemtypes.itemtype, description, COUNT(*) AS total
+            FROM itemtypes, items
+            WHERE items.itype=itemtypes.itemtype
+            | . ( $branch ? q| AND items.holdingbranch=? | : () ) . q|
+            GROUP BY itemtypes.itemtype, description, items.itype
+            ORDER BY itemtypes.description
+        |
+        );
+    } else {
+        $sth = $dbh->prepare(
+            q|
+            SELECT itemtypes.itemtype, description, COUNT(*) AS total
+            FROM itemtypes, biblioitems, items
+            WHERE biblioitems.itemtype=itemtypes.itemtype
+            AND items.biblioitemnumber=biblioitems.biblioitemnumber
+            | . ( $branch ? q| AND items.holdingbranch=? | : () ) . q|
+            GROUP BY itemtypes.itemtype, description
+            ORDER BY itemtypes.description
+        |
+        );
+    }
+    $sth->execute( $branch || () );
+    my ( $itemtype, $description, $total );
+    my $grantotal = 0;
+    my $count     = 0;
+    while ( ( $itemtype, $description, $total ) = $sth->fetchrow ) {
+        my %line;
+        $line{itemtype} = $itemtype;
+        $line{count}    = $total;
+        $grantotal += $total;
+        push @results, \%line;
+        $count++;
+    }
+    my @mainloop;
+    my %globalline;
+    $globalline{loopitemtype} = \@results;
+    $globalline{total}        = $grantotal;
+    $globalline{branch}       = $branch;
+    push @mainloop, \%globalline;
+    return \@mainloop;
+}
+
+1;
diff --git a/reports/itemtypes.plugin b/reports/itemtypes.plugin
deleted file mode 100755
index ec2c535182..0000000000
--- a/reports/itemtypes.plugin
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/perl
-
-
-# Copyright 2000-2002 Katipo Communications
-#
-# This file is part of Koha.
-#
-# Koha is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# Koha is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Koha; if not, see <http://www.gnu.org/licenses>.
-
-use strict;
-use C4::Auth;
-use CGI qw ( -utf8 );
-use C4::Context;
-use C4::Search;
-use C4::Output;
-use C4::Koha;
-=head1
-
-=cut
-
-sub set_parameters {
-    my ($template) = @_;
-    return $template;
-}
-
-sub calculate {
-	my ($parameters) = @_;
-	my @results =();
-	my $branch = @$parameters[0];
-	my $dbh = C4::Context->dbh;
-	my $sth;
-    if ( C4::Context->preference('item-level_itypes') ) {
-        $sth = $dbh->prepare( q|
-            SELECT itemtypes.itemtype, description, COUNT(*) AS total
-            FROM itemtypes, items
-            WHERE items.itype=itemtypes.itemtype
-            | . ( $branch ? q| AND items.holdingbranch=? | : () ) . q|
-            GROUP BY itemtypes.itemtype, description, items.itype
-            ORDER BY itemtypes.description
-        |);
-    }
-    else {
-        $sth = $dbh->prepare( q|
-            SELECT itemtypes.itemtype, description, COUNT(*) AS total
-            FROM itemtypes, biblioitems, items
-            WHERE biblioitems.itemtype=itemtypes.itemtype
-            AND items.biblioitemnumber=biblioitems.biblioitemnumber
-            | . ( $branch ? q| AND items.holdingbranch=? | : () ) . q|
-            GROUP BY itemtypes.itemtype, description
-            ORDER BY itemtypes.description
-        |);
-    }
-    $sth->execute($branch || ());
-    my ($itemtype, $description,$total);
-	my $grantotal = 0;
-	my $count = 0;
-    while (($itemtype, $description,$total) = $sth->fetchrow) {
-		my %line;
-        $line{itemtype} = $itemtype;
-		$line{count} = $total;
-		$grantotal += $total;
-		push @results,\%line;
-		$count ++;
-	}
-	my @mainloop;
-	my %globalline;
-	$globalline{loopitemtype} = \@results;
-	$globalline{total} = $grantotal;
-	$globalline{branch} = $branch;
-	push @mainloop,\%globalline;
-	return \@mainloop;
-}
-
-1;
diff --git a/reports/manager.pl b/reports/manager.pl
deleted file mode 100755
index ff174f00d3..0000000000
--- a/reports/manager.pl
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/perl
-
-# Copyright 2000-2002 Katipo Communications
-#
-# This file is part of Koha.
-#
-# Koha is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# Koha is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Koha; if not, see <http://www.gnu.org/licenses>.
-
-use Modern::Perl;
-use CGI qw ( -utf8 );
-use C4::Auth qw( get_template_and_user );
-use C4::Context;
-use C4::Output qw( output_html_with_http_headers );
-
-
-my $input = CGI->new;
-my $report_name=$input->param("report_name");
-my $do_it=$input->param('do_it');
-my $fullreportname = "reports/".$report_name.".tt";
-my @values = $input->multi_param("value");
-my ($template, $borrowernumber, $cookie)
-	= get_template_and_user({template_name => $fullreportname,
-				query => $input,
-				type => "intranet",
-				flagsrequired => {reports => '*'},
-				});
-$template->param(do_it => $do_it,
-		report_name => $report_name,
-		);
-my $cgidir = C4::Context->config('intranetdir')."/cgi-bin/reports/";
-unless (-r $cgidir and -d $cgidir) {
-    $cgidir = C4::Context->config('intranetdir')."/reports/";
-} 
-my $plugin = $cgidir.$report_name.".plugin";
-require $plugin;
-if ($do_it) {
-	my $results = calculate(\@values);
-	$template->param(mainloop => $results);
-} else {
-	$template = set_parameters($template);
-}
-output_html_with_http_headers $input, $cookie, $template->output;

From decfeadb5ea8d63ba7df98dabdbe1f83e6619c9a Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Tue, 17 Mar 2020 11:54:12 +0100
Subject: [PATCH 10/20] Bug 24879: Add new test to catch missing auth statement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

in intranet scripts

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 8784a7e9ffe9fd5f22be133693d0d301f572e82d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 97ded9347cb21d4016f8d7cc42a360bad22490d7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 xt/find-missing-auth_checks.t | 72 +++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100755 xt/find-missing-auth_checks.t

diff --git a/xt/find-missing-auth_checks.t b/xt/find-missing-auth_checks.t
new file mode 100755
index 0000000000..bc9af3a6c2
--- /dev/null
+++ b/xt/find-missing-auth_checks.t
@@ -0,0 +1,72 @@
+#!/usr/bin/perl
+
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see <http://www.gnu.org/licenses>.
+
+use Modern::Perl;
+use Test::More;
+
+use File::Spec;
+use File::Find;
+
+my @files;
+sub wanted {
+    my $name = $File::Find::name;
+    push @files, $name
+      if $name =~ m{^\./(
+           acqui
+          |admin
+          |authorities
+          |basket
+          |catalogue
+          |cataloguing
+          |circ
+          |clubs
+          |course_reserves
+          |installer
+          |labels
+          |members
+          |patroncards
+          |pos
+          |reports
+          |reserve
+          |reviews
+          |rotating_collections
+          |serials
+          |services
+          |suggestion
+          |svc
+          |tags
+          |tools
+          |virtualshelves
+        )}xms
+      && $name =~ m{\.(pl)$}
+      && -f $name;
+}
+
+find({ wanted => \&wanted, no_chdir => 1 }, File::Spec->curdir());
+
+my @missing_auth_check;
+FILE: foreach my $name (@files) {
+    open( FILE, $name ) || die "cannot open file $name $!";
+    while ( my $line = <FILE> ) {
+        for my $routine ( qw( get_template_and_user check_cookie_auth checkauth check_api_auth ) ) {
+            next FILE if $line =~ m|^[^#]*$routine|;
+        }
+    }
+    push @missing_auth_check, $name;
+}
+is( scalar @missing_auth_check, 0 ) or diag "No auth check in the following files:\n" . join "\n", @missing_auth_check;
+done_testing;

From ff7f48c296d92cd27508075b9c3ecc35bcb568fe Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 14 Mar 2024 16:14:17 +0100
Subject: [PATCH 11/20] Bug 24879: Remove installer/externalmodules.pl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It is not used, if we need it back it must be moved to misc.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 90fe13e23976e2de81adc14fbabfb99660320989)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 917889bc77029ee632748e444523047b1aceed03)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 installer/externalmodules.pl | 27 ---------------------------
 1 file changed, 27 deletions(-)
 delete mode 100755 installer/externalmodules.pl

diff --git a/installer/externalmodules.pl b/installer/externalmodules.pl
deleted file mode 100755
index f836ccf023..0000000000
--- a/installer/externalmodules.pl
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/perl
-
-# This Script can be used to provide a list of ALL external modules ***used*** (uncommented) in Koha.
-# It provides you not only the list of modules BUT ALSO the files that uses those modules.
-# utf8 or warnings or other lib use are not taken into account at the moment.
-
-use Modern::Perl;
-use C4::Context;
-
-my $dir=C4::Context->config('intranetdir');
-qx(grep -r "^ *use" $dir | grep -v "C4\|strict\|vars" >/tmp/modulesKoha.log);
-$dir=C4::Context->config('opacdir');
-qx(grep -r "^ *use" $dir | grep -v "C4\|strict\|vars" >>/tmp/modulesKoha.log);
-
-open my $fh, '<', '/tmp/modulesKoha.log' ||die "unable to open file /tmp/modulesKoha.log";
-my %modulehash;
-while (my $line=<$fh>){
-  if ( $line=~m#(.*)\:\s*use\s+([A-Z][^\s;]+)# ){
-    my ($file,$module)=($1,$2);
-    my @filename = split /\//, $file;
-    push @{$modulehash{$module}},$filename[scalar(@filename) - 1];
-  }
-}
-print "external modules used in Koha ARE :\n";
-map {print "* $_ \t in files ",join (",",@{$modulehash{$_}}),"\n" } sort keys %modulehash;
-close $fh;
-unlink "/tmp/modulesKoha.log";

From 9011568676fae889a1a138a7cd28885ee8d80eba Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 14 Mar 2024 16:17:55 +0100
Subject: [PATCH 12/20] Bug 24879: Adjust tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Installer scripts cannot be run from the UI:
debian/templates/apache-shared-intranet.conf:RewriteRule ^/cgi-bin/koha/(C4|debian|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT]

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 6d61091f1ac8e66d2fdaac9a31530dfc7a7eb5fc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 2cb014d18387eb87387f6a2dae34f5d16d774303)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 xt/find-missing-auth_checks.t | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/xt/find-missing-auth_checks.t b/xt/find-missing-auth_checks.t
index bc9af3a6c2..77909bd5c9 100755
--- a/xt/find-missing-auth_checks.t
+++ b/xt/find-missing-auth_checks.t
@@ -35,7 +35,6 @@ sub wanted {
           |circ
           |clubs
           |course_reserves
-          |installer
           |labels
           |members
           |patroncards
@@ -62,7 +61,7 @@ my @missing_auth_check;
 FILE: foreach my $name (@files) {
     open( FILE, $name ) || die "cannot open file $name $!";
     while ( my $line = <FILE> ) {
-        for my $routine ( qw( get_template_and_user check_cookie_auth checkauth check_api_auth ) ) {
+        for my $routine ( qw( get_template_and_user check_cookie_auth checkauth check_api_auth C4::Service->init ) ) {
             next FILE if $line =~ m|^[^#]*$routine|;
         }
     }

From c76b77ad42d8e20d399cd943bdbbdc25c4619d7c Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 14 Mar 2024 16:19:06 +0100
Subject: [PATCH 13/20] Bug 24879: Add check_cookie_auth when missing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This can certainly be improved to adjust the permissions, but at least
they are no longer opened to the world..

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 496c8c4e2d9199a38c796fdd6f63d89d8c6b215d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 309e976765f593d6ec2b857295dc58e57d58900e)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 acqui/check_uniqueness.pl                      |  7 +++++++
 catalogue/image.pl                             |  7 +++++++
 cataloguing/plugin_launcher.pl                 |  8 ++++++++
 cataloguing/value_builder/barcode.pl           | 10 ++++++++++
 cataloguing/value_builder/barcode_manual.pl    | 10 ++++++++++
 cataloguing/value_builder/dateaccessioned.pl   | 10 ++++++++++
 cataloguing/value_builder/marc21_field_005.pl  | 10 ++++++++++
 cataloguing/value_builder/marc21_field_245h.pl | 12 +++++++++++-
 cataloguing/value_builder/marc21_field_260b.pl | 10 ++++++++++
 cataloguing/value_builder/marc21_orgcode.pl    |  9 +++++++++
 cataloguing/value_builder/stocknumber.pl       |  9 +++++++++
 cataloguing/value_builder/upload.pl            | 10 ++++++++++
 labels/label-create-csv.pl                     |  6 ++++++
 labels/label-create-xml.pl                     |  6 ++++++
 serials/lateissues-export.pl                   |  7 +++++++
 15 files changed, 130 insertions(+), 1 deletion(-)

diff --git a/acqui/check_uniqueness.pl b/acqui/check_uniqueness.pl
index b665b34c3a..791814095f 100755
--- a/acqui/check_uniqueness.pl
+++ b/acqui/check_uniqueness.pl
@@ -37,6 +37,13 @@ use C4::Output qw( output_with_http_headers );
 use C4::Items qw( SearchItems );
 
 my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my @field = $input->multi_param('field[]');
 my @value = $input->multi_param('value[]');
 
diff --git a/catalogue/image.pl b/catalogue/image.pl
index 41eebc019c..efdcae4937 100755
--- a/catalogue/image.pl
+++ b/catalogue/image.pl
@@ -33,6 +33,13 @@ use Koha::CoverImages;
 $| = 1;
 
 my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $imagenumber;
 
 =head1 NAME
diff --git a/cataloguing/plugin_launcher.pl b/cataloguing/plugin_launcher.pl
index 90105f326c..b31ca52c89 100755
--- a/cataloguing/plugin_launcher.pl
+++ b/cataloguing/plugin_launcher.pl
@@ -19,10 +19,18 @@
 
 use Modern::Perl;
 use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
 
 use Koha::FrameworkPlugin;
 
 my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $plugin= Koha::FrameworkPlugin->new( {
     name => scalar $input->param("plugin_name"),
 });
diff --git a/cataloguing/value_builder/barcode.pl b/cataloguing/value_builder/barcode.pl
index b166b46c4d..5ec7dbece4 100755
--- a/cataloguing/value_builder/barcode.pl
+++ b/cataloguing/value_builder/barcode.pl
@@ -29,6 +29,16 @@ use Koha::DateUtils qw( dt_from_string );
 
 use Algorithm::CheckDigits qw( CheckDigits );
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};
diff --git a/cataloguing/value_builder/barcode_manual.pl b/cataloguing/value_builder/barcode_manual.pl
index a7d015ba7a..67891789e3 100755
--- a/cataloguing/value_builder/barcode_manual.pl
+++ b/cataloguing/value_builder/barcode_manual.pl
@@ -27,6 +27,16 @@ use C4::Barcodes::ValueBuilder;
 use C4::Biblio qw( GetMarcFromKohaField );
 use Koha::DateUtils qw( dt_from_string );
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};
diff --git a/cataloguing/value_builder/dateaccessioned.pl b/cataloguing/value_builder/dateaccessioned.pl
index 808fc80116..c4f7746b7f 100755
--- a/cataloguing/value_builder/dateaccessioned.pl
+++ b/cataloguing/value_builder/dateaccessioned.pl
@@ -21,6 +21,16 @@
 # along with Koha; if not, see <http://www.gnu.org/licenses>.
 
 use Modern::Perl;
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};
diff --git a/cataloguing/value_builder/marc21_field_005.pl b/cataloguing/value_builder/marc21_field_005.pl
index 545a1a4f91..6428bd61a9 100755
--- a/cataloguing/value_builder/marc21_field_005.pl
+++ b/cataloguing/value_builder/marc21_field_005.pl
@@ -21,6 +21,16 @@
 
 use Modern::Perl;
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};
diff --git a/cataloguing/value_builder/marc21_field_245h.pl b/cataloguing/value_builder/marc21_field_245h.pl
index 667ae2249a..4fe4a2f1e7 100755
--- a/cataloguing/value_builder/marc21_field_245h.pl
+++ b/cataloguing/value_builder/marc21_field_245h.pl
@@ -20,7 +20,17 @@
 # along with Koha; if not, see <http://www.gnu.org/licenses>.
 
 use Modern::Perl;
-use C4::Context;
+
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 
 my $builder = sub {
     my ( $params ) = @_;
diff --git a/cataloguing/value_builder/marc21_field_260b.pl b/cataloguing/value_builder/marc21_field_260b.pl
index 406feb4122..e9a74a07ba 100755
--- a/cataloguing/value_builder/marc21_field_260b.pl
+++ b/cataloguing/value_builder/marc21_field_260b.pl
@@ -27,6 +27,16 @@ biblioitems.publishercode
 use Modern::Perl;
 use C4::Context;
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};
diff --git a/cataloguing/value_builder/marc21_orgcode.pl b/cataloguing/value_builder/marc21_orgcode.pl
index aa9142cfc7..0dd985803c 100755
--- a/cataloguing/value_builder/marc21_orgcode.pl
+++ b/cataloguing/value_builder/marc21_orgcode.pl
@@ -24,6 +24,15 @@ use Modern::Perl;
 use C4::Context;
 
 use Koha::Libraries;
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $builder = sub {
     my ( $params ) = @_;
diff --git a/cataloguing/value_builder/stocknumber.pl b/cataloguing/value_builder/stocknumber.pl
index 51d7a1986c..61885d12b0 100755
--- a/cataloguing/value_builder/stocknumber.pl
+++ b/cataloguing/value_builder/stocknumber.pl
@@ -21,6 +21,15 @@
 
 use Modern::Perl;
 use C4::Context;
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $builder = sub {
     my ( $params ) = @_;
diff --git a/cataloguing/value_builder/upload.pl b/cataloguing/value_builder/upload.pl
index 82b9816f62..eeb422d525 100755
--- a/cataloguing/value_builder/upload.pl
+++ b/cataloguing/value_builder/upload.pl
@@ -30,6 +30,16 @@ use Modern::Perl;
 # the possibility to delete the uploaded file. If the field is empty, you
 # can upload a new file.
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     return <<"SCRIPT";
diff --git a/labels/label-create-csv.pl b/labels/label-create-csv.pl
index 8c06a41a0b..80c662e85a 100755
--- a/labels/label-create-csv.pl
+++ b/labels/label-create-csv.pl
@@ -26,6 +26,12 @@ use Text::CSV_XS;
 use C4::Labels;
 
 my $cgi = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $cgi->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $cgi->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $batch_id;
 my @label_ids;
diff --git a/labels/label-create-xml.pl b/labels/label-create-xml.pl
index 3962cfb502..a3bec34ec0 100755
--- a/labels/label-create-xml.pl
+++ b/labels/label-create-xml.pl
@@ -26,6 +26,12 @@ use XML::Simple;
 use C4::Labels;
 
 my $cgi = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $cgi->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $cgi->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $batch_id;
 my @label_ids;
diff --git a/serials/lateissues-export.pl b/serials/lateissues-export.pl
index af83f2c6f6..f82b9f1e18 100755
--- a/serials/lateissues-export.pl
+++ b/serials/lateissues-export.pl
@@ -27,6 +27,13 @@ use Koha::CsvProfiles;
 use Text::CSV_XS;
 
 my $query = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $query->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $query->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $supplierid = $query->param('supplierid');
 my @serialids = $query->multi_param('serialid');
 my $op = $query->param('op') || q{};

From 9845a19a4feea12859daa9d6ffb7081af755a161 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 14 Mar 2024 16:53:35 +0100
Subject: [PATCH 14/20] Bug 24879: Use perl shebang to list the exec
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit f4a52fbc317067b62881110557aeb2b2cc63c41e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5d713e293d5e3b28f1f0611855df88ea886de9e1)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 xt/find-missing-auth_checks.t | 50 +++++++----------------------------
 1 file changed, 10 insertions(+), 40 deletions(-)

diff --git a/xt/find-missing-auth_checks.t b/xt/find-missing-auth_checks.t
index 77909bd5c9..d86fab2917 100755
--- a/xt/find-missing-auth_checks.t
+++ b/xt/find-missing-auth_checks.t
@@ -18,54 +18,24 @@
 use Modern::Perl;
 use Test::More;
 
-use File::Spec;
-use File::Find;
+use File::Slurp qw(read_file);
 
-my @files;
-sub wanted {
-    my $name = $File::Find::name;
-    push @files, $name
-      if $name =~ m{^\./(
-           acqui
-          |admin
-          |authorities
-          |basket
-          |catalogue
-          |cataloguing
-          |circ
-          |clubs
-          |course_reserves
-          |labels
-          |members
-          |patroncards
-          |pos
-          |reports
-          |reserve
-          |reviews
-          |rotating_collections
-          |serials
-          |services
-          |suggestion
-          |svc
-          |tags
-          |tools
-          |virtualshelves
-        )}xms
-      && $name =~ m{\.(pl)$}
-      && -f $name;
-}
+my @excluded_paths = qw(C4 debian docs etc installer/data install_misc Koha misc selenium t test tmp xt changelanguage.pl build-resources.PL fix-perl-path.PL );
+push @excluded_paths, 'opac'; # We cannot test the OPAC scripts, some can be accessed without authentication
 
-find({ wanted => \&wanted, no_chdir => 1 }, File::Spec->curdir());
+my $grep_cmd      = q{git grep -l '#!/usr/bin/perl' -- } . join( ' ', map { qq{':!$_'} } @excluded_paths );
+my @files         = `$grep_cmd`;
 
 my @missing_auth_check;
-FILE: foreach my $name (@files) {
-    open( FILE, $name ) || die "cannot open file $name $!";
-    while ( my $line = <FILE> ) {
+FILE: foreach my $file (@files) {
+    chomp $file;
+    my @lines = read_file($file);
+    for my $line ( @lines ) {
         for my $routine ( qw( get_template_and_user check_cookie_auth checkauth check_api_auth C4::Service->init ) ) {
             next FILE if $line =~ m|^[^#]*$routine|;
         }
     }
-    push @missing_auth_check, $name;
+    push @missing_auth_check, $file;
 }
 is( scalar @missing_auth_check, 0 ) or diag "No auth check in the following files:\n" . join "\n", @missing_auth_check;
 done_testing;

From b37b4e821713a2702024597bc9df895553f0e00f Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Fri, 15 Mar 2024 10:19:16 +0100
Subject: [PATCH 15/20] Bug 24879: Exclude koha_perl_deps.pl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

And tidy.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 171197bf2353c0c415d25be127073ad13a9d86bc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ab6e314da2bf24b2b93ee72e1adb312676321ed4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 xt/find-missing-auth_checks.t | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/xt/find-missing-auth_checks.t b/xt/find-missing-auth_checks.t
index d86fab2917..a1a5c0d594 100755
--- a/xt/find-missing-auth_checks.t
+++ b/xt/find-missing-auth_checks.t
@@ -20,18 +20,19 @@ use Test::More;
 
 use File::Slurp qw(read_file);
 
-my @excluded_paths = qw(C4 debian docs etc installer/data install_misc Koha misc selenium t test tmp xt changelanguage.pl build-resources.PL fix-perl-path.PL );
-push @excluded_paths, 'opac'; # We cannot test the OPAC scripts, some can be accessed without authentication
+my @excluded_paths =
+    qw(C4 debian docs etc installer/data install_misc Koha misc selenium t test tmp xt changelanguage.pl build-resources.PL fix-perl-path.PL koha_perl_deps.pl );
+push @excluded_paths, 'opac';    # We cannot test the OPAC scripts, some can be accessed without authentication
 
-my $grep_cmd      = q{git grep -l '#!/usr/bin/perl' -- } . join( ' ', map { qq{':!$_'} } @excluded_paths );
-my @files         = `$grep_cmd`;
+my $grep_cmd = q{git grep -l '#!/usr/bin/perl' -- } . join( ' ', map { qq{':!$_'} } @excluded_paths );
+my @files    = `$grep_cmd`;
 
 my @missing_auth_check;
 FILE: foreach my $file (@files) {
     chomp $file;
     my @lines = read_file($file);
-    for my $line ( @lines ) {
-        for my $routine ( qw( get_template_and_user check_cookie_auth checkauth check_api_auth C4::Service->init ) ) {
+    for my $line (@lines) {
+        for my $routine (qw( get_template_and_user check_cookie_auth checkauth check_api_auth C4::Service->init )) {
             next FILE if $line =~ m|^[^#]*$routine|;
         }
     }

From 67f842d0c2e90bb9c4b1876e3b94b34b97fadd51 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Demians?= <f.demians@tamil.fr>
Date: Mon, 25 Mar 2024 10:47:59 +0000
Subject: [PATCH 16/20] Bug 36244: DBRev 22.11.15.001

---
 Koha.pm                                                         | 2 +-
 .../mysql/{atomicupdate/bug_36244.pl => db_revs/221115001.pl}   | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename installer/data/mysql/{atomicupdate/bug_36244.pl => db_revs/221115001.pl} (100%)

diff --git a/Koha.pm b/Koha.pm
index 9fccf7c268..ea77fab5c2 100644
--- a/Koha.pm
+++ b/Koha.pm
@@ -29,7 +29,7 @@ use vars qw{ $VERSION };
 # - #4 : the developer version. The 4th number is the database subversion.
 #        used by developers when the database changes. updatedatabase take care of the changes itself
 #        and is automatically called by Auth.pm when needed.
-$VERSION = "22.11.15.000";
+$VERSION = "22.11.15.001";
 
 sub version {
     return $VERSION;
diff --git a/installer/data/mysql/atomicupdate/bug_36244.pl b/installer/data/mysql/db_revs/221115001.pl
similarity index 100%
rename from installer/data/mysql/atomicupdate/bug_36244.pl
rename to installer/data/mysql/db_revs/221115001.pl

From ca63c7d1f0402468513381cbddad04e2cac984e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Demians?= <f.demians@tamil.fr>
Date: Mon, 25 Mar 2024 10:50:48 +0000
Subject: [PATCH 17/20] Increment version for 22.11.16 release

---
 Koha.pm                                   | 2 +-
 installer/data/mysql/db_revs/221116000.pl | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100755 installer/data/mysql/db_revs/221116000.pl

diff --git a/Koha.pm b/Koha.pm
index ea77fab5c2..38e852024c 100644
--- a/Koha.pm
+++ b/Koha.pm
@@ -29,7 +29,7 @@ use vars qw{ $VERSION };
 # - #4 : the developer version. The 4th number is the database subversion.
 #        used by developers when the database changes. updatedatabase take care of the changes itself
 #        and is automatically called by Auth.pm when needed.
-$VERSION = "22.11.15.001";
+$VERSION = "22.11.16.000";
 
 sub version {
     return $VERSION;
diff --git a/installer/data/mysql/db_revs/221116000.pl b/installer/data/mysql/db_revs/221116000.pl
new file mode 100755
index 0000000000..6896a11353
--- /dev/null
+++ b/installer/data/mysql/db_revs/221116000.pl
@@ -0,0 +1,7 @@
+use Modern::Perl;
+
+return {
+    bug_number  => undef,
+    description => 'Koha 22.11.16 release',
+    up          => sub { },
+}

From eec863243e3de519cc2f28929e3943d3bce5dfaf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Demians?= <f.demians@tamil.fr>
Date: Mon, 25 Mar 2024 11:04:54 +0000
Subject: [PATCH 18/20] Update release notes for 22.11.16 release

---
 .../release_notes/release_notes_22_11_16.html | 304 ++++++++++++++++++
 misc/release_notes/release_notes_22_11_16.md  | 266 +++++++++++++++
 2 files changed, 570 insertions(+)
 create mode 100644 misc/release_notes/release_notes_22_11_16.html
 create mode 100644 misc/release_notes/release_notes_22_11_16.md

diff --git a/misc/release_notes/release_notes_22_11_16.html b/misc/release_notes/release_notes_22_11_16.html
new file mode 100644
index 0000000000..a1578f3ad2
--- /dev/null
+++ b/misc/release_notes/release_notes_22_11_16.html
@@ -0,0 +1,304 @@
+<h1 id="releasenotesforkoha22.11.16">RELEASE NOTES FOR KOHA 22.11.16</h1>
+
+<p>25 Mar 2024</p>
+
+<p>Koha is the first free and open source software library automation
+package (ILS). Development is sponsored by libraries of varying types
+and sizes, volunteers, and support companies from around the world. The
+website for the Koha project is:</p>
+
+<ul>
+<li><a href="http://koha-community.org">Koha Community</a></li>
+</ul>
+
+<p>Koha 22.11.16 can be downloaded from:</p>
+
+<ul>
+<li><a href="http://download.koha-community.org/koha-22.11.16.tar.gz">Download</a></li>
+</ul>
+
+<p>Installation instructions can be found at:</p>
+
+<ul>
+<li><a href="http://wiki.koha-community.org/wiki/Installation_Documentation">Koha Wiki</a></li>
+<li>OR in the INSTALL files that come in the tarball</li>
+</ul>
+
+<p>Koha 22.11.16 is a bugfix/maintenance release with security fixes.</p>
+
+<p>It includes 3 bugfixes.</p>
+
+<p><strong>System requirements</strong></p>
+
+<p>You can learn about the system components (like OS and database) needed for running Koha on the <a href="https://wiki.koha-community.org/wiki/System_requirements_and_recommendations">community wiki</a>.</p>
+
+<h2 id="bugfixes">Bugfixes</h2>
+
+<h3 id="architectureinternalsandplumbing">Architecture, internals, and plumbing</h3>
+
+<h4 id="otherbugsfixed">Other bugs fixed</h4>
+
+<ul>
+<li><a href="http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36176">36176</a> [23.11 and below] We need tests to check for 'cud-' operations in stable branches (pre-24.05)</li>
+</ul>
+
+<h3 id="opac">OPAC</h3>
+
+<h4 id="otherbugsfixed">Other bugs fixed</h4>
+
+<ul>
+<li><a href="http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35942">35942</a> OPAC user can enroll several times to the same club</li>
+</ul>
+
+<h3 id="reports">Reports</h3>
+
+<h4 id="criticalbugsfixed">Critical bugs fixed</h4>
+
+<ul>
+<li><a href="http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31988">31988</a> manager.pl is only user for "Catalog by item type" report</li>
+</ul>
+
+<h2 id="documentation">Documentation</h2>
+
+<p>The Koha manual is maintained in Sphinx. The home page for Koha
+documentation is</p>
+
+<ul>
+<li><p><a href="http://koha-community.org/documentation/">Koha Documentation</a>
+As of the date of these release notes, the Koha manual is available in the following languages:</p></li>
+<li><p><a href="https://koha-community.org/manual/22.11//html/">Chinese (Traditional)</a> (63%)</p></li>
+<li><a href="https://koha-community.org/manual/22.11//html/">English</a> (100%)</li>
+<li><a href="https://koha-community.org/manual/22.11/en/html/">English (USA)</a></li>
+<li><a href="https://koha-community.org/manual/22.11/fr/html/">French</a> (41%)</li>
+<li><a href="https://koha-community.org/manual/22.11/de/html/">German</a> (40%)</li>
+<li><a href="https://koha-community.org/manual/22.11/hi/html/">Hindi</a> (75%)</li>
+</ul>
+
+<p>The Git repository for the Koha manual can be found at</p>
+
+<ul>
+<li><a href="https://gitlab.com/koha-community/koha-manual">Koha Git Repository</a></li>
+</ul>
+
+<h2 id="translations">Translations</h2>
+
+<p>Complete or near-complete translations of the OPAC and staff
+interface are available in this release for the following languages:</p>
+
+<div style="column-count: 2;">
+
+- Arabic (ar_ARAB) (75%)
+- Armenian (hy_ARMN) (100%)
+- Bulgarian (bg_CYRL) (100%)
+- Chinese (Traditional) (81%)
+- Czech (71%)
+- Dutch (88%)
+- English (100%)
+- English (New Zealand) (69%)
+- English (USA)
+- English (United Kingdom) (99%)
+- Finnish (96%)
+- French (99%)
+- French (Canada) (96%)
+- German (100%)
+- German (Switzerland) (56%)
+- Greek (57%)
+- Hindi (100%)
+- Italian (92%)
+- Norwegian Bokmål (69%)
+- Persian (fa_ARAB) (75%)
+- Polish (99%)
+- Portuguese (Brazil) (99%)
+- Portuguese (Portugal) (88%)
+- Russian (94%)
+- Slovak (67%)
+- Spanish (100%)
+- Swedish (88%)
+- Telugu (77%)
+- Turkish (88%)
+- Ukrainian (79%)
+- hyw_ARMN (generated) (hyw_ARMN) (70%)
+</div>
+
+<p>Partial translations are available for various other languages.</p>
+
+<p>The Koha team welcomes additional translations; please see</p>
+
+<ul>
+<li><a href="http://wiki.koha-community.org/wiki/Translating_Koha">Koha Translation Info</a></li>
+</ul>
+
+<p>For information about translating Koha, and join the koha-translate 
+list to volunteer:</p>
+
+<ul>
+<li><a href="http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-translate">Koha Translate List</a></li>
+</ul>
+
+<p>The most up-to-date translations can be found at:</p>
+
+<ul>
+<li><a href="http://translate.koha-community.org/">Koha Translation</a></li>
+</ul>
+
+<h2 id="releaseteam">Release Team</h2>
+
+<p>The release team for Koha 22.11.16 is</p>
+
+<ul>
+<li><p>Release Manager: Katrin Fischer</p></li>
+<li><p>Release Manager assistants:</p>
+
+<ul>
+<li>Tomás Cohen Arazi</li>
+<li>Martin Renvoize</li>
+<li>Jonathan Druart</li>
+</ul></li>
+<li><p>QA Manager: Marcel de Rooy</p></li>
+<li><p>QA Team:</p>
+
+<ul>
+<li>Marcel de Rooy</li>
+<li>Julian Maurice</li>
+<li>Lucas Gass</li>
+<li>Victor Grousset</li>
+<li>Kyle M Hall</li>
+<li>Nick Clemens</li>
+<li>Martin Renvoize</li>
+<li>Tomás Cohen Arazi</li>
+<li>Aleisha Amohia</li>
+<li>Emily Lamancusa</li>
+<li>David Cook</li>
+<li>Jonathan Druart</li>
+<li>Pedor Amorim</li>
+</ul></li>
+<li><p>Topic Experts:</p>
+
+<ul>
+<li>UI Design -- Owen Leonard</li>
+<li>Zebra -- Fridolin Somers</li>
+<li>REST API -- Tomás Cohen Arazi</li>
+<li>ERM -- Matt Blenkinsop</li>
+<li>ILL -- Pedro Amorim</li>
+<li>SIP2 -- Matthias Meusburger</li>
+<li>CAS -- Matthias Meusburger</li>
+</ul></li>
+<li><p>Bug Wranglers:</p>
+
+<ul>
+<li>Aleisha Amohia</li>
+<li>Indranil Das Gupta</li>
+</ul></li>
+<li><p>Packaging Managers:</p>
+
+<ul>
+<li>Mason James</li>
+<li>Indranil Das Gupta</li>
+<li>Tomás Cohen Arazi</li>
+</ul></li>
+<li><p>Documentation Manager: Aude Charillon</p></li>
+<li><p>Documentation Team:</p>
+
+<ul>
+<li>Caroline Cyr La Rose</li>
+<li>Kelly McElligott</li>
+<li>Philip Orr</li>
+<li>Marie-Luce Laflamme</li>
+<li>Lucy Vaux-Harvey</li>
+</ul></li>
+<li><p>Translation Manager: Jonathan Druart</p></li>
+<li><p>Wiki curators: </p>
+
+<ul>
+<li>Thomas Dukleth</li>
+<li>Katrin Fischer</li>
+</ul></li>
+<li><p>Release Maintainers:</p>
+
+<ul>
+<li>23.11 -- Fridolin Somers</li>
+<li>23.05 -- Lucas Gass</li>
+<li>22.11 -- Frédéric Demians</li>
+<li>22.05 -- Danyon Sewell</li>
+</ul></li>
+<li><p>Release Maintainer assistants:</p>
+
+<ul>
+<li>22.05 -- Wainui Witika-Park</li>
+</ul></li>
+</ul>
+
+<h2 id="credits">Credits</h2>
+
+<p>We thank the following individuals who contributed patches to Koha 22.11.16</p>
+
+<div style="column-count: 2;">
+
+- Frédéric Demians (3)
+- Jonathan Druart (9)
+- Kyle M Hall (3)
+- Andreas Jonsson (2)
+- Julian Maurice (1)
+- Fridolin Somers (1)
+</div>
+
+<p>We thank the following libraries, companies, and other institutions who contributed
+patches to Koha 22.11.16</p>
+
+<div style="column-count: 2;">
+
+- BibLibre (2)
+- ByWater-Solutions (3)
+- Koha Community Developers (9)
+- Kreablo AB (2)
+- Tamil (3)
+</div>
+
+<p>We also especially thank the following individuals who tested patches
+for Koha</p>
+
+<div style="column-count: 2;">
+
+- Nick Clemens (1)
+- Frédéric Demians (15)
+- Jonathan Druart (4)
+- Katrin Fischer (4)
+- Lucas Gass (3)
+- Victor Grousset (1)
+- Kyle M Hall (2)
+- Andrew Fuerste Henry (1)
+- Owen Leonard (1)
+- David Nind (1)
+- Martin Renvoize (11)
+- Marcel de Rooy (3)
+- Fridolin Somers (12)
+</div>
+
+<p>We regret any omissions.  If a contributor has been inadvertently missed,
+please send a patch against these release notes to koha-devel@lists.koha-community.org.</p>
+
+<h2 id="revisioncontrolnotes">Revision control notes</h2>
+
+<p>The Koha project uses Git for version control.  The current development
+version of Koha can be retrieved by checking out the master branch of:</p>
+
+<ul>
+<li><a href="https://git.koha-community.org/koha-community/koha">Koha Git Repository</a></li>
+</ul>
+
+<p>The branch for this version of Koha and future bugfixes in this release
+line is 22.11.x-security.</p>
+
+<h2 id="bugsandfeaturerequests">Bugs and feature requests</h2>
+
+<p>Bug reports and feature requests can be filed at the Koha bug
+tracker at:</p>
+
+<ul>
+<li><a href="http://bugs.koha-community.org">Koha Bugzilla</a></li>
+</ul>
+
+<p>He rau ringa e oti ai.
+(Many hands finish the work)</p>
+
+<p>Autogenerated release notes updated last on 25 Mar 2024 10:56:35.</p>
diff --git a/misc/release_notes/release_notes_22_11_16.md b/misc/release_notes/release_notes_22_11_16.md
new file mode 100644
index 0000000000..669c88abeb
--- /dev/null
+++ b/misc/release_notes/release_notes_22_11_16.md
@@ -0,0 +1,266 @@
+# RELEASE NOTES FOR KOHA 22.11.16
+25 Mar 2024
+
+Koha is the first free and open source software library automation
+package (ILS). Development is sponsored by libraries of varying types
+and sizes, volunteers, and support companies from around the world. The
+website for the Koha project is:
+
+- [Koha Community](http://koha-community.org)
+
+Koha 22.11.16 can be downloaded from:
+
+- [Download](http://download.koha-community.org/koha-22.11.16.tar.gz)
+
+Installation instructions can be found at:
+
+- [Koha Wiki](http://wiki.koha-community.org/wiki/Installation_Documentation)
+- OR in the INSTALL files that come in the tarball
+
+Koha 22.11.16 is a bugfix/maintenance release with security fixes.
+
+It includes 3 bugfixes.
+
+**System requirements**
+
+You can learn about the system components (like OS and database) needed for running Koha on the [community wiki](https://wiki.koha-community.org/wiki/System_requirements_and_recommendations).
+
+
+## Bugfixes
+
+### Architecture, internals, and plumbing
+
+#### Other bugs fixed
+
+- [36176](http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36176) [23.11 and below] We need tests to check for 'cud-' operations in stable branches (pre-24.05)
+
+### OPAC
+
+#### Other bugs fixed
+
+- [35942](http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35942) OPAC user can enroll several times to the same club
+
+### Reports
+
+#### Critical bugs fixed
+
+- [31988](http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31988) manager.pl is only user for "Catalog by item type" report
+
+## Documentation
+
+The Koha manual is maintained in Sphinx. The home page for Koha
+documentation is
+
+- [Koha Documentation](http://koha-community.org/documentation/)
+As of the date of these release notes, the Koha manual is available in the following languages:
+
+- [Chinese (Traditional)](https://koha-community.org/manual/22.11//html/) (63%)
+- [English](https://koha-community.org/manual/22.11//html/) (100%)
+- [English (USA)](https://koha-community.org/manual/22.11/en/html/)
+- [French](https://koha-community.org/manual/22.11/fr/html/) (41%)
+- [German](https://koha-community.org/manual/22.11/de/html/) (40%)
+- [Hindi](https://koha-community.org/manual/22.11/hi/html/) (75%)
+
+The Git repository for the Koha manual can be found at
+
+- [Koha Git Repository](https://gitlab.com/koha-community/koha-manual)
+
+## Translations
+
+Complete or near-complete translations of the OPAC and staff
+interface are available in this release for the following languages:
+<div style="column-count: 2;">
+
+- Arabic (ar_ARAB) (75%)
+- Armenian (hy_ARMN) (100%)
+- Bulgarian (bg_CYRL) (100%)
+- Chinese (Traditional) (81%)
+- Czech (71%)
+- Dutch (88%)
+- English (100%)
+- English (New Zealand) (69%)
+- English (USA)
+- English (United Kingdom) (99%)
+- Finnish (96%)
+- French (99%)
+- French (Canada) (96%)
+- German (100%)
+- German (Switzerland) (56%)
+- Greek (57%)
+- Hindi (100%)
+- Italian (92%)
+- Norwegian Bokmål (69%)
+- Persian (fa_ARAB) (75%)
+- Polish (99%)
+- Portuguese (Brazil) (99%)
+- Portuguese (Portugal) (88%)
+- Russian (94%)
+- Slovak (67%)
+- Spanish (100%)
+- Swedish (88%)
+- Telugu (77%)
+- Turkish (88%)
+- Ukrainian (79%)
+- hyw_ARMN (generated) (hyw_ARMN) (70%)
+</div>
+
+Partial translations are available for various other languages.
+
+The Koha team welcomes additional translations; please see
+
+- [Koha Translation Info](http://wiki.koha-community.org/wiki/Translating_Koha)
+
+For information about translating Koha, and join the koha-translate 
+list to volunteer:
+
+- [Koha Translate List](http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-translate)
+
+The most up-to-date translations can be found at:
+
+- [Koha Translation](http://translate.koha-community.org/)
+
+## Release Team
+
+The release team for Koha 22.11.16 is
+
+
+- Release Manager: Katrin Fischer
+
+- Release Manager assistants:
+  - Tomás Cohen Arazi
+  - Martin Renvoize
+  - Jonathan Druart
+
+- QA Manager: Marcel de Rooy
+
+- QA Team:
+  - Marcel de Rooy
+  - Julian Maurice
+  - Lucas Gass
+  - Victor Grousset
+  - Kyle M Hall
+  - Nick Clemens
+  - Martin Renvoize
+  - Tomás Cohen Arazi
+  - Aleisha Amohia
+  - Emily Lamancusa
+  - David Cook
+  - Jonathan Druart
+  - Pedor Amorim
+
+- Topic Experts:
+  - UI Design -- Owen Leonard
+  - Zebra -- Fridolin Somers
+  - REST API -- Tomás Cohen Arazi
+  - ERM -- Matt Blenkinsop
+  - ILL -- Pedro Amorim
+  - SIP2 -- Matthias Meusburger
+  - CAS -- Matthias Meusburger
+
+- Bug Wranglers:
+  - Aleisha Amohia
+  - Indranil Das Gupta
+
+- Packaging Managers:
+  - Mason James
+  - Indranil Das Gupta
+  - Tomás Cohen Arazi
+
+- Documentation Manager: Aude Charillon
+
+- Documentation Team:
+  - Caroline Cyr La Rose
+  - Kelly McElligott
+  - Philip Orr
+  - Marie-Luce Laflamme
+  - Lucy Vaux-Harvey
+
+- Translation Manager: Jonathan Druart
+
+
+- Wiki curators: 
+  - Thomas Dukleth
+  - Katrin Fischer
+
+- Release Maintainers:
+  - 23.11 -- Fridolin Somers
+  - 23.05 -- Lucas Gass
+  - 22.11 -- Frédéric Demians
+  - 22.05 -- Danyon Sewell
+
+- Release Maintainer assistants:
+  - 22.05 -- Wainui Witika-Park
+
+## Credits
+
+
+
+We thank the following individuals who contributed patches to Koha 22.11.16
+<div style="column-count: 2;">
+
+- Frédéric Demians (3)
+- Jonathan Druart (9)
+- Kyle M Hall (3)
+- Andreas Jonsson (2)
+- Julian Maurice (1)
+- Fridolin Somers (1)
+</div>
+
+We thank the following libraries, companies, and other institutions who contributed
+patches to Koha 22.11.16
+<div style="column-count: 2;">
+
+- BibLibre (2)
+- ByWater-Solutions (3)
+- Koha Community Developers (9)
+- Kreablo AB (2)
+- Tamil (3)
+</div>
+
+We also especially thank the following individuals who tested patches
+for Koha
+<div style="column-count: 2;">
+
+- Nick Clemens (1)
+- Frédéric Demians (15)
+- Jonathan Druart (4)
+- Katrin Fischer (4)
+- Lucas Gass (3)
+- Victor Grousset (1)
+- Kyle M Hall (2)
+- Andrew Fuerste Henry (1)
+- Owen Leonard (1)
+- David Nind (1)
+- Martin Renvoize (11)
+- Marcel de Rooy (3)
+- Fridolin Somers (12)
+</div>
+
+
+
+
+
+We regret any omissions.  If a contributor has been inadvertently missed,
+please send a patch against these release notes to koha-devel@lists.koha-community.org.
+
+## Revision control notes
+
+The Koha project uses Git for version control.  The current development
+version of Koha can be retrieved by checking out the master branch of:
+
+- [Koha Git Repository](https://git.koha-community.org/koha-community/koha)
+
+The branch for this version of Koha and future bugfixes in this release
+line is 22.11.x-security.
+
+## Bugs and feature requests
+
+Bug reports and feature requests can be filed at the Koha bug
+tracker at:
+
+- [Koha Bugzilla](http://bugs.koha-community.org)
+
+He rau ringa e oti ai.
+(Many hands finish the work)
+
+Autogenerated release notes updated last on 25 Mar 2024 10:56:35.

From 452f4d5acf8bf7609b3b9f3e99c807b39e32929b Mon Sep 17 00:00:00 2001
From: Lucas Gass <lucas@bywatersolutions.com>
Date: Tue, 26 Mar 2024 20:32:15 +0000
Subject: [PATCH 19/20] Bug 36176: Exclude misc/releases_notes/*
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

(cherry picked from commit 93a68d2068264bbaad070f178182de638147c0a6)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
---
 xt/find-cud.t | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/xt/find-cud.t b/xt/find-cud.t
index 0f0805773a..67721bf1e8 100755
--- a/xt/find-cud.t
+++ b/xt/find-cud.t
@@ -19,7 +19,7 @@ use Modern::Perl;
 use Test::More tests => 1;
 use Data::Dumper;
 
-my @files = `git grep 'cud-' ':(exclude)xt/find-cud.t'`;
+my @files = `git grep 'cud-' ':(exclude)xt/find-cud.t' ':(exclude)misc/release_notes/*'`;
 chomp for @files;
 
 is( @files, 0, "This branch is not supposed to have 'cud-', see bug 34478." )

From 92030f1aba2929dd384c3bede678689535988cac Mon Sep 17 00:00:00 2001
From: Fridolin Somers <fridolin.somers@biblibre.com>
Date: Wed, 27 Mar 2024 10:20:03 +0100
Subject: [PATCH 20/20] Bug 24879: (follow-up) Fix test suite
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Running cataloguing pluings (in cataloguing/value_builder) now requires
authentification.

This patch adds in failing unit tests a mock of C4::Auth::check_cookie_auth

Test with:
prove t/db_dependent/FrameworkPlugin.t t/db_dependent/Koha/UI/Form/Builder/Biblio.t t/db_dependent/Koha/UI/Form/Builder/Item.t t/db_dependent/Serials.t

(cherry picked from commit f8a23b8ef46aea60eda9211a3e89af85d650ac26)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

suite
---
 t/db_dependent/FrameworkPlugin.t             | 1 +
 t/db_dependent/Koha/UI/Form/Builder/Biblio.t | 5 +++++
 t/db_dependent/Koha/UI/Form/Builder/Item.t   | 5 +++++
 t/db_dependent/Serials.t                     | 5 +++++
 4 files changed, 16 insertions(+)

diff --git a/t/db_dependent/FrameworkPlugin.t b/t/db_dependent/FrameworkPlugin.t
index 41baf49153..c3031ac22f 100755
--- a/t/db_dependent/FrameworkPlugin.t
+++ b/t/db_dependent/FrameworkPlugin.t
@@ -144,6 +144,7 @@ sub test05 {
     my $mOutput = Test::MockModule->new('C4::Output');
     $mContext->mock( 'userenv', \&mock_userenv );
     $mAuth->mock( 'checkauth', sub { return ( 1, undef, 1, all_perms() ); } );
+    $mAuth->mock( 'check_cookie_auth', sub { return ('ok') } );
     $mOutput->mock('output_html_with_http_headers',  sub { ++$launched; } );
 
     my $cgi=CGI->new;
diff --git a/t/db_dependent/Koha/UI/Form/Builder/Biblio.t b/t/db_dependent/Koha/UI/Form/Builder/Biblio.t
index cdf93c4880..ed5d582ef0 100755
--- a/t/db_dependent/Koha/UI/Form/Builder/Biblio.t
+++ b/t/db_dependent/Koha/UI/Form/Builder/Biblio.t
@@ -18,6 +18,7 @@
 use Modern::Perl;
 
 use Test::More tests => 7;
+use Test::MockModule;
 
 use C4::ClassSource;
 
@@ -26,6 +27,10 @@ use Koha::DateUtils qw( dt_from_string );
 use Koha::ItemTypes;
 use Koha::Libraries;
 
+# Auth required for cataloguing plugins
+my $mAuth = Test::MockModule->new('C4::Auth');
+$mAuth->mock( 'check_cookie_auth', sub { return ('ok') } );
+
 my $schema = Koha::Database->new->schema;
 $schema->storage->txn_begin;
 
diff --git a/t/db_dependent/Koha/UI/Form/Builder/Item.t b/t/db_dependent/Koha/UI/Form/Builder/Item.t
index dedbb31775..de82c7741c 100755
--- a/t/db_dependent/Koha/UI/Form/Builder/Item.t
+++ b/t/db_dependent/Koha/UI/Form/Builder/Item.t
@@ -17,6 +17,7 @@
 
 use Modern::Perl;
 use Test::More tests => 9;
+use Test::MockModule;
 use Data::Dumper qw( Dumper );
 use utf8;
 
@@ -28,6 +29,10 @@ use Koha::UI::Form::Builder::Item;
 use t::lib::TestBuilder;
 use t::lib::Mocks;
 
+# Auth required for cataloguing plugins
+my $mAuth = Test::MockModule->new('C4::Auth');
+$mAuth->mock( 'check_cookie_auth', sub { return ('ok') } );
+
 my $schema = Koha::Database->new->schema;
 $schema->storage->txn_begin;
 
diff --git a/t/db_dependent/Serials.t b/t/db_dependent/Serials.t
index eb432dc914..37c16a5c96 100755
--- a/t/db_dependent/Serials.t
+++ b/t/db_dependent/Serials.t
@@ -16,12 +16,17 @@ use Koha::DateUtils qw( dt_from_string output_pref );
 use Koha::Acquisition::Booksellers;
 use t::lib::Mocks;
 use t::lib::TestBuilder;
+use Test::MockModule;
 use Test::More tests => 52;
 
 BEGIN {
     use_ok('C4::Serials', qw( updateClaim NewSubscription GetSubscription GetSubscriptionHistoryFromSubscriptionId SearchSubscriptions ModSubscription GetExpirationDate GetSerials GetSerialInformation NewIssue AddItem2Serial DelSubscription GetFullSubscription PrepareSerialsData GetSubscriptionsFromBiblionumber ModSubscriptionHistory GetSerials2 GetLatestSerials GetNextSeq GetSeq CountSubscriptionFromBiblionumber ModSerialStatus findSerialsByStatus HasSubscriptionStrictlyExpired HasSubscriptionExpired GetLateOrMissingIssues check_routing addroutingmember GetNextDate ));
 }
 
+# Auth required for cataloguing plugins
+my $mAuth = Test::MockModule->new('C4::Auth');
+$mAuth->mock( 'check_cookie_auth', sub { return ('ok') } );
+
 my $schema = Koha::Database->new->schema;
 $schema->storage->txn_begin;
 my $dbh = C4::Context->dbh;