Bug 29541: Restrict access to patron's image to borrowers => * and circulate => *

The patron images is displayed on the 'circulation' and 'members'
modules.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit cd08058b196da18728cd78fd234bbb87194dc748)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 29540: Raise flagsrequired in modrequest

Test plan:
Try modrequest with a user having only 'catalogue' perms and the following URLs:
[1] /cgi-bin/koha/reserve/modrequest.pl?reserve_id=XX&CancelBorrowerNumber=XX&CancelItemnumber=XX&biblionumber=XX
    Fill the XXs with correct identifiers for some item level hold.
[2] /cgi-bin/koha/reserve/modrequest_suspendall.pl?suspend=1&suspend_until=2021-12-01&borrowernumber=XX
    Fill the XX with borrowernumber for borrower that has pending holds.
You should see: Error: You do not have permission to access this page.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[AMENDED] More consensus for using reserveforothers than circulate_remaining.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 15285ae209f5a98ab2e77c730b0b70ff0b29c283)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 906228266b05fa660476d1f5b9320ac79241db82)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28735: Self-checkout users can access opac-user.pl for sco user when not using AutoSelfCheckID

This patch makes the sandboxing of the selfcheckout more robust by
adding a "sco_user" session variable which is turned on when
logging into the self-checkout (either by AutoSelfCheckAllowed or manually).

If a user with this session variable turned on tries to access
other parts of the system (like the rest of the OPAC), it will
"kick out", so that the browser user will lose the authenticated session.

Test plan:
1) Apply the patch
2) koha-plack --restart kohadev
3) Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
4) Note that you are logged into the self-checkout
     So you see the login screen specific to the self-checkout.
     To log with the actual patron. It's a nested auth.
5) Go to http://localhost:8080/cgi-bin/koha/opac-main.pl
6) Note that you are not logged into the OPAC
7) Log into the staff interface and disable the
system preference AutoSelfCheckAllowed
8) Log out of the staff interface (this step is very important)
9) Go to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
10) Note that you are prompted to log into Koha
11) Login using the "koha" user (when using koha-testing-docker)
12) Note that you are logged into the self-checkout
13) Go to http://localhost:8080/cgi-bin/koha/opac-main.pl
14) Note that you are not logged into the OPAC
      Without the patch you would still be logged as "koha"
15) Go back to http://localhost:8080/cgi-bin/koha/sco/sco-main.pl
16) Note that you will need to log in again as you've lost your
session cookie
      Without the patch you will still be logged in the self-checkout
Voila!

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 26102: Prevent XSS when To.json is used: unimarc_field_4XX.tt

To test, edit a MARC framework to link a subfield to the
unimarc_field_4XX.tt. The process of triggering the plugin and selecting
a search result from the plugin popup should work correctly.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit dbd13593538b8dbba9dfe9ff200b1d472ec0595b)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit f424ae7dd89a1dfe1b2ab5a054a4388fabe03c37)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 26102: Prevent XSS when To.json is used: subscription-add.tt

Test the process of adding a subscription, entering both a valid vendor
ID and a non-existent vendor ID. The non-existent vendor ID should
trigger a validation alert.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 583aad8e48790443a14ac4b7dfe85fa1bdeb91a2)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit c971585ab03bf0686d68ad2c73f02006684bc3ed)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 26102: Prevent XSS when To.json is used: guarantor_search.tt

To test, edit a patron record and go through the process of adding a
guarantor. In the guarantor search results table the address should be
displayed correctly.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 11d0a05eb9f1a13c07f3c56d8e40dbbd1bc43938)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 82e76c4aeefa11a43cdb53ba566bb1de912e0f67)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 26102: Prevent XSS when To.json is used: catalogue/results.tt

To test, perform a search in the catalogue and verify that search term
highlighting works correctly.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 0de86fd323545796d57d2e289c10a33970050716)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 2a56d56f434c777b017c300cb906964ae15f52f4)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 26102: Prevent XSS when To.json is used: authorities/blinddetail-biblio-search.tt

Test the process of searching for and selecting an authority record for
use in the basic MARC editor.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 57a2a82c504815d5d8e95c20be43611d96abcf13)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 2631c0bcb7a90beaf62ce1401769c4c64f78c0b5)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 26102: Prevent XSS when To.json is used: authorities/authorities.tt

Check that mandatory tags and subfields are correctly required when
editing an authority record.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit d9ae296b23d6897070c6bb788387ab39e7da8f09)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 3cb5340c89f5c609f9154e2f3eb14ba0e195e0f2)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 26102: Prevent XSS when To.json is used: admin/preferences.tt

Test that preference search term highlighting works correctly.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 5df95693f93e1ef95f74eb4a118319e84ed7703e)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit b4b87a3091a38985d13f2a6d2eb243589ec8b7dd)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 29543: [19.11] Enforce authentication for self-checkout

The self-checkout feature is assuming a patron is logged in if patronid
is passed. It also assumes that "We're in a controlled environment; we
trust the user", which is terribly wrong!

This patch is suggesting to generate a JSON Web Token (JWT) to store in
a cookie and only allow action (renew, check in/out) is the token is
valid. The token is only generated once the user has been authenticated
And is removed when the user finish the session/logout.

Test plan:
You must know exactly how the self-checkout feature works to test this patch.
The 4 following sysprefs must be tested:
 SelfCheckoutByLogin, AutoSelfCheckAllowed, AutoSelfCheckID, AutoSelfCheckPass
Confirm that you can renew, checkin for the items you own, and checkout new items.
Confirm that you are not allowed to access other account's info.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Bug 29543: Remove borrower variable

It's not needed, we have $patron

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Bug 29543: Remove inputfocus variable

It's not used in template

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Bug 29543: Add JWT token handling

Mojo::JWT is installed already, it's not a new dependency.
We need a way to send the patron a token when it's correctly logged in,
and not assumed it's logged in only if patronid is passed

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Bug 29543: Prevent user to checkin or renew items they don't own

Checkin or renew must be restricted to the items they own.

Test plan:
Create an item with barcode bc_1
Check it in to user A
Login to SCO with user B
Get the token using the browser dev tool, from the cookie
Hit (replace $JWT)
    /cgi-bin/koha/sco/sco-main.pl?jwt=$JWT&op=renew&barcode=bc_1
    /cgi-bin/koha/sco/sco-main.pl?jwt=$JWT&op=returnbook&barcode=bc_1

You should see an error message

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Bug 29543: (follow-up) Add a warning to SelfCheckoutByLogin

This updates the language to warn users of risk if using cardnumber for login and auto-self-check is enabled

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Bug 29543: Add Mojo::JWT dependency

Bug 29543: Set autocomplete off for SCO login fields

Cardnumber already had it set, adding for username and password

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Update release notes for 19.11.24 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Increment version for 19.11.24 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Fix translations for Koha 19.11.24

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Translation updates for Koha 19.11.24

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28904: Fix typo and display

Fix typo in template: Newletter => Newsletter
Fix latest newsletter editor definition.. it's a has not an array.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit ded631f39e82352a713a252af714b4e2907c4c2f)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f0695c74201fa4d2a8ddd22b7eddf91d1a72d6d8)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 95257f7f5c5713d34f15152fe3a25f7b4de45e96)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 95257f7f5c5713d34f15152fe3a25f7b4de45e96)

Bug 28904: Update team list to include newsletter editors

It seems we stopped recording the newsletter editor as part of the team
for a while :(.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 6c85c1eac7b77665269e2baa33643854e5108853)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ceeec5155dc77113d2113d877947202c562344e4)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 19d68212b8c24da17972c9cf6203f9ab525771ee)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 19d68212b8c24da17972c9cf6203f9ab525771ee)

Bug 28904: Add newsletter editor to about page display

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 77448b618d1865a21815d434f071a223d706f21b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 86282f26d1ecbaeec00d2a97f4578914dede4bdd)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 9d9a981fafff59fe3566aaa1313d568ff9353a75)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 9d9a981fafff59fe3566aaa1313d568ff9353a75)

Bug 29300: Add 22.05 release team to teams.yaml

Add the 22.05 release team.

Test plan
1/ Check against
   https://wiki.koha-community.org/wiki/Release_Teams

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit cc8a49d2e3519efedb178412669a998ffe629225)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c4654df6735c596fe78ff448bb41ef768ff9ac17)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit ffeb0b619172922bd94ab472b2b6a4b0eca65bd1)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit ffeb0b619172922bd94ab472b2b6a4b0eca65bd1)

Bug 29524: (bug 28935 follow-up) Restore modification of some patron's attributes

On
  commit 5f37d8d2f496ce3c9fd6dfd5a2efa7a9fe435af3
  Bug 28935: No filtering on patron's data on member entry pages
we restricted the list of the columns from the borrowers table that can
be modified from the patron edit view.
We were too restrictive, the following 3 attributes can be edited from
this form: privacy_guarantor_fines, privacy_guarantor_checkouts,
checkprevcheckout and lang

Test plan:
Turn on the following prefs:
- AllowStaffToSetFinesVisibilityForGuarantor
- AllowStaffToSetCheckoutsVisibilityForGuarantor
- CheckPrevCheckout (set to 'unless overridden *')
- TranslateNotices
Edit a patron and see the 4 different options are now displayed.
Change their value, save, edit again
Confirm that the values have been saved

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 0ca1419b26be84f7670f60446e621cfd878f6580)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 04df6726ab9b9a14d7d0f2353c3b8cdc1d28b63e)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 04df6726ab9b9a14d7d0f2353c3b8cdc1d28b63e)

Bug 28772: DBRev 19.11.23.001

Note that this added back the following patch: "Bug 28772: Do not hash secrets twice"

https://bugs.koha-community.org/show_bug.cgi?id=29132
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Update release notes for 19.11.23 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Increment version for 19.11.23 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Translation updates for Koha 19.11.23

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 29032: Pre-load ILL backends to speed up response

Bug 22440 will rewrite the route and make it even more efficient by
prefetching the related data instead of performing several queries in
loops.

In the meantime, we can make this controller perform better with a
simple intervention: load backends once, and use the
$request->_backend() setter to pre-set it before using the objects.

To test:
1. Perform any usual ILL requests listing, try having several
=> FAIL: Notice it takes a weird amount of time to load
2. Apply this patch
3. Restart all
4. Repeat 1
=> SUCCESS: It feels fast enough!
5. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 7b1dc9d5f977aeb606cd2f766f3c3b8043d7a3f6)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit fa84d0704f85381cd7026d1c51cb832ade4ca870)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit be277cd4c6c348fe963f2f0debd2ca06a3dd3129)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit be277cd4c6c348fe963f2f0debd2ca06a3dd3129)

Bug 28676: Cache and retrieve match_count when searching a cached heading

We use match_count to determine if a new authority record should be created, however,
we were not adding this count to the cache, so if a record returned too many matches on first
lookup, we would create a new record on the second lookup

To test:
1 - Set Linker Module to 'Default'
2 - Enable  AutoCreateAuthorities  and  BiblioAddsAuthorities and  CatalogModuleRelink and LinkerRelink
3 - Add two copies of a single authority via Z39
4 - Add two headings for that authority to a bib record (e.g. a 610 and 710)
5 - Save the record and note a new authority is generated
6 - Repeat and see another is generated
7 - Apply patch
8 - Restart all the things
9 - Save the record again, no new authority created

Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit c46cefb7c505e31bf3c0683f1f5ce3e08a1cd6f4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 9d5150e4cd82b05bf0e7a62a5964d678fc363086)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 848ac85dcc5b35f3d71952f58efa33d3761047f8)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 848ac85dcc5b35f3d71952f58efa33d3761047f8)

Bug 28676: Unit test

Signed-off-by: Phil Ringnalda <phil@chetcolibrary.org>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@iki.fi>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 869f1c758cb78454c48e180f1533893b5dcb5d11)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 97dcf5ded6fa6602ee645f3f6431b52b843bc8b9)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit e30c1a5c08900a148d8799f3ec4c02126e865ffa)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit e30c1a5c08900a148d8799f3ec4c02126e865ffa)

Bug 28960: Explicitly call get_column

This patch adds get_column to ensure we are returning a string value of
a field rather than accidentally triggering a relationship accessor.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit c3ef810a546ac35557484e12d7c2ff10c471b62d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 9dbf469605a3e97e66cb079961da65f7240e0cef)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit be4fbeff29ebe35a1dddd72ae94736e9c73388e8)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit be4fbeff29ebe35a1dddd72ae94736e9c73388e8)

Update release notes for 19.11.22 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Increment version for 19.11.22 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Merge remote-tracking branch 'translate/19.11.22-translate-20210922' into 19.11.22security

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Translation updates for Koha 19.11.22

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Merge branch 'rmaint_19.11.x' into 19.11.22security

Bug 28772: [19.11.x] Fix Koha/Object.t

Koha::ApiKeys is no longer the simple object we need to test
Koha::Object->store, let use Koha::Library::Groups

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Revert "Bug 28772: Fix Koha/Object.t"

This reverts commit 711bde5f5729c9adaa0e61bc6776835511c3441d.

Bug 28772: Fix Koha/Object.t

Koha::ApiKeys is no longer the simple object we need to test
Koha::Object->store, let use Koha::Library::Groups
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 5c22a4ca6109d3c70ed8775168f9d19fd234b284)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 5c22a4ca6109d3c70ed8775168f9d19fd234b284)

Bug 28772: Fix auth_authenticate_api_request.t

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 17b2477d65cc2c0f0716556de65fd0e95ae6a590)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 17b2477d65cc2c0f0716556de65fd0e95ae6a590)

Revert "Bug 28772: Update existing keys [STABLE]"

This reverts commit e5c4127e8e42e71a25f20cf228eda821505a95fd.

Revert "Bug 28772: Do not hash secrets twice"

This reverts commit 9e087c7c8efefb84fedc650ef28959540a5c64dc.

Revert "Bug 28604: Prevent double encoding of MARC::Record::MiJ->to_mij output"

This reverts commit 5c89018abd5b209ae48ec853bad599f0d670c328.

Revert "Bug 28604: Regression tests"

This reverts commit c1a76b0d80b2d16bfb9160003cefe9f82557e832.

Bug 28772: Make validate_secret return 1|0

Not an empty string

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28772: (QA follow-up) Apply change to other dbrev too [STABLE]

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28772: Update existing keys [STABLE]

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28772: (QA follow-up) Fix wrong message

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28772: Do not hash secrets twice

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28772: Make secret validation use the new method

This patch makes the Koha::OAuth library use the new validation method

To test:
1. In master, enable RESTOAuth2ClientCredentials and have your
   superlibrarian patron a client_id/secret pair generated
2. Use Postman to gain an access token with the client_id/secret pair
=> SUCCESS: This works in Koha
3. Use the access token to GET /api/v1/patrons
=> SUCCESS: It works
4. Apply this patchset up to the regression tests
5. Run:
   $ updatedatabase
   $ koha-plack --restart kohadev
=> SUCCESS: All good
6. Repeat 2
=> FAIL: You get an error trying to acquire an access token. Boo
7. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail!
8. Apply this patch
9. Run:
   $ koha-plack --restart kohadev
   $ kshell
  k$ prove t/db_dependent/api/v1/oauth.t
=> SUCCESS: Tests pass!
10. Repeat 2
=> SUCCESS: Your original client_id/secret pair works!
11. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28722: Regression tests

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove tt/db_dependent/api/v1/oauth.t
=> FAIL: Tests fail!

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
https://bugs.koha-community.org/show_bug.cgi?id=28772

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28772: Display API secret once

This patch makes the apikeys.pl display the generated API secret once,
when generated. After that, it won't be displayed by the UI.

To test:
1. Generate a new API key
=> FAIL: The secret is displayed in the API keys table
2. Visit some other page, and go back to the API keys page
=> FAIL: The API key secret is there
3. Apply this patch
4. Go to More > Manage API keys
=> SUCCESS: It no longer displays the secret
5. Generate a new API key
=> SUCCESS: The API key details (including the secret) are displayed.
=> SUCCESS: A message telling to copy the secret because it won't be
            displayed again is shown.
6. Repeat 4
=> SUCCESS: The secret is no longer displayed
7. Sign off :-D

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28772: Add a warning about hash_password usage in updatedatabase.pl

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28772: Update existing keys

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28772: Make Koha::ApiKey->store encrypt the secret

This patch refactors the Koha::ApiKey class so:
- It encrypts the generated secret
- Allows accessing the plain text secret only immediately after the key
  creation (this implies that it won't be accessible if the key is
  fetched from the DB).
- It implements an allow list for attributes, that are not read only.
  Changing any other of them will make ->store throw an exception.
- A method for validating plain text secrets against the encrypted one
  is added.
- A method for accessing the plain text secret is added. Returns undef
  if the object is not 'fresh'.

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/ApiKey.t
=> SUCCESS: Tests pass! Expected behavior is confirmed
3. Sign off :-D

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28759: limit accessibility for "Manage API keys"

This patch limits the accessibility for "Manage API keys" section only
to superlibrarians and the owner of that said API key account.

The way it does it is by checking if user is superlibrarian or if
logged-in user is the same as a patron id/borrower number is the same
as logged-in user number both in template and apikeys.pl and making sure
the link is inaccessible or redirects to the 403 page if user tries to
go there directly.

To reproduce:
1) create/pick existing patron, set Staff access, allows viewing
of catalogue in staff interface (catalogue)" and "Add, modify and
iew patron information (borrowers)" permissions on;
2) enable "RESTOAuth2ClientCredentials" in sysprefs;
3) login with that user into staff interface;
4) check any other patron, go to the "More"->"Manage API keys" and
check that you can see, add delete their API keys;
5) apply patch;
6) with that same user try to access "Manage API keys" page again.
Ensure that you can't access that page of other patrons but can
access your own page and manage your own API keys.
7) log in with superlibrarian now and ensure that you can access every
"Manage API keys" page of every patron and apply changes there.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28941: Deal with OPACSuggestionUnwantedFields

Remove fields from OPACSuggestionUnwantedFields before creating the
suggestion

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
JD amended patch: remove useless sort

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28941: Filter suggestion inputs at the OPAC

The following sequence is bad:
46 my $suggestion      = $input->Vars;

181         &NewSuggestion($suggestion);

All columns can be set when we insert the suggestion into the DB
We definitely want to avoid the following fields to be set by the final
user: acceptedby, accepteddate, STATUS, etc...

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28935: (QA follow-up) Use BorrowerUnwantedField on staff client

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28935: No filtering on patron's data on member entry pages

Security patch. Follow-up for 28929.
Including correction for gonenoaddress and two others.
Includes unwanted fields too now.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28947: Prevent OPAC user to create new users

This patch prevents an existing user from exploiting the patron edit form in order to
force create new patrons

To test:
Try all combinations of PatronSelfRegistration and PatronSelfRegistrationVerifyByEmail
with and without this patch.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28929: Add selenium tests

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Bug 28929: (follow-up) Add exec flag to tests

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28929: Prevent flags to be sent during patron's edition

* selfreg and selfmod for OPAC
* patron's edition on staff

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Tested OPAC and staff side. Prevents mangling flags column.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28802: Fix Asset.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit bd572eccc4c5196392a8e4714706306c0d3259aa)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a4ed8dcd16b4ebbe1123f82866cfe1416fcdf556)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 9d670254528436002977911578dc7379346ca737)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28802: Untranslatable strings in browser.js

File koha-tmpl/intranet-tmpl/js/browser.js is not parsed by translation
process, which uses koha-tmpl/intranet-tmpl/prog/js/**/*.js
We must move it to prog/js.

Test plan :
1) Perform a search on staff interface
2) Click on a result
3) Check you see records browser

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 8eab53c8baa06cc429267c7d14f7a3919242a5b1)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 6cd8819016ebb913ee5ed59f0b42dcb68eafc72c)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit b6026fdf59678c8fbec144cc567b5c1748c45d94)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28632: Prevent api/v1/patrons.t to fail on dates comparison

 #   Failed test 'Returned patron from update matches expected'
 #   at t/db_dependent/api/v1/patrons.t line 537.
 #     Structures begin differing at:
 #          $got->{updated_on} = '2021-07-27T13:33:53+00:00'
 #     $expected->{updated_on} = '2021-07-27T13:33:52+00:00'
 # Looks like you failed 1 test of 42.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 5d922670184c66a48de07c0e9683824364b8e0be)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 832f488744339e3c103ab5d0d6dda24c89472ea9)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit f7e574b98d1e2bcfc6ee05c1380b15540bf981e8)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit f7e574b98d1e2bcfc6ee05c1380b15540bf981e8)

Bug 28644: [19.11.x] Fix calling borrowernumber on undefined value

If the hold is not found (e.g. already cancelled), we should
return earlier without crashing:
    Can't call method "borrowernumber" on an undefined value at /usr/share/koha/C4/Reserves.pm line 521
    (Note: line number from 19.11)

Test plan:
Run t/db_dependent/Reserves.t
Add a hold, go to user menu with holds in OPAC.
At the same time, cancel this hold from staff.
Now click the Cancel in OPAC.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Revert "Merge branch '19.11.xbug28644' into rmaint_19.11.x"

This reverts commit 2d8b74f96d161ed89d6b29baab174282574eefc3, reversing
changes made to c1e2202dd3acce2441dd221a7a9e2cb448077de0.

Merge branch '19.11.xbug28644' into rmaint_19.11.x

Bug 28644: [19.11.x] Fix calling borrowernumber on undefined value

If the hold is not found (e.g. already cancelled), we should
return earlier without crashing:
    Can't call method "borrowernumber" on an undefined value at /usr/share/koha/C4/Reserves.pm line 521
    (Note: line number from 19.11)

Test plan:
Run t/db_dependent/Reserves.t
Add a hold, go to user menu with holds in OPAC.
At the same time, cancel this hold from staff.
Now click the Cancel in OPAC.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28462: Remove line breaks in TT tags

Same as previous patch for other files.
Looks like the problem exists only with IF.

== test plan ==
1. See the problematic strings in a given language
     git grep "\bIF\b" misc/translator/po | grep -v '#' | grep '\bzh-Hant-TW'
2. update the language
   misc/translator/translate update zh-Hant-TW
3. Recheck the problematic strings, they aren't here anymore
4. Check the diff: git diff
   and search the if's with «/-.* IF » to see how the deleted strings
   look like and that it makes sense.

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 1ed9d5529f4f625216f3bcbfa5e8d43e56b3e0e7)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a67953b635f3511253aee1ceab9d327b9963ab9e)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 5b93c16365b6c7ea9dbea7c700e3416a841555a8)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28462: Remove TT tag on several lines - opac-advsearch.tt

It fixes the translation in case the operators have been translated

Test plan:
1. misc/translator/translate update pt-BR
2. In pt-BR-opac-bootstrap.po , find OpacAdvSearchMoreOptions
3. sabotage the translation part, like replacing IF with something else
4. misc/translator/translate install pt-BR
5. enable and use pt-BR and hit opac-advsearch.pl
6. Notice the error
   Template process failed: file error - parse error - /kohadevbox/koha/koha-tmpl/opac-tmpl/bootstrap/pt-BR/modules/opac-advsearch.tt line 409: unexpected token (e)                                                    [% IF (OpacAdvSearchMoreOptions and OpacAdvSearchMoreOptions.size> 0 e extended_options) ou (OpacAdvSearchOptions and OpacAdvSearchOptions.size> 0 e n expandido_options) %] at /kohadevbox/koha/C4/Templates.pm
7. Apply the patch and redo update and install of the language
8. Note that it's now working

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f60efe6e8e647651512a6a4275e7a1ce8a6f5f37)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit e2328c015f31de22eceb06ab122be251d7cd8319)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 2f982f239eccbf36832fd9b0b91e656d59d7a203)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28604: Prevent double encoding of MARC::Record::MiJ->to_mij output

This patch fixes a double-encoding issue with MiJ output.

Mojolicious' *text* renderer encodes the passed information according to
the request context. [1]

MARC::Record::MiJ->to_mij, conveniently encodes the string before
output [2].

This causes double encoding.

So the solution to this situation, is to use the *data* renderer, which
doesn't perform any encoding [3].

To test:
1. Apply the regression tests patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/biblios.t
=> FAIL: Tests contain diacritics and fail!
3. Have a record with diacritics
4. Try the API routes for fetching a biblio:
   $ curl --location --request GET 'http://localhost:8080/api/v1/public/biblios/144' \
          --header 'Accept: application/marc-in-json'
   (replace the record id with the one you've chosen)
=> FAIL: Boo, double encoding
5. Bonus point: you can try it on the non-public route, but you need
   more configuration boilerplate (basic auth, permissions). If you look
   at the fix, you will understand the tests cover it and no need to
   complicate yourself.
6. Apply this patch
7. Repeat 2
=> SUCCESS: Tests pass!
8. Repeat 4 (and maybe 5)
=> SUCCESS: No double encoding! Yay!
9. Sign off :-D

[1] https://metacpan.org/release/MRAMBERG/Convos-0.5/view/local/lib/perl5/Mojolicious/Guides/Rendering.pod#Rendering-text
[2] https://metacpan.org/dist/MARC-File-MiJ/source/lib/MARC/Record/MiJ.pm#L111
[3] https://metacpan.org/release/MRAMBERG/Convos-0.5/view/local/lib/perl5/Mojolicious/Guides/Rendering.pod#Rendering-data

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit cf44929d1ce70daff550a1e803f6bfe396332dbf)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit cec90fb3c2f0ba3e867b68c2c202dc7014e68056)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit f146bf38b12e3412f7aae01f66f7e6b097866dfd)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit f146bf38b12e3412f7aae01f66f7e6b097866dfd)

Bug 28604: Regression tests

This patch introduces regression tests for the encoding issue with MiJ
output.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit fc1e15029f617ac18cba8508b99159358c132724)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 083f1133d5c77444eb056c55de0acbb7204beebe)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 541f85701fcbca88473903985242db87c1780a4f)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 541f85701fcbca88473903985242db87c1780a4f)

Bug 28200: [Alternate] Remove unit test using abbreviated format

This patch removes the unit test that uses the abbreviated format,
since it's not supported in newer versions of Net::Netmask without
a workaround.

Test plan:
0. Set up Koha dev environment on Debian 11
1. perl t/Koha/Middleware/RealIP.t
2. Tests should pass

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Alvaro Cornejo <cornejo.alvaro@gmail.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Update release notes for 19.11.21 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Increment version for 19.11.21 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Translation updates for Koha 19.11.21

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28784: (QA follow-up) Remove num_paragraph cookie from include

Still found in opac-bottom.inc.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 2e60bbdb9bceb8a5b40eaebce4b542910f915e17)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 2e60bbdb9bceb8a5b40eaebce4b542910f915e17)

Bug 28784: [20.05.x] (follow-up) Always make three search boxes

The previous patch removed search_boxes_loop - that's okay, it was always
getting the same three values.

If we don't do something in the template though, we get no boxes

Ultimately this should be a include, and not a hardcoded loop, but keeping changes
small for backporting

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit d2ac53c7ee4edc02d4ea8442cf1af048ad935ec3)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit d2ac53c7ee4edc02d4ea8442cf1af048ad935ec3)

Bug 28784: Remove code related to num_paragraph cookie

It could lead to server freeze if set to a big value (we are pushing
into an array and so RAM is being fulfilled, and CPU is looping).

I don't understand the point of this cookie.

        var numPar = $("#booleansearch fieldset p").size();
        if (numPar > [% search_boxes_count | html %]){
            jQuery.cookie("num_paragraph", numPar,{ path: '/'});
        }else{
            jQuery.removeCookie("num_paragraph", { path: '/'});
        }

But "#booleansearch fieldset p" does not exist, it's not 'p' but 'div'
elements.

I've removed the code related to num_paragraph and the "Return to the
last advanced search" feature still works as before.

From this comment:
    # determine what to display next to the search boxes (ie, boolean option
    # shouldn't appear on the first one, scan indexes should, adding a new
    # box should only appear on the last, etc.

The only bit that is not working as described is "adding a new box
should only appear on the last", but it has been working this way for
a long time already I think, and I don't see it as a bug.

Test plan:
Read the code, check that the above is correct.
Search for regression in this "return to last adv search" feature added
by bug 13307.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit d951d300f92a595adf4e8f40f6b25b0dffa4b721)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit d951d300f92a595adf4e8f40f6b25b0dffa4b721)

Bug 28518: Display missing inputs for "Return to the last advanced search"

When more than 3 search terms are passed on the advanced search form,
the "Return to the last advanced search" feature does not display them.

Test plan:
Perform an adv search at the OPAC, enter more than 3 terms, launch the
search, click the "Return to the last advanced search" link and confirm
that all the entries are there.

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 75d67d46ce3df59c1460df44318439c40c14451b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a0bd7d7c5a7b3cb6eddce02facdc0798bd9ce205)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit a0bd7d7c5a7b3cb6eddce02facdc0798bd9ce205)

Bug 28675: (bug 27942 follow-up) Fix QOTD - add new quote

Bug 27942 has been written for master on top of bug 27251, and the code
differ a lot from what we have in <= 20.11.

This patch is quite ugly but it works, and is certainly the less painful
solution to fix stable branches.
Feel free to provide an alternative patch.

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
(cherry picked from commit 7f9fbeb579c516f97d79faca5150a772aa3d9f1a)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 5116982636aa63a2ec095ccb975e2a6119e8137a)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 5116982636aa63a2ec095ccb975e2a6119e8137a)

Update release notes for 19.11.20

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Increment version for 19.11.20 release

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Translation updates for Koha 19.11.20

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28524: Escape 'rank' in cat_issues_top.pl

It's a MySQL 8 keyword

Test plan:
Turn off strict_sql_modes (there are other problems in this script)
Hit Home Reports > Most-circulated items
Submit the form

Without this patch you got:
  You have an error in your SQL syntax; check the manual that
  corresponds to your MySQL server version for the right syntax to use
  near 'RANK, biblio.biblionumber AS ID, itemcallnumber as CALLNUM,
  ccode as CCODE, loca' at line 1

With this patch applied you see the report result view

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit ea214856d112e262f2ab7df223b6ab9bf673ee67)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit f27cfd734b78c947e60e5603f19055a9204b0ba3)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 8d7f065c03ac9085185fabf582dd74cc35ce9ce8)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 8d7f065c03ac9085185fabf582dd74cc35ce9ce8)

Bug 28523: Escape 'rank' in bor_issues_top.pl

It's a MySQL 8 keyword

Test plan:
Turn off strict_sql_modes (there are other problems in this script)
Hit Home Reports > Patrons with the most checkouts
Submit the form

Without this patch you got:
    You have an error in your SQL syntax; check the manual that
    corresponds to your MySQL server version for the right syntax to
    use near 'RANK, borrowers.borrowernumber AS ID FROM `old_issues`

With this patch applied you see the report result view

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 3a3537fd9333636aa0e52b06447ad3f74798dace)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 369c720beb56925871281b4edfd16f81410772cf)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 45777508b2ef931724f36d15d996d80844d54737)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 45777508b2ef931724f36d15d996d80844d54737)

Bug 28476: Update info in docs/teams.yaml file

to test...
 1/ apply patch
 2/ view 'about' page to confirm info is updated

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Looks good.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Bug 28476: Update info in docs/teams.yaml file (2)

oops, correct info

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit d544d09a3eba15b24836c74e69c298e207921ce6)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 8f2d00d63b97392680c87db0005f45d068e3d163)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 6eba8f9bf92b34c9090b2904ae232719a5f4622e)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 6eba8f9bf92b34c9090b2904ae232719a5f4622e)

Bug 28586: (follow-up) updated_by should be set

This patch makes the route set the 'updated_by' attribute as well, when
resolving a return claim through the API.

Tests are added for this behavior.

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/return_claims.t
=> SUCCESS: Tests pass! updated_by is set correctly!
3. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 343bf361e0417f10f79daff767c38c076d039b23)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ab02ae9c43dbbfda0bc977cbe952ebb01e0a0056)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit b6e26af2ec28a8b0435ba535ec38ba1528286aa6)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit b6e26af2ec28a8b0435ba535ec38ba1528286aa6)

Bug 28586: Pass the right parameter to resolve claim

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit f0c208bca84033ecfbeb51ca8e5dea75a8f80f2e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 513a471f1f4ea54ad2af59323802fee8bbb2bebd)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 99cdcaf4100509b80813e9f105efc0802d6cf239)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 99cdcaf4100509b80813e9f105efc0802d6cf239)

Bug 28482: [19.11.x] Refresh line from DB to get stored value

Before checking if the amount is 0 we get the stored value from the DB. This
ensures any amounts beyond the 6 digit precision we store will be removed.

To test:
1 - Add a processing fee of 15 to an itemtype
2 - Add an item of that type, set the replacement fee to 12.63
3 - Set MarkLostItemsAsReturned to 'On payment' only
4 - Set  WhenLostChargeReplacementFee to 'Charge'
5 - Checkout the item to a patron
6 - Mark the item lost
7 - Reload patron and confirm they are charged 27.63
8 - Go to accounting, pay amount, pay 27.63
9 - Item is still lost and not returned
10 - Apply patch
11 - Checkin the item
12 - Checkout to another patron
13 - Mark lost
14 - Patron charged 27.63
15 - Pay amount, 27.63
16 - Item returned!

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28482: [19.11.x] Unit test

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Fix test rebase

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 23653: [19.11] Add license information in about.pl

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
JD Amended patch
            <p>The included <a href="https://github.com/OAI/OpenAPI-Specification/blob/master/schemas/v2.0/schema.json">api/swagger-v2-schema.json</a> file is licensed under the[-the-] <a href="https://github.com/OAI/OpenAPI-Specification/tree/master/schemas/v2.0">Apache License, Version 2.0</a>, by the <a href="https://www.openapis.org/about">OpenAPI Initiative [-(OAI)</a></p>-]{+(OAI)</a>.</p>+}

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 23653: [19.11] Remove uneeded cond test

rel_file returns the path anyway

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 23653: [19.11] use local copy of swagger v2 schema

By default, JSON::Validator::OpenAPI tries to fetch the
swagger v2 schema from http://swagger.io/v2/schema.json.

If you've installed from CPAN, JSON::Validator::OpenAPI will
come with a cached copy, so it won't try to fetch it over HTTP.

However, if you've installed from libjson-validator-perl
from Debian/Ubuntu, the Debian package excludes the cached copy,
so JSON::Validator::OpenAPI tries to fetch it over HTTP.

Unfortunately, today and other days in the past, the file at
http://swagger.io/v2/schema.json has been unavailable, and this causes
Koha to crash in a perpetual loop.

This patch includes a copy of the swagger v2 schema, and it loads
it locally rather than fetching over HTTP.

The changes to Koha/REST/Plugin/PluginRoutes.pm are not required,
since the validator isn't currently called there, but I've added
a patch to future proof it.

To Test:
0a) Remove /usr/share/perl5/JSON/Validator/cache/36d1bd12eeed51e86c8695bd8876a9df
if it exists
0b) Block external access to http://swagger.io/v2/schema.json or
test during an outage when it's unavailable
0c) Do not apply patch
1) koha-plack --restart kohadev
2) Note that it crashes in a loop and is unavailable in web browser
3) Apply patch
4) koha-plack --restart kohadev
5) Note that Koha comes up and there are no errors in the Plack logs

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

Bug 28487: Fallback to default template in overdue_notices

There is no fallback to the "default" language if there is no
language-specific template for the lang of the patron.

I am not really sure why we are not using GetPreparredLetter here (which
defaults), but this needs to be backported into all stable branches and
so as small as possible.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 09fcc66ab89dd2c084dfe20d4b4dc43a5335b86a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0f9066903e64aa9eb6214beade0921962bd8d6db)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit f67344e523817b8825ec9310cb813e32762e5c6e)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit f67344e523817b8825ec9310cb813e32762e5c6e)

Bug 27495: Added Accessibility advocate role in team page

Test Plan
1. Click on 'About Koha' from the home page
2.Check on the  Koha Team page that the role Accessibility advocate is
listed under the Koha release teams and that the name of the person with
the role  appears.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 638f5106352fc1c5a758af06061a68f65264b791)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit b9f51b4ced6e4e9ff9237fdc95410c8f966d629d)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit c4faa4e17e0f9d7dff10fc27f83a363769a83d65)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit c4faa4e17e0f9d7dff10fc27f83a363769a83d65)

Bug 28442: Sort by lastname for array type roles

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit ac00d757ab3e30cd4db2fb9694d28847d009a218)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 41b78b68c1406a3cf3433d79036cb9b0fd28360b)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 8d6b7d3938b53c4e205763cbacf6ccc81878f995)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 8d6b7d3938b53c4e205763cbacf6ccc81878f995)

Bug 28442: Fix 'accessibility_advocate' for current release

The accessibility_advocate block was positioned incorrectly so wasn't
appearing properly for the current stable releases, only the
development/maintainter block.

This patch fixes that issue

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 3b427d79d69579d78a6bb2784edacc64aa781934)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit d7b4067d11d2c2301866ec63c0a94a6ce4845384)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit c537538a8c567141b522ae20cbb3b14056ca4564)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit c537538a8c567141b522ae20cbb3b14056ca4564)

Bug 28442: Update template for new roles

We have multiple accessibility advocates this cycle, so we needed to
adapt the template. I've also added the meeting facilitator as a case
but not added to the team block as a whole.. seeking opinions, perhaps
wait and see if it lasts more than a cycle before adding it fully?

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 16abe0f5321bc7165c1bf7051d6fa53f7608e0ec)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 8d13b6bdfcf24b5ad2236ab53d5dd488f63bf6d1)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 44aecafcb45963ae70bfe83f184bb4d5fdd5996a)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 44aecafcb45963ae70bfe83f184bb4d5fdd5996a)

Bug 28442: Add 21.11 release team to teams.yaml

Add the 21.11 release team.

Test plan
1/ Check against https://wiki.koha-community.org/wiki/Release_Teams

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 467e7e4788ae771c26004a6b5e2951ddf19ed82d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 4f603468d102fbe4f0e63561f18e3f242a6d3588)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 7b00f4fcf34566dbb82f6f31ef1fd053b92e60b4)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 7b00f4fcf34566dbb82f6f31ef1fd053b92e60b4)

Bug 28386: Sort authors by lastname || firstname

If several authors have the same lastname, they are swapped in the list between the different runs.

This is reusing the code from the release_tools, see issue #24

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 3e8b14aa8e07703c5e3d8a42b6431352e3883f68)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit adb61b53d361859b1b910d697ac4970c4c0c66b9)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 00710babcae5408e522bab1dff5e70c364fc627b)
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit 00710babcae5408e522bab1dff5e70c364fc627b)