Update release notes for 22.11.17 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Increment version for 22.11.17 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36149: Add userenv middleware to app.psgi

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 5cca1bdcd67a1a8fc8b0bb2aa6c666cccdb49fbb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 57b1c90e19e913e86e66fb1aa295950cba91985f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36149: (follow-up) POD and tidy

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 31943a5781aaaa9803ca87247eb7a663fb999fc5)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0534259c2cbdbb9d6e0ad56535d0c000eea3a629)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36149: Unset userenv from middleware

The userenv (logged in user's info) are stored in
$C4::Context->context->{activeuser}, which persists in plack worker's
memory.
It's really bad in theory as we are not cleaning it before or after the
HTTP request, but only when set_userenv is called (what we are doing
commonly in C4::Auth::get_template_and_user).
If C4::Context->userenv is called before set_userenv we should get undef,
not the userenv from the previous request!
In practice this should not be a problem, but well... who really knows?

This patch suggests to have a middleware to deal with removing the
userenv at the beginning of each request (maybe it should be after, right? - FIXME).

To test:
1 - Edit /etc/koha/sites/kohadev/koha-conf.xml to set <plack_workers>1</plack_workers>
2 - Edit about.pl  and add a line after: CGI->new:
    warn Data::Dumper::Dumper( C4::Cointext->userenv() );
3 - tail -f /var/log/koha/kohadev/*.log
4 - View about.pl in staff interface, should get a "somethign's wrong" warning
5 - Reload, you get current user info
6 - Open an incognito tab, sign in as a different user and click some stuff
7 - Reload about.pl in other window
8 - You get the opac user info
9 - Apply patch
10 - Edit /etc/koha/sites/kohadev/plack.psgi and add the middleware after "RealIP":
     enable "+Koha::Middleware::UserEnv";
11 - Restart all
12 - Reload about.pl - you get a "Something's wrong" warning
13 - Click things in opac on incognito window
14 - Reload about.pl  - only "Something's wrong" - you no longer see any user info

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 576e7e09fdca703f76c0d10ae55eebf12ee1fdf4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 3dd1cdd74ff004d1d218366a377fc91d8ae4e21d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 19613: Fix test for 22.11

Bug 19613: Use the 'note' profile

WNC amended patch: tidied

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 3cb586b72165bcbd029948f46407359be9d5e9a8)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 55931114b62557dfbbe01e7bcf0cd150b5733262)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 19613: Scrub borrowers fields: borrowernotes opacnote

To prevent XSS

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 83db8696ca7a83aba224a0ab645f03447a96887b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 383984a0164adabc79e91ad11e2e930f5e070ed9)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36532: Protect opac-dismiss-message.pl from malicious usages

Really bad design, NEVER retrieve the logged in user from the CGI
param!

See comment 1 for more info

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
(cherry picked from commit c92d38a6c603278e0d253c6e29731380c017ebb7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36511: Some scripts missing a dependency following Bug 24879

These files needed the addition of 'use C4::Auth qw( check_cookie_auth
);'.

To test, apply the patch and restart services.

- If necessary, enable the LocalCoverImages system preference.
- Open the browser console and then the "Network" tab. You can click
  "Images" to filter for the correct kind of request.
- Perform a catalog search. After the search has loaded, check that
  there are no 500 errors in the Network tab.

- Go to Cataloging -> Label creator.
- If necessary, create a label batch and add some items.
- Export your batch and test both the "Download as CSV" and "Download as
  XML" links. Both should trigger the correct download.

- Go to Serials -> Claims, and select a vendor with late issues.
- Select all late issues and click "Download selected claims" at the
  bottom of the page.
- Your CSV file should download correctly.

The file acqui/check_uniqueness.pl has been corrected as well but I'm
not sure how to test it!

Signed-off-by: danyonsewell <danyonsewell@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 747f5132311ea51ea6babbfc92a775ac0c67f93a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 01b22fb71d30f56d3102837b5c9b4cfdacbc9e76)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 72cead50b49efaad6349cf653b970e6f5b610475)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Merge remote-tracking branch 'security/22.11.x-security' into 22.11.x

Bug 34755: (Rmaint follow-up) Fix tests

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit f1803c71460c8e5668366c319d52e683d274605b)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34755: Backport Koha::Token change from bug 34478

This change includes the Koha::Token changes which uses
Koha::Session for generating and checking CSRF tokens.

0. Apply the patch and koha-plack --restart kohadev
1. Setup Keycloak OIDC SSO according to "Testing SSO"
wiki guide
2. In a regular window go to http://localhost:8080
3. In a private window go to http://localhost:8080 and click
the SSO "Log in with..." button, but don't log into Keycloak
4. In the regular window, login locally, and navigate to 5-6 pages
5. In the private window, log into Keycloak
6. Note that you are redirected back to Koha and logged in
successfully (no wrong_csrf_token error).

Signed-off-by: Olivier Hubert <olivier.hubert@inlibro.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 46c0419a11d56b078f1f8528e51bf1a78bd284e6)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 19f79fa6064664a69597b0b330dca9c538b816bf)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36098: Default to 'file' if pref does not exist

During the installer process there is a bunch of warnings
  "Use of uninitialized value $storage_method in string eq at"

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit e2440f2c617c48d77cc416857937b6fb18c34208)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit a42bce58b21c32868057dc0a45dde7580efae8f9)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 922928eb7def8016abdcb4a8b8396858421b9f71)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36098: (follow-up) extend test to check driver

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit c42ede262a24503c1f350a8d2639a391b86278bf)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 973b3ce069023ca6d06b29de8bdd0cd51736f2e6)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 95b21601296f3dd46419b92f7d5913189e44a9f4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36098: Fix storage_method pass

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 5572567143c10b424765149bd97c2aa99d577132)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 941f34626a0720afd2c00bb4990b9eac7bc9eda8)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 8914f906b4d5991e4c2814b4f1219d6abdd74fa2)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36098: Allow to pass storage_method

Will need this on follow-up bugs.

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 56d8ac247698f8755a8215245dffd000877d76e7)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit be03ca910f714e8991ff8e2e0163f3c0f9de2b08)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit ac8c0a8a4a0c1050ea23b283ebdd9d616bc187ef)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36098: (QA follow-up) Add POD to Koha::Session

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 09de3f820b5333e3f23f149f6b8c101d24ba15ed)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 0ff685f2289ea4e2c7aa1414f8e2e286fd8d6c84)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 96dc7d77c0ce1951a13de465ef837daaeadeebf6)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36098: Add Koha::Session module to ease session handling

This patch adds a Koha::Session module that makes it easier
to work with Koha sessions without needing the full C4::Auth module.

Test plan:
0. Apply the patch
1. Run the following unit tests:
prove ./t/db_dependent/Auth.t
prove ./t/db_dependent/Auth_with_cas.t
prove ./t/db_dependent/Koha/Session.t
2. Observe that they all pass

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 0e6537d199fe49a9e91e1c75f9462ddf1c878fed)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f927343a88ade7cf3fe860b60c41057e6ff39692)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit e19e066b4aa5635e0b53d3351d6c92c68cf20b97)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 24879: (follow-up) Fix test suite

Running cataloguing pluings (in cataloguing/value_builder) now requires
authentification.

This patch adds in failing unit tests a mock of C4::Auth::check_cookie_auth

Test with:
prove t/db_dependent/FrameworkPlugin.t t/db_dependent/Koha/UI/Form/Builder/Biblio.t t/db_dependent/Koha/UI/Form/Builder/Item.t t/db_dependent/Serials.t

(cherry picked from commit f8a23b8ef46aea60eda9211a3e89af85d650ac26)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
suite

Bug 36176: Exclude misc/releases_notes/*

(cherry picked from commit 93a68d2068264bbaad070f178182de638147c0a6)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34943: (QA follow-up) Use `before_biblio_action` and an `action` param

This patch harmonizes the hook name and parameters with the rest of the
codebase.

To test:
1. Apply this patch
2. Run:
   $ ktd --shell
  k$ qa
=> SUCCESS: All looks green, and tests still pass (i.e. they were
correctly adjusted to the new schema).
3. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 353f510c146cfcffc0bb488a8411755f111e5711)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34943: Implement `before_biblio_metadata_store` plugin hook

This patch implements a hook allowing record modification right before
they are written on the DB. The idea is that a plugin could be used to
add machine-generated fields/subfields.

To test:
1. Apply the unit tests patch
2. Run:
   $ ktd --shell
  k$ prove t/db_dependent/Koha/Plugins/Biblio_and_Items_plugin_hooks.t
=> FAIL: Tests fail! The hook is not implemented so the desired results
don't appear (added fields/subfields).
3. Apply this patch
4. Repeat 2
=> SUCCESS: It works!
5. Run:
  k$ qa -c 2
=> SUCCESS: All green!
6. Sign off :-D

Sponsored-by: Theke Solutions
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e78b7bdbe5c10e3d4a568a4560b28e46ab71a02f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34943: Unit tests

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit ddb2ab7a9fb7e91e10301158fe68d3dfdfae5fcc)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Update release notes for 22.11.16 release

Increment version for 22.11.16 release

Bug 36244: DBRev 22.11.15.001

Merge branch '22.11.x' into 22.11.x-security

Bug 24879: Exclude koha_perl_deps.pl

And tidy.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 171197bf2353c0c415d25be127073ad13a9d86bc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ab6e314da2bf24b2b93ee72e1adb312676321ed4)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 24879: Use perl shebang to list the exec

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit f4a52fbc317067b62881110557aeb2b2cc63c41e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5d713e293d5e3b28f1f0611855df88ea886de9e1)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 24879: Add check_cookie_auth when missing

This can certainly be improved to adjust the permissions, but at least
they are no longer opened to the world..

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 496c8c4e2d9199a38c796fdd6f63d89d8c6b215d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 309e976765f593d6ec2b857295dc58e57d58900e)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 24879: Adjust tests

Installer scripts cannot be run from the UI:
debian/templates/apache-shared-intranet.conf:RewriteRule ^/cgi-bin/koha/(C4|debian|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT]

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 6d61091f1ac8e66d2fdaac9a31530dfc7a7eb5fc)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 2cb014d18387eb87387f6a2dae34f5d16d774303)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 24879: Remove installer/externalmodules.pl

It is not used, if we need it back it must be moved to misc.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 90fe13e23976e2de81adc14fbabfb99660320989)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 917889bc77029ee632748e444523047b1aceed03)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 24879: Add new test to catch missing auth statement

in intranet scripts

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 8784a7e9ffe9fd5f22be133693d0d301f572e82d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 97ded9347cb21d4016f8d7cc42a360bad22490d7)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 31988: Remove reports/itemtypes.plugin

This "plugin system" is only used for the itemtypes report. We can
simply remove the reports/manager.pl script and this plugin in favor of
a dedicated report.

Test plan:
Same behaviour expected before and after this patch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Andrew Fuerste Henry <andrewfh@dubcolib.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 499fe0bea7d995358bd45da2bea7058d803f2b4e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit e2c5e7b88bb9bbc2888129a8f782841f6f5fcff9)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36322: Redirect docs dir to 404

http://localhost:8081/cgi-bin/koha/docs/CAS/CASProxy/examples/proxy_cas.pl

Test plan:
Hit the link
=> Erk
Copy the apache config to /etc/koha/apache-shared-intranet-git.conf
restart_all
Hit the link
=> 404

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0cf08303932eea945d5c90cca0d5ca18fe8923d6)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 01f70904548e64c73f0ddd81a5559b5c3c69b620)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36323: Move koha_perl_deps.pl to misc/devel

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit e865f1e1ae67266e822be2690dc5610b22cdded1)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5aaa696afed47906b3f25e440c9a9243dbc1d489)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36176: Reject cud- for stable branches

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 30999e675f1bb9d0088d1fbd355a552e25b42f20)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35960: Use .val() instead of string concat to prevent potential XSS

Test plan:
1. Log out
2. Go to /cgi-bin/koha/mainpage.pl#somestring"with<html>char
3. Open the brower's inspector and find "auth_forwarded_hash" input
4. Make sure the value attribute is there and corresponds to the URL's
   fragment. It should be URI-encoded.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit e6f8a4361e2975dfefcd9773fa61ef7d40300086)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 5409e17fb5abe0130f3cb2cd6c3d2a7707a5b251)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36244: Add atomic update to check for affected notices

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Fixed some typos in bug numbers and text.

Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 2e18611b7d8527c7ff9253a7669aad2c13a5afb0)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

Bug 36244: Do template toolkit processing first

To avoid injection of template toolkit code
from database fields that are controlled by
untrusted sources.

Test plan:

* review subtest 'Template toolkit syntax in
  parameters' in t/db_dependent/Letters.t
* Run the unit test:
  prove t/db_dependent/Letters.t

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 07ac3b0b9450f812bb48cfecf7bf3f47f63279b5)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 20353e094a952f506b9be7f21740e1001fbdeb69)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36244: Unit test for tt syntax in parameters

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 3f8b7785cd703f89de140108eb9347bf33a0c764)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 285f3093ed594d961c5618ed2b110f86f5467f35)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35942: OPAC user can enroll several times to the same club [23.05.x]

Test Plan:

1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab show 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9bdab108e22768b018b017ed7c0e0016270f2570)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35942: OPAC user can enroll several times to the same club [23.05.x]

Test Plan:

1) Create 3 clubs, 1 limited to library A, 1 limited to library B and one not limited
2) Use a patron with home library A.
3) Go to the opac-user page, "Clubs" tab show 0/2 (the one from library B is not listed)
4) Browse to /cgi-bin/koha/svc/club/enroll?id=1
5) Reload that page a couple times
6) Note the patron is now enrolled in the same club multiple times
7) Delete those enrollments
8) Apply this patch
9) Restart all the things!
10) Repeat steps 2-7, note the lack of duplicate enrollments!
11) Repeat steps 2-10 for the staff interface

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 9bdab108e22768b018b017ed7c0e0016270f2570)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Update release notes for 22.11.15 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Increment version for 22.11.15 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35518: Tidy the moved blocks

This patch just tidies the moved blocks to get us past the QA script
check.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit b577b6567045184adcb5bb55b7e5c70428e124ee)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1f182d45aba607dbfaf63c98f97b8615e5eea09d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35518: Check authentication and set userenv before fetching userenv variables

Currently we get the userenv before we have set it correctly for the session

To test:
 1 - Sign in as a user with fast cataloging permission
 2 - Bring up a patron, type gibberish into barcode field to get a fast cataloging link
 3 - Check the link, it should have your current signed in barcode
 4 - Sign in to a different browser with a different user and at a different branch
 5 - Bring up a aptron in circulation and type gibberish into barcode field to get a fast cataloging link
 6 - It may have your branch, but it may also have the other user's branch from the other window
 7 - Keep entering gibberish to get a link until one user has the correct branch
 8 - Then switch to the other browser, and keep entering gibberish, watch the branchcode change
 9 - Apply patch, restart all
10 - Test switching between browsers. generating fast cataloging links
11 - Users should now consistently have the correct branch

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 90b6f68616e2ba5ca3fcbbd9698c97ef41a45593)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 26722f2a08af99b9e3cb4eb50398df896085f527)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36034: (bug 34893 follow-up) fix capture of return values from checkpw

Adapt code to the change of return value type of checkpw
introduced in bug 34893

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 3280e5a99de92a3e8d33ccef71d3013bac4add68)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36034: Add test

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 80822f768978853fd661a53cd721c512aa74add2)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35941: Limit club list to those from the logged in user

clubs-tab get the patron's id from the parameter. At the OPAC we must
use the one from the logged in user, to prevent leak to other users

Test plan:
Have 2 clubs: A, B
Enroll to A with patron borrowernumber=1
Enroll to B with patron borrowernumber=2
Log in with patron 1 and hit:
  http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1
=> OK
Now hit
  http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2
=> oops

Apply this patch, try again.
The "borrowernumber" parameter is no longer used to fetch the club list.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e51ef7ef76a4ee523b302d724d80118185030e60)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

Bug 29510: RMaint fix test count

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 29510: Make objects.find call search_limited if present

This patch makes objects.find implicitly update the passed
*$result_set* to use search_limited. This way no object leaks could
happen without noticing.

To test:
1. Apply the regression tests patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/REST/Plugin/Objects.t
=> FAIL: Tests fail because search_limited is not used
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass! Results are correctly filtered based on userenv!
5. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit 1f1f0837cd2058ff8e953e6ae719c7513ad35927)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 36a1b9e4dff208b6b55ea50008984c7ca0fb298f)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 29510: Regression tests

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
(cherry picked from commit fe5dc0bdda78424437331cf83624c7606a3a54b4)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit eae197962ed7355df520b87870dc56edebe5392b)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34623: RMaint follow-up

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34623: Update jQuery-validate plugin to 1.20.0

This patch updates the jQuery validation plugin in both the staff
interface and the OPAC to the latest version, 1.20.0.

To test, apply the patch and clear your browser cache if necessary.

Test various pages in the staff client to confirm that form validation
works as expected:

 - Patron password change form:
   - Password must conform to minPasswordLength
   - Password must not contain leading/trailing spaces
   - Passwords must match

 - Administration -> Add or edit budget:
   - Description, start date, and end date are required
   - Start date must be before end date

 - Administration -> Add or edit Z39.50/SRU server:
   - Server name, hostname, port, and database are required
   - Port, rank, and timeout must be a number

Perform the same check of the "Change password" form in the OPAC.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 8deffec3155f54b7209f1465942fd8fbea23da5e)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 8c18a734930aa08823c344107db167c1937dc974)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 36072: opac-request-article should check syspref

Note: This is handled now just like opac-reserve.

Test plan:
Disable ArticleRequests and hit the page.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 8afcbe0bbb556cb19ff2e33e56cf3bcb8dd13d11)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c4d348651192eaed83d13df4f7d166b977690e6d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35918: Fix auto library connect (AutoLocation)

This code is a bit weird, its purpose it to auto select the library depending on the IP.
A problem appears if the same IP is used, then the user's choice will
might be overwritten randomly by another library.

To recreate the problem:
Turn on AutoLocation
Use koha/koha @CPL for test
And the following config:
*************************** 1. row ***************************
branchcode: CPL
branchname: Centerville
  branchip: 172.18.0.1
*************************** 2. row ***************************
branchcode: FFL
branchname: Fairfield
  branchip: 172.18.0.1
*************************** 3. row ***************************
branchcode: FPL
branchname: Fairview
  branchip: 172.18.0.4

Connect and select CPL. Randomly FFL will be picked instead.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Tested this on top of 35890 and 35904 because git bz said they were required dependencies.
Figured out the IP Koha was seeing me as coming from in /var/log/koha/kohadev/plack.log.
Added that IP to the branchip for Centerville, Fairfield and Fairview. Set AutoLocation = Yes.
After this I could recreate the problem: If i left the "Library" field in the login screen
at "My Library" I got logged into a random library selected from the three i had set
branchip for. Applying the patches fixed this, as expected.
Tests pass, with AutoLocation off.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 4efe74fe12075298680965db3605f717f1da10d0)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35918: Add test

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit e00cfb3c7b3954e545ad4b363bff48a8f4345d0a)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 7073d114577105537d448c49430eb546c0b435a2)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35890: RMaint quick fix to make tests work

Bug 35890: Remove var loggedin

It is never used and add confusion

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 0ce8cc4c05bc96503172018775ba574e41b40ecb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 16a7ac0fe71e74e28051cb5374923879c8c5213d)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35890: Reject login if IP is not valid

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 94e570d6af38c0061aeaad2ea25ab26bed2186f5)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit bfbe854b6c8943b2afdec9a690a20d9615949962)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35890: Add tests for AutoLocation

Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 85717a99c7ba20d3bef8e9ba15df6d0a86f368c6)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 6e4711d925ae705ecba6dcf78e030dc149c80017)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34893: (RMaint follow-up) Test plan correction

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 34893: [22.05] Add a Koha::Patron->update_lastseen method

Without this patch, we get an error trace whe calling AuthenticatePatron

The method Koha::Patron->update_lastseen is not covered by tests!

(cherry picked from commit 3417a7052a549bde30f0c5c400c9f228f107308f)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Bug 34893: (RMaint follow-up) Fix test plan

Merge mistake, just a simple correction to the test plan count was
needed.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

[RMaint follow-up] Fix executable permission on 22.11.12

The database updates should be executable.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Update release notes for 22.11.14 release

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Increment version for 22.11.14

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34893: Unit tests for C4::Auth::checkpw

This patch introduces some tests on the current (and new) behavior for
the `checkpw` function.

I needed it to better understand if an edge case was actually possible
(it wasn't).

Found a really minor annoyance for the internal check with expired
password not returning the $patron object for consistency with the other
use cases.

I think this method deserves (at least) changing the return value to a
sane data structure. But that's not target for backporting to stable
releases. So a separate bug.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 5476b18e7ea34e08d9dd163e2c446d5b223cf032)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 76bda46ad5a4916aa907f2eb11f81eaaedf19f37)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34893: (QA follow-up) Tidy code for qa script

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit a19a1d2079e562d62d766aa9f996a7586d73882d)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit ce00f161ab1c4145260159e5c779386c1f850a0b)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34893: Add checkpw change to REST API

This patch adds the checkpw return value change to the REST API
route for validating user identifiers and password.

Test plan:
0. Apply patch
1. prove t/db_dependent/api/v1/password_validation.t

Bonus points:
1. koha-plack --reload kohadev
2. Enable syspref RESTBasicAuth
3. curl -XPOST -H "Content-Type: application/json" \
-u <staff_userid>:<staff_password> \
-d '{"identifier":"<cardnumber>","password":"<password>"}' \
http://localhost:8081/api/v1/auth/password/validation
4. Validation doesn't fail. It gives you cardnumber, patron_id, userid

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit fc1ea85ed024a9789827a1c17376bfc18f19cef0)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 1cb97e995b8386c6f0684c11713ff1ecad12db62)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34893: ILS-DI can return the wrong patron for AuthenticatePatron

Imagine we have a set of users. Some of those users have a NULL userid. We then call AuthenticatePatron from ILS-DI for a patron with a NULL userid, but a valid cardnumber. We call checkpw, which returns the cardnumber and userid. We then call Koha::Patrons->find on the userid *which is null*, meaning the borrowernumber returned is not the correct one, but instead the earliest patron inserted into the database that has a NULL userid.

Test Plan:
1) Give three patrons a userid and a password
2) From the database cli, set all patrons's userid to null
   Run this query: update borrowers set userid = null;
3) Call AuthenticatePatron with username being the 1st patron cardnumber,
   and password being the password you set for that patron
   http://localhost:8080/cgi-bin/koha/ilsdi.pl?service=AuthenticatePatron&username=kohacard&password=koha
4) Note you get back a borrowernumber for a different patron. Refresh the page and the number is correct.
5) Do the same with the 2nd patron. Same issue at 1st and correct number after.
6) Apply this patch
7) Restart all the things!
8) Do the same with the 3rd patron.
9) Note you get the correct borrowernumber! :D
10) prove t/Auth.t t/db_dependent/Auth_with_ldap.t t/Auth_with_shibboleth.t t/db_dependent/Auth_with_cas.t

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 9ba199c2acc33873154c167e73e86a5e786084cb)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f6c2bdf2163239eddef379ff34e769dfdaeac9ca)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 34893: Add unit tests

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit 29782174570a331c1b9f1ac8196ce06364f8f691)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>

Bug 35204: Prevent an expired password from throwing a 500 error

Currently when a patron with an expired password is authenticated via the API a 500 error is returned rather than a 400 "Validation failed" error. This patch catches the return value for an expired password and returns the validation failure before the patron search is attempted.

Test plan:
1) Choose a patron and set their password expiry date to a date in the past
2) Send a request to auth/password/validation as an authenticated user with that patron's details
3) The response should be a 500 error
4) Apply patch
5) Repeat steps 1-3 and this time the response should be a 400 code with an error message of  "Password expired"

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit f3bb88505245228d97a4e39612b17a688df64a79)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit df9d4b0f55fa6b4c430a77686d8e00804eed88de)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 24f067b0cf220c035ba5773956d19e0a80a75044)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35204: Add unit tests

prove t/db_dependent/api/v1/password_validation.t

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
(cherry picked from commit 711f9a041a706ed3f025afd6da0259879396ea58)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 86be92a6084d4475b004f6ffce2e14fb21917f50)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 1fc5a820bbe99a1be084349ba4c166cca2ccf204)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

HTML release notes version

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Ultra minor fix on release notes

Release notes for 22.11.13 (dec 2023)

Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Version 22.11.13 (dec 2023)

Bug 35307: Add a hidden input for expired holds

To test:
 1 - Place 3 holds on a bib, each for a different patron
 2 - IN the db, set the first hold to be expired:
    UPDATE reserves SET expirationdate='2023-01-01' WHERE reserve_id=1;
 3 - Refresh the holds page for the biblio
 4 - Note the first hold now says 'Expired' in the expiration date column
 5 - Set an expiration date for the last hold
 6 - Click 'Update holds'
 7 - Note the date is applied to the second hold
 8 - Delete the holds
 9 - Apply patch
10 - Repeat 1-6
11 - Confirm only the correct hold is updated

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit ca5378cd946fd3c5496dab155ff112f0c245f71b)
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Bug 35254: [22.11.x] Add import_record_id to order inputs

This patch follows the logic of bug 32166 and adds specific inputs for each order to avoid any misalignment when some records are not imported

To test:
1 - Find a vendor in acquisitions
2 - Create or find an open basket
3 - Add to basket form a new file
4 - Stage file and add to basket
5 - Select the second record in the list
6 - Enter price info
7 - Save (don't forget, you need to set item type in the second tab)
8 - The order has no price info!
9 - Apply patch
10 - Repeat 3-7 above, staging file fresh
11 - Confirm order has correct prices
12 - Test with a file with many records
13 - Confirm any combination of choosing/skipping records works as expected

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>

Update release notes for 22.11.12 release

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>

Increment version for 22.11.12 release

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>

RMaint fix: Fix Koha version

Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>

Bug 35291: (QA follow-up) Tidying script for QA test tools

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>

Bug 35291: Validate filepaths in linking files

Validate that the files in linking files are contained within the ZIP.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>

Bug 35291: Don't allow symlinks for link files in cover image ZIP

There's no reason to allow symlinks for link files in cover image
ZIP files. Preventing their use prevents someone from uploading
a symlink pointing to an existing file on the Koha server.

Test plan:
0. Apply patch and restart/reload Koha
1. Create a PNG cover image
2. Create a datalink.txt file that contains something like the
following:
29,Untitled.PNG
3. Turn on "LocalCoverImages" system preference
4. Upload via http://localhost:8081/cgi-bin/koha/tools/upload-cover-image.pl
5. Go to http://localhost:8081/cgi-bin/koha/catalogue/detail.pl?biblionumber=29
6. Note the cover image has been uploaded

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>

Bug 35291: Prevent leaks from FS

Signed-off-by: David Cook <dcook@prosentient.com.au>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>

Bug 35290: (follow-up) Perltidy formatting corrections

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>

Bug 35290: Sanitize field input on cataloguing/ysearch.pl

This change sanitizies the field input on cataloguing/ysearch.pl

Test plan:
0. Apply the patch and restart/reload Koha
1a. "Add marc21_field_260b.pl plugin to 260$b in the Default framework"
1b. Go to http://localhost:8081/cgi-bin/koha/admin/marc_subfields_structure.pl?
op=add_form&tagfield=260&frameworkcode=#subbfield
1c. Choose "marc21_field_260b.pl" from the dropdown next to "Plugin"
1d. Click "Save changes"
2a. "Add new record"
2b. Go to http://localhost:8081/cgi-bin/koha/cataloguing/addbiblio.pl?frameworkcode=
3. Click on tab "2" and scroll down to 260 "b"
4. Type in "Ori" into 260 subfield b
5. Some autocomplete suggestions should appear

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Pedro Amorim <pedro.amorim@ptfs-europe.com>

Bug 35174: update control files for koha-l10n dependency package

 to test...

 - apply patch
 - build koha-common package
 - install koha-common package, and confirm koha-l10n package is installed

Bug 35174: Don't run gulp po commands if po dir is missing

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Bug 35174: Add misc/translator/po to .gitignore

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Bug 35174: Add a warning to the about page

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Bug 35174: Do not explode if po dir does not exist

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Bug 35174: Remove .po files from Koha

Bug 35012: Apply change to all events

We should not just look at Click.

Test plan:
[1] Apply the example patch for a Blur action in barcode.pl.
[2] Check that barcode.pl is active in your framework and that
    autoBarcode is not disabled.
[3] Open the browser dev console.
[4] Tab a few times through barcode in the neworderempty form of
    Acquisition. If you leave the field, the Blur event fires.
    => Without this patch you will see two console lines (FF may
    show a little '2' icon at the right side) added. With this
    patch just one.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jan Kissig <jkissig@th-wildau.de>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit e9326f0e86881f95fd79b2dd7a2e9578ab517116)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit c8685d088aa03b0e64b073b2db001a2df5335819)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

Bug 35012: Prevent Click handler firing twice

test plan:
a) build a new basket + order line using "item create on placing an order"
b) in the item creation dialog (neworderempty.pl) please use the webbrowsers dev tools to analyze the [...] button next to subfield d (Date acquired) and inspect the events that get fired by clicking
c) notice the Clicktag_952_subfield_d_* event gets fired twice.
d) apply patch and reload page
e) there should be only 1 click handler left (besides the jquery one), which points to the Clicktag_952_subfield_* function

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
See also bug 35298. You may have seen that the Focus event of dateaccessioned
did not fire. But that is related to use of Flatpickr in this plugin.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit ec3fe5d41e03d969b876f0948e81389b0a20df4c)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit f846ee85ecbe7f75e9ba842a7cae905813c909d4)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>

Bug 35276: Remove authentication params from suggestion hash

These would be forwarded to Koha::Objects->as_list and crash on
unknown column.

Test plan:
Logout from staff.
Enter URL /suggestion/suggestion.pl
Without this patch, it crashes. Now it does not.

Note: The crash may show auth_forwarded_hash but I also saw
koha_login_context passing by. Same issue.

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit e2821c7962ca7594f029f4c7fdb0c2f70028eb9b)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
(cherry picked from commit 898e0d79793e8ff9450242e8e6b2f1f97e2873f8)
Signed-off-by: Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com>