@kongtiaowang kongtiaowang commented Nov 29, 2018

Brief summary of changes

fix package.json
fix form.js
fix string to int in stats_demographic.class.inc
fix helper, imaging_upload and datadict

kongtiaowang and others added 30 commits August 14, 2018 10:11
…ces#3605)

Fix scroll bar appearing under frozen headers in react tables.
This removes magical IDs and replaces them by subquery pointing to the same entry. This was causing a failure in installing loris on any database where AUTO_INCREMENT > 1 (such as in clustered environments.)
When LORIS returns a 403, 404, or 500 error, a small template is shown to display that error. It currently says "Go to login page" when the URL actually points to baseURL. As a result this message is inaccurate when a user is already logged in as they'll be redirected to the dashboard (not logged out).
The HelpFile class has been changed to use the safe update function from the database class instead of the explicitly unsafe version.

unsafeupdate is to be used with caution, only when you know you need to insert HTML and know that you can trust it. This change fixes a security issue while preserving the markup functionality of the help editor. HTML will not directly render but Markdown will.
Make the 'lookupCenterNameUsing' configuration under the 'Imaging Pipeline' section of the config module a drop down instead of an open text field. The options of the drop down: PatientID, PatientName (which are the only valid values supported by the pipeline.)
This fixes the phan errors about function redeclarations.

These are mostly harmless and caused by different ajax endpoints
using the same function names with no namespacing, but it's better
to ensure we don't accidentally redeclare autoloaded functions in
a more dangerous context in the future.
Add two new methods to the database class: insertOnDuplicateUpdate() and unsafeInsertOnDuplicateUpdate()

These methods will attempt to insert a new row into the database given the query array passed as an argument. However, if one of the values to be inserted is a duplicate value for a unique key column, the query will be changed to an update statement for the row where the duplicate was found.

The unsafe version of the method will not escape insertion of HTML characters or JSON objects.

Reference:
https://dev.mysql.com/doc/refman/8.0/en/insert-on-duplicate.html
This does various code formatting cleanups in the statistics module in order to remove warnings, fix formatting, and generally make it easier to follow.
This aims to improve our workflow by encouraging developers to add more information to their new pull requests and encouraging developers to provide testing instructions.
This creates a React Loader component which can be displayed on reactified pages, while content is being loaded for the page.

This is the most basic version of the loader and can be altered in the future to include text, or potentially the loris logo.

It provides a sample implementation of the loader on the media module.
Remove main.css from the docs directory, which hasn't been maintained and isn't used by anyone or anything.
While CandID comes from the database and is expected to be trusted, this PR explicitly sanitizes the candID variable before it is injected into the href element so that people don't copy/paste the code into an unsafe context.
…ces#3885)

The config setting IncomingPath is not used anywhere in the code (neither in Loris nor Loris-MRI).

This removes from the configuration module the duplicated IncomingPath config setting under the Paths section. It also modifies the description and the labeling of the remaining incoming config setting MRIUploadIncomingPath to something more meaningful and generic as discussed during the imaging meeting of August 16th, 2018.

See also: https://redmine.cbrain.mcgill.ca/issues/15102
…500 (aces#3665)

This is to fix https://redmine.cbrain.mcgill.ca/issues/14445.

It results in a 401 error rather than a 500 error when a user tries to access an instrument when they are not logged in.
Fix check boxes in PR template.
BVL Feedback threads are unable to close for certain entries with large titles, because they don't fit in the fixed size feedback panel.

This replaces the panel with a relative unit and adds an `overflow: auto` CSS attribute to ensure that it is scrollable.
This normalizes the API v3 documentation markdown headers.
This removes the excelDump.php from the tools directory and adds it to deprecated, since it's known to not work with large datasets and results in a warning from composer about using a deprecated library every time you install/update LORIS.

Since the excelDump was the only thing using the library, the dependency is also removed from LORIS's composer.json/lock file.
Pull v20.0.1 into minor
…ax file (aces#3603)

This touches up the doc repo to enhance its readability, error reporting, and performance.
…ces#3914)

Initially, we assumed that consent date would only be given if status=yes. Therefore, if status=no but there is a consent date, it is assumed that consent was withdrawn, thus, a withdrawn date is required. The script validates there being a withdrawn date for withdrawn consent. However, some projects also collect a consent date for status=no, breaking down our assumption on withdrawal. This PR removes that validation.
This refactors the fix in aces#3721 in order to remove references
to superglobals. Instead, the variables are instantiated on the
module level from the PSR object so that the page can assume
they exist.
… in a time window basis (aces#3898)

Add ability to give users access to the system for a predefined time frame. "Active From" and "Active To" columns are added in user_accounts, which define a window in which the account may be used. This allows studies to either pre-create accounts that aren't active immediately, or expire accounts (or both.)

Thanks to CHU Sainte-Justine for this feature.
…pload (aces#3896)

Checks the filename for candidate uploads before attempting to place it onto the server. This causes it to fail earlier when possible rather than waiting until the entire file has been uploaded before providing an error message.
Inside the Demographic of the statistics module, undefined index errors were being printed. This uses isset to catch them.
…ntered in Utility.class.inc (aces#3930)

Fix warnings in media module and imaging uploader.
The default module router is supposed to delegate to the page
based on the first component of the path of the URL. A typo
means that it was using '@' instead of '/' to determine path
components, so it would only delegate to pages that have an
exact match.
Add react Checkbox element type to Form.js that can be used in any reactified form in LORIS.
John Saigle and others added 24 commits October 29, 2018 11:40
Fix a possible XSS exploit where someone could provide a javascript payload into the sessionID GET parameter.
…aces#4028)

Previously when a user had the media_write permission but not the media_read permission they could not access the module. Although this is probably a misconfiguration, it makes sense that if someone can upload files that they should also be able to browse them.
Imaging Uploader currently only checks if a file already exists on the front end. This adds a backend check for an existing mri_upload entry that is not being intentionally overwritten / updated.
Change all files in jsx directory refactored to ES6 standards within the candidate_parameters module.
Adds a log entry when a user enters the wrong password and changes the front-end error message to more accurately say "Invalid username" instead of "Invalid email."
Redirect /login and /projects API endpoints to the API module under Apache.
When an unauthenticated user tries to access the feedback pop up it will now go through proper 401/403 handling instead of calling functions that do not exist.
Add comment explaining that a month is 30 days for age calculations.
This merges the current bugfix branch into the minor branch.

Files with conflicts that might warrant closer review:
	modules/document_repository/php/document_repository.class.inc
	modules/media/js/mediaIndex.js
	modules/server_processes_manager/php/mriuploadserverprocess.class.inc
	modules/statistics/php/stats_demographic.class.inc
[Merge] Merge bugfix into minor branch
Fix incorrectly resolved conflict and ensure package.json is valid json.
This fixes some semantic merge conflicts and syntax errors that
were introduced by the original merge between major and minor.
Fixes regressions in phan caused by merging minor into major
@kongtiaowang kongtiaowang changed the title from "test minor merge major" to "[Test] Minor merge major" Dec 1, 2018
@driusan driusan merged commit 4daabc1 into aces:major Dec 3, 2018
@ridz1208 ridz1208 modified the milestones: 21.0.0, Branch Maintenance Dec 3, 2018