Merge branch 'develop' into 12178_CSRF_session_cookie_CSRF_protections

Author: ErykKul

conf/solr/solr-driver.sh

@@ -0,0 +1,6 @@
+### Breaking Changes
+
+All endpoints related to storage drivers have been moved out of the Admin API.
+
+- The GET, PUT, and DELETE endpoints for `/api/admin/dataverse/{alias}/storageDriver` have been moved to `/api/dataverses/{alias}/storageDriver`. Write operations continue to be accessible only to superusers, while GET methods are public.
+- The endpoint `/api/admin/dataverse/storageDrivers` has been made public, moved, and renamed to `/api/dataverses/{alias}/allowedStorageDrivers`. Regarding the name change, this endpoint will in the future only display the storage drivers that are allowed on the specified collection. For now, it will display the entire list of available drivers on the installation.

doc/release-notes/12141-storage-driver-endpoints.md

@@ -0,0 +1,5 @@
+This release offers improved support for Handles as persistent ids.
+
+The following issues are fixed:
+- When pid registration of persistent ids for files is enabled, Dataverse will create the handle as soon as the file is created (similary to other persistent id providers) (issue #12174);
+- When a new handle is created, for a dataset or file that is still a draft, it will be reserved and registered, but not visible publicly. The handle will become visible and the redirects will start working once it is published. This is also in line with how DOI providers work (issue #8881). 

doc/release-notes/12174-handle-improvements.md

@@ -0,0 +1,2 @@
+A new query parameter (`ignoreSettingExcludeEmailFromExport`) has been added to the ["View a Dataverse Collection"](https://guides.dataverse.org/en/latest/api/native-api.html#view-a-dataverse-collection) API (`/api/dataverses/{collectionId}`).
+This query parameter prevents the contact emails from being excluded when the setting `ExcludeEmailFromExport` is set to true and the user has EditDataverse permissions.

doc/release-notes/12194-ignore-exclude-email-setting-for-collections.md

@@ -0,0 +1,4 @@
+## Bug
+Guest requesting file download using :persistentId with guestbook response is now working.
+
+"persistentId" will be replaced by the actual fileId in the signed url that is returned by the POST call containing the guestbook response.

doc/release-notes/12245-anon-guestbook-download-via-persistentid.md

@@ -0,0 +1,4 @@
+## Feature
+
+Added Submit for Review dialog disclaimer messages (similar to Publish disclaimer messages). Can be set using setting :SubmitForReviewDatasetDisclaimerText
+ Also added :DatasetSubmitForReviewPopupCustomText to allow for custom text to be displayed in the dialog similar to the Publish dialog

doc/release-notes/12325-submit-for-review-message.md

@@ -50,31 +50,31 @@ Recursively assigns the users and groups having a role(s),that are in the set co
 Configure a Dataverse Collection to Store All New Files in a Specific File Store
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-To direct new files (uploaded when datasets are created or edited) for all datasets in a given Dataverse collection, the store can be specified via the API as shown below, or by editing the 'General Information' for a Dataverse collection on the Dataverse collection page. Only accessible to superusers. ::
+To direct new files (uploaded when datasets are created or edited) for all datasets in a given Dataverse collection, the store can be specified via the API as shown below, or by editing the 'General Information' for a Dataverse collection on the Dataverse collection page. Requires permission to edit the Dataverse collection (for example, the ``EditDataverse`` permission). ::
  
-    curl -H "X-Dataverse-key: $API_TOKEN" -X PUT -d $storageDriverLabel http://$SERVER/api/admin/dataverse/$dataverse-alias/storageDriver
+    curl -H "X-Dataverse-key: $API_TOKEN" -X PUT -d $storageDriverLabel http://$SERVER/api/dataverses/$dataverse-alias/storageDriver
 
 (Note that for ``dataverse.files.store1.label=MyLabel``, you should pass ``MyLabel``.)
 
 A store assigned directly to a collection can be seen using::
 
-    curl -H "X-Dataverse-key: $API_TOKEN" http://$SERVER/api/admin/dataverse/$dataverse-alias/storageDriver
+    curl -H "X-Dataverse-key: $API_TOKEN" http://$SERVER/api/dataverses/$dataverse-alias/storageDriver
 
 This may be null. To get the effective storageDriver for a collection, which may be inherited from a parent collection or be the installation default, you can use:: 
 
-    curl -H "X-Dataverse-key: $API_TOKEN" http://$SERVER/api/admin/dataverse/$dataverse-alias/storageDriver?getEffective=true
+    curl -H "X-Dataverse-key: $API_TOKEN" http://$SERVER/api/dataverses/$dataverse-alias/storageDriver?getEffective=true
 
 This will never be null.
 
 (Note that for ``dataverse.files.store1.label=MyLabel``, the JSON response will include "name":"store1" and "label":"MyLabel".)
 
 To delete a store assigned directly to a collection (so that the colllection's effective store is inherted from it's parent or is the global default), use::
 
-    curl -H "X-Dataverse-key: $API_TOKEN" -X DELETE http://$SERVER/api/admin/dataverse/$dataverse-alias/storageDriver
+    curl -H "X-Dataverse-key: $API_TOKEN" -X DELETE http://$SERVER/api/dataverses/$dataverse-alias/storageDriver
     
-The available drivers can be listed with::
+The available drivers within a collection can be listed with::
 
-    curl -H "X-Dataverse-key: $API_TOKEN" http://$SERVER/api/admin/dataverse/storageDrivers
+    curl -H "X-Dataverse-key: $API_TOKEN" http://$SERVER/api/dataverses/$dataverse-alias/allowedStorageDrivers
     
 (Individual datasets can be configured to use specific file stores as well. See the "Datasets" section below.)
 

doc/sphinx-guides/source/admin/dataverses-datasets.rst

@@ -549,8 +549,9 @@ You will need to reload your Solr schema via an HTTP-API call, targeting your So
 
 ``curl "http://localhost:8983/solr/admin/cores?action=RELOAD&core=collection1"``
 
-You can easily roll your own little script to automate the process (which might involve fetching the schema bits
-from some place else than your Dataverse installation).
+You can easily roll your own little script to automate the process
+(which might involve fetching the schema bits from some place else than your Dataverse installation).
+For your convenience, an example script :download:`solr-driver.sh <../../../../conf/solr/solr-driver.sh>` has been added.
 
 Please note that reconfigurations of your Solr index might require a re-index. Usually release notes indicate
 a necessary re-index, but for your custom metadata you will need to keep track on your own.

doc/sphinx-guides/source/admin/metadatacustomization.rst

@@ -10,12 +10,15 @@ This API changelog is experimental and we would love feedback on its usefulness.
 v6.11
 -----
 
+- The endpoints GET, PUT AND DELETE for `/api/admin/dataverse/{alias}/storageDriver` have been moved to `/api/dataverses/{alias}/storageDriver`.
+- The endpoint `/api/admin/dataverse/storageDrivers` has been moved and renamed to `/api/dataverses/{alias}/allowedStorageDrivers`. Regarding the change of the name, this endpoint will in the future only display the storageDrivers that are allowed on the specified collection, as of now, it will display the entire list of available Drivers on the installation.
 - The following API will now return ``403`` if the ``requireFilesToPublishDataset`` flag is set and the dataset version contains 0 files.
 
   - **/api/datasets/{Id}/submitForReview**
 
 - The Croissant :ref:`metadata export format <metadata-export-formats>` has been updated from version 1.0 to 1.1, which is reflected in the ``conformsTo`` property. The unused ``wd`` property has been dropped.
 
+
 v6.10
 -----
 - The following GET APIs will now return ``400`` if a required Guestbook Response is not supplied. A Guestbook Response can be passed to these APIs in the JSON body using a POST call. See the notes under :ref:`basic-file-access` and :ref:`download-by-dataset-by-version` for details.
@@ -38,7 +41,6 @@ v6.10
 
   - **/api/access/datafile/{id}/requestAccess**
 
-
 v6.9
 ----
 

doc/sphinx-guides/source/api/changelog.rst

@@ -185,6 +185,13 @@ Usage example:
 
   curl "https://demo.dataverse.org/api/dataverses/root?returnChildCount=true"
 
+If a user with EditDataverse permissions wants to ignore the setting ``ExcludeEmailFromExport`` in order to see the contact emails, they must include the ``ignoreSettingExcludeEmailFromExport`` query parameter.
+
+Usage example:
+
+.. code-block:: bash
+
+  curl -H "X-Dataverse-key:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" "https://demo.dataverse.org/api/dataverses/root?ignoreSettingExcludeEmailFromExport=true"
 
 To view an unpublished Dataverse collection:
 
@@ -6635,6 +6642,28 @@ The fully expanded example above (without environment variables) looks like this
 
   curl "https://demo.dataverse.org/api/info/settings/:DatasetPublishPopupCustomText"
 
+.. _show-custom-popup-for-submitting-for-review-datasets:
+
+Show Custom Popup Text for Submitting Datasets For Review
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+For now, only the value for the :ref:`:DatasetSubmitForReviewPopupCustomText` setting from the Configuration section of the Installation Guide is exposed:
+
+.. note:: See :ref:`show-disclaimer-for-submit-for-review-datasets` if you want the user to acknowledge before submitting for review.
+.. note:: See :ref:`curl-examples-and-environment-variables` if you are unfamiliar with the use of export below.
+
+.. code-block:: bash
+
+  export SERVER_URL=https://demo.dataverse.org
+
+  curl "$SERVER_URL/api/info/settings/:DatasetSubmitForReviewPopupCustomText"
+
+The fully expanded example above (without environment variables) looks like this:
+
+.. code-block:: bash
+
+  curl "https://demo.dataverse.org/api/info/settings/:DatasetSubmitForReviewPopupCustomText"
+
 .. _show-disclaimer-for-publishing-datasets:
 
 Show Disclaimer for Publishing Datasets
@@ -6657,6 +6686,27 @@ The fully expanded example above (without environment variables) looks like this
 
   curl "https://demo.dataverse.org/api/info/settings/:PublishDatasetDisclaimerText"
 
+.. _show-disclaimer-for-submit-for-review-datasets:
+
+Show Disclaimer for Submitting For Review Datasets
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The setting :ref:`:SubmitForReviewDatasetDisclaimerText`, when set, will prevent a draft dataset from being submitted for review through the UI without the user acknowledging the disclaimer.
+
+.. note:: See :ref:`curl-examples-and-environment-variables` if you are unfamiliar with the use of export below.
+
+.. code-block:: bash
+
+  export SERVER_URL=https://demo.dataverse.org
+
+  curl "$SERVER_URL/api/info/settings/:SubmitForReviewDatasetDisclaimerText"
+
+The fully expanded example above (without environment variables) looks like this:
+
+.. code-block:: bash
+
+  curl "https://demo.dataverse.org/api/info/settings/:SubmitForReviewDatasetDisclaimerText"
+
 .. _api-get-app-tou:
 
 Get Application Terms of Use (General Terms of Use)
@@ -8872,7 +8922,7 @@ A curl example using allowing access to a dataset's metadata
 
   curl -H "X-Dataverse-key:$API_KEY" -H 'Content-Type:application/json' -d "$JSON" "$SERVER_URL/api/admin/requestSignedUrl"
 
-Please see :ref:`dataverse.api.signature-secret` for the configuration option to add a shared secret, enabling extra
+Please see :ref:`dataverse.api.signing-secret` for the configuration option to add a shared secret, enabling extra
 security.
 
 .. _send-feedback-admin: