Bug 7550: SCO - Restrict access of patron's image

With this patch if SelfCheckoutByLogin is set to 'username and password', only the logged in user will be able to see the image linked to his/her logged in account. If set to "barcode" we generate a token but it can be easily generated. You should add a warning in the about page if SelfCheckoutByLogin="barcode" and ShowPatronImageInWebBasedSelfCheck="Show". How I tested: - Go to SCO - Log - Enable self checkout, go to [Your Server]//cgi-bin/koha/sco/sco-main.pl - Log in with a user 'A' who has a patron image - Copy the address of the patron image into an other browser window - Change the borrowernumber to on of an other user 'B' having a patron image - Verify that the patron image is NOT displayed Signed-off-by: Marc Véron <veron@veron.ch> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-19 14:09:12 -03:00 · 2017-04-19 14:09:12 -03:00 · 57f28f9ee4
commit 57f28f9ee4
parent 3ef6d2d515
3 changed files with 24 additions and 3 deletions
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
@ -204,7 +204,7 @@
                </div> <!-- / .span12/12 -->
                [% IF ( display_patron_image ) %]
                    <div class="span2">
-                        <img src="/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=[% borrowernumber %]" alt="" />
+                        <img src="/cgi-bin/koha/sco/sco-patron-image.pl?borrowernumber=[% borrowernumber %]&csrf_token=[% csrf_token %]" alt="" />
                    </div>
                [% END %]
            </div> <!-- / .row-fluid -->
--- a/opac/sco/sco-main.pl
+++ b/opac/sco/sco-main.pl
@ -34,7 +34,6 @@
 use Modern::Perl;

 use CGI qw ( -utf8 );
-use Digest::MD5 qw(md5_base64);

 use C4::Auth qw(get_template_and_user checkpw);
 use C4::Koha;
@ -48,6 +47,7 @@ use Koha::DateUtils qw( dt_from_string );
 use Koha::Acquisition::Currencies;
 use Koha::Patron::Images;
 use Koha::Patron::Messages;
+use Koha::Token;

 my $query = new CGI;

@ -302,6 +302,7 @@ if ($borrower->{cardnumber}) {
        $template->param(
            display_patron_image => 1,
            cardnumber           => $borrower->{cardnumber},
+            csrf_token           => Koha::Token->new->generate_csrf( { session_id => scalar $query->cookie('CGISESSID') . $borrower->{cardnumber}, id => $borrower->{userid}} ),
        ) if $patron_image;
    }
 } else {
--- a/opac/sco/sco-patron-image.pl
+++ b/opac/sco/sco-patron-image.pl
@ -22,6 +22,8 @@ use warnings;
 use C4::Service;
 use C4::Members;
 use Koha::Patron::Images;
+use Koha::Patrons;
+use Koha::Token;

 my ($query, $response) = C4::Service->init(circulate => 'self_checkout');

@ -35,10 +37,28 @@ unless (C4::Context->preference('ShowPatronImageInWebBasedSelfCheck')) {
 }

 my ($borrowernumber) = C4::Service->require_params('borrowernumber');
+my ($csrf_token) = C4::Service->require_params('csrf_token');

-my $patron_image = Koha::Patron::Images->find($borrowernumber);
+my $patron = Koha::Patrons->find( $borrowernumber );
+my $patron_image = $patron->image;

 if ($patron_image) {
+
+    unless (
+        Koha::Token->new->check_csrf(
+            {
+                session_id => scalar $query->cookie('CGISESSID')
+                  . $patron->cardnumber,
+                id => $patron->userid,
+                token => $csrf_token,
+            }
+        )
+      )
+    {
+
+        print $query->header(-type => 'text/plain', -status => '403 Forbidden');
+        exit;
+    }
    print $query->header(
        -type           => $patron_image->mimetype,
        -Content_Length => length( $patron_image->imagefile )