Bug 28941: Filter suggestion inputs at the OPAC
The following sequence is bad: 46 my $suggestion = $input->Vars; 181 &NewSuggestion($suggestion); All columns can be set when we insert the suggestion into the DB. We definitely want to avoid the following fields being set by the final user: acceptedby, accepteddate, STATUS, etc. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Julian Maurice <julian.maurice@biblibre.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
parent
e4f441cc14
commit
cc33f71b2a
1 changed files with 18 additions and 8 deletions
|
@ -38,12 +38,26 @@ use Koha::DateUtils;
|
||||||
my $input = CGI->new;
|
my $input = CGI->new;
|
||||||
my $op = $input->param('op') || 'else';
|
my $op = $input->param('op') || 'else';
|
||||||
my $biblionumber = $input->param('biblionumber');
|
my $biblionumber = $input->param('biblionumber');
|
||||||
my $suggestion = $input->Vars;
|
|
||||||
my $negcaptcha = $input->param('negcap');
|
my $negcaptcha = $input->param('negcap');
|
||||||
my $suggested_by_anyone = $input->param('suggested_by_anyone') || 0;
|
my $suggested_by_anyone = $input->param('suggested_by_anyone') || 0;
|
||||||
my $title_filter = $input->param('title_filter');
|
my $title_filter = $input->param('title_filter');
|
||||||
my $need_confirm = 0;
|
my $need_confirm = 0;
|
||||||
|
|
||||||
|
my $suggestion = {
|
||||||
|
title => scalar $input->param('title'),
|
||||||
|
author => scalar $input->param('author'),
|
||||||
|
copyrightdate => scalar $input->param('copyrightdate'),
|
||||||
|
isbn => scalar $input->param('isbn'),
|
||||||
|
publishercode => scalar $input->param('publishercode'),
|
||||||
|
collectiontitle => scalar $input->param('collectiontitle'),
|
||||||
|
place => scalar $input->param('place'),
|
||||||
|
quantity => scalar $input->param('quantity'),
|
||||||
|
itemtype => scalar $input->param('itemtype'),
|
||||||
|
branchcode => scalar $input->param('branchcode'),
|
||||||
|
patronreason => scalar $input->param('patronreason'),
|
||||||
|
note => scalar $input->param('note'),
|
||||||
|
};
|
||||||
|
|
||||||
# If a spambot accidentally populates the 'negcap' field in the sugesstions form, then silently skip and return.
|
# If a spambot accidentally populates the 'negcap' field in the sugesstions form, then silently skip and return.
|
||||||
if ($negcaptcha ) {
|
if ($negcaptcha ) {
|
||||||
print $input->redirect("/cgi-bin/koha/opac-suggestions.pl");
|
print $input->redirect("/cgi-bin/koha/opac-suggestions.pl");
|
||||||
|
@ -80,11 +94,6 @@ else {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
# don't pass 'negcap' column to DB, else DBI::Class will error
|
|
||||||
# DBIx::Class::Row::store_column(): No such column 'negcap' on Koha::Schema::Result::Suggestion at Koha/C4/Suggestions.pm
|
|
||||||
delete $suggestion->{negcap};
|
|
||||||
delete $suggestion->{$_} foreach qw<op suggested_by_anyone confirm>;
|
|
||||||
|
|
||||||
if ( $op eq 'else' ) {
|
if ( $op eq 'else' ) {
|
||||||
if ( C4::Context->preference("OPACViewOthersSuggestions") ) {
|
if ( C4::Context->preference("OPACViewOthersSuggestions") ) {
|
||||||
if ( $borrowernumber ) {
|
if ( $borrowernumber ) {
|
||||||
|
@ -152,12 +161,12 @@ if ( $op eq "add_confirm" ) {
|
||||||
elsif ( @$suggestions_loop >= 1 ) {
|
elsif ( @$suggestions_loop >= 1 ) {
|
||||||
|
|
||||||
#some suggestion are answering the request Donot Add
|
#some suggestion are answering the request Donot Add
|
||||||
for my $suggestion (@$suggestions_loop) {
|
for my $s (@$suggestions_loop) {
|
||||||
push @messages,
|
push @messages,
|
||||||
{
|
{
|
||||||
type => 'error',
|
type => 'error',
|
||||||
code => 'already_exists',
|
code => 'already_exists',
|
||||||
id => $suggestion->{suggestionid}
|
id => $s->{suggestionid}
|
||||||
};
|
};
|
||||||
last;
|
last;
|
||||||
}
|
}
|
||||||
|
@ -172,6 +181,7 @@ if ( $op eq "add_confirm" ) {
|
||||||
}
|
}
|
||||||
$suggestion->{suggesteddate} = dt_from_string;
|
$suggestion->{suggesteddate} = dt_from_string;
|
||||||
$suggestion->{branchcode} = $input->param('branchcode') || C4::Context->userenv->{"branch"};
|
$suggestion->{branchcode} = $input->param('branchcode') || C4::Context->userenv->{"branch"};
|
||||||
|
$suggestion->{STATUS} = 'ASKED';
|
||||||
|
|
||||||
&NewSuggestion($suggestion);
|
&NewSuggestion($suggestion);
|
||||||
$patrons_pending_suggestions_count++;
|
$patrons_pending_suggestions_count++;
|
||||||
|
|
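Review bot: The allowlist built in the first hunk fixes which columns a patron can set, but the values of the `itemtype` and `branchcode` entries still come straight from the request, and nothing on this page checks them against the configured item types or libraries before `NewSuggestion` stores them; unless `NewSuggestion` itself validates them, I'd look the two values up and fall back to the default when they are unknown. The intent of the hash is also worth stating in a comment above `my $suggestion = {`, e.g. `# Only fields a patron may set; STATUS, suggesteddate and the accepted*/managed* columns are assigned server-side.` The `scalar` on each `$input->param` call should stay, since a list-returning call inside a hash constructor would shift the keys. The `add_confirm` branch that the last hunk belongs to starts and ends outside the hunk.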