Bug 24878: Add authentication checks to the calendar tool

There is a security hole in 2 scripts that are used by the UI to edit
holidays.

To test:
1) Go to Tools -> Calendar, for Centerville
   Check no holiday for 30/4/2020
2) To add a new holiday without login execute
   a curl command with necessary parameters
3) Reload the page from 1), verify the new holiday,
   edit and delete the holiday
4) Apply the patch
5) Do 2) again, this time you get a lengthy output,
   with the magic words:

   <title>Koha &rsaquo;
       Log in to Koha
   </title>

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
20.05.x
Jonathan Druart 4 years ago
committed by Martin Renvoize
parent
commit
d2b2c61ff9
Signed by: martin.renvoize GPG Key ID: 422B469130441A0F
  1. tools/exceptionHolidays.pl (3 lines changed)
  2. tools/newHolidays.pl (2 lines changed)

3
tools/exceptionHolidays.pl

@ -14,6 +14,9 @@ use Koha::DateUtils;
my $input = new CGI;
my $dbh = C4::Context->dbh();
checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet');
my $branchcode = $input->param('showBranchName');
my $weekday = $input->param('showWeekday');
my $day = $input->param('showDay');
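Review bot: the hunk header (+14,9) says three lines were added here, but only the `checkauth(...)` call is visible, and no `use C4::Auth;` appears in the shown context; `checkauth` is exported by C4::Auth, so please confirm the import is among the two lines not shown, otherwise the script dies with an undefined subroutine before the check runs. With `$noauth` set to 0 and `{tools => 'edit_calendar'}` as the required flag, an unauthenticated request is redirected to the login page and a logged-in user without the `edit_calendar` permission is rejected, which matches the test plan in the commit message. The return values (userid, cookie, session id, flags) are discarded, which is acceptable since this script never sends a cookie back; placing the call before any `$input->param(...)` is read is the right spot.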

2
tools/newHolidays.pl

@ -33,6 +33,8 @@ use Koha::DateUtils;
my $input = new CGI;
my $dbh = C4::Context->dbh();
checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet');
our $branchcode = $input->param('newBranchName');
my $originalbranchcode = $branchcode;
our $weekday = $input->param('newWeekday');
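Review bot: same question as for exceptionHolidays.pl: the header (+33,8) counts two added lines but only the `checkauth` line is visible, so the `use C4::Auth;` import that this call depends on must be the other one. The check sits after `C4::Context->dbh()` but before `newBranchName` and the other parameters are read, so no caller-controlled value reaches the database before the permission check, which is what closes the hole described in the commit message. One style point on the context line above: `new CGI` is indirect-object syntax; `CGI->new` would be the idiomatic form, though that is pre-existing code and not part of this fix.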
