
Bug 14449: Add authentication check on retrieving item info when receiving

The script catalogue/getitem-ajax.pl is called by acqui/orderreceive.pl
when an item is received.
There is no auth check done, which means anybody can retrieve item info.

Test plan:
With the acquisition => order_receive permission, try to receive an
item.
It should work.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

Very easy to test.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
3.22.x
Jonathan Druart 7 years ago
committed by Tomas Cohen Arazi
parent commit ea263a2284
  1. 9
      catalogue/getitem-ajax.pl

@ -21,6 +21,7 @@ use Modern::Perl;
use CGI qw ( -utf8 );
use JSON;
use C4::Auth;
use C4::Biblio;
use C4::Branch;
use C4::Items;
@ -28,6 +29,14 @@ use C4::Koha;
use C4::Output;
my $cgi = new CGI;
my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { acquisition => 'order_receive' } );
unless ($status eq "ok") {
print $cgi->header(-type => 'application/json', -status => '403 Forbidden');
print to_json({ auth_status => $status });
exit 0;
}
my $item = {};
my $itemnumber = $cgi->param('itemnumber');
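Review bot: every status other than "ok" returned by check_api_auth, an expired session included, is answered with 403 Forbidden and a JSON body of { auth_status => $status }, so the JavaScript in acqui/orderreceive.pl that calls this script should be checked to handle a 403 with that body rather than failing silently; the required permission is also hard-coded to acquisition => 'order_receive', so any other page that fetches item info through getitem-ajax.pl now needs that flag. Minor: $cookie and $sessionID are captured but not used anywhere in the hunk, and `my $cgi = new CGI;` uses indirect object syntax where `CGI->new` is the conventional form.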
