Bug 24879: Add check_cookie_auth when missing

This can certainly be improved to adjust the permissions, but at least
they are no longer opened to the world..

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

acqui/check_uniqueness.pl

@@ -37,6 +37,13 @@ use C4::Output qw( output_with_http_headers );
 use C4::Items qw( SearchItems );
 
 my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my @field = $input->multi_param('field[]');
 my @value = $input->multi_param('value[]');
 

catalogue/image.pl

@@ -33,6 +33,13 @@ use Koha::CoverImages;
 $| = 1;
 
 my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $imagenumber;
 
 =head1 NAME

cataloguing/plugin_launcher.pl

@@ -19,10 +19,18 @@
 
 use Modern::Perl;
 use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
 
 use Koha::FrameworkPlugin;
 
 my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $plugin= Koha::FrameworkPlugin->new( {
     name => scalar $input->param("plugin_name"),
 });

cataloguing/value_builder/barcode.pl

@@ -29,6 +29,16 @@ use Koha::DateUtils qw( dt_from_string );
 
 use Algorithm::CheckDigits qw( CheckDigits );
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};

cataloguing/value_builder/barcode_manual.pl

@@ -27,6 +27,16 @@ use C4::Barcodes::ValueBuilder;
 use C4::Biblio qw( GetMarcFromKohaField );
 use Koha::DateUtils qw( dt_from_string );
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};

cataloguing/value_builder/dateaccessioned.pl

@@ -21,6 +21,16 @@
 # along with Koha; if not, see <http://www.gnu.org/licenses>.
 
 use Modern::Perl;
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};

cataloguing/value_builder/marc21_field_005.pl

@@ -21,6 +21,16 @@
 
 use Modern::Perl;
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};

cataloguing/value_builder/marc21_field_245h.pl

@@ -20,7 +20,17 @@
 # along with Koha; if not, see <http://www.gnu.org/licenses>.
 
 use Modern::Perl;
-use C4::Context;
+
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 
 my $builder = sub {
     my ( $params ) = @_;

cataloguing/value_builder/marc21_field_260b.pl

@@ -27,6 +27,16 @@ biblioitems.publishercode
 use Modern::Perl;
 use C4::Context;
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     my $function_name = $params->{id};

cataloguing/value_builder/marc21_orgcode.pl

@@ -24,6 +24,15 @@ use Modern::Perl;
 use C4::Context;
 
 use Koha::Libraries;
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $builder = sub {
     my ( $params ) = @_;

cataloguing/value_builder/stocknumber.pl

@@ -21,6 +21,15 @@
 
 use Modern::Perl;
 use C4::Context;
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $builder = sub {
     my ( $params ) = @_;

cataloguing/value_builder/upload.pl

@@ -30,6 +30,16 @@ use Modern::Perl;
 # the possibility to delete the uploaded file. If the field is empty, you
 # can upload a new file.
 
+use CGI qw ( -utf8 );
+use C4::Auth qw( check_cookie_auth );
+my $input = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $input->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $input->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $builder = sub {
     my ( $params ) = @_;
     return <<"SCRIPT";

labels/label-create-csv.pl

@@ -26,6 +26,12 @@ use Text::CSV_XS;
 use C4::Labels;
 
 my $cgi = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $cgi->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $cgi->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $batch_id;
 my @label_ids;

labels/label-create-xml.pl

@@ -26,6 +26,12 @@ use XML::Simple;
 use C4::Labels;
 
 my $cgi = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $cgi->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $cgi->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
 
 my $batch_id;
 my @label_ids;

serials/lateissues-export.pl

@@ -27,6 +27,13 @@ use Koha::CsvProfiles;
 use Text::CSV_XS;
 
 my $query = CGI->new;
+my ($auth_status) =
+    check_cookie_auth( $query->cookie('CGISESSID'), { catalogue => 1 } );
+if ( $auth_status ne "ok" ) {
+    print $query->header( -type => 'text/plain', -status => '403 Forbidden' );
+    exit 0;
+}
+
 my $supplierid = $query->param('supplierid');
 my @serialids = $query->multi_param('serialid');
 my $op = $query->param('op') || q{};