Koha/members/pay.pl
Aleisha Amohia ddf494b18f Bug 19258: Preventing warns when paying a fine or charge from Pay selected button
The following warns are triggered when I click the Pay selected button:
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line 267,
this can lead to vulnerabilities. See the warning in "Fetching the
value or values of a single named parameter" at
/usr/share/perl5/CGI.pm line 436.
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_members_pay_2epl line
273, this can lead to vulnerabilities. See the warning in "Fetching
the value or values of a single named parameter" at
/usr/share/perl5/CGI.pm line 436.

To test:
1) Go to a members detail page in staff side and create a manual
invoice
2) Go to the pay fines tab, select the fine you just created and click
Pay selected
3) Notice warns
4) Apply patch and repeat steps 1 & 2
5) Warns should be gone

Sponsored-by: Catalyst IT

Signed-off-by: Mark Tompsett <mtompset@hotmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-09-07 14:39:09 -03:00


#!/usr/bin/perl
# Copyright 2000-2002 Katipo Communications
# Copyright 2010 BibLibre
# Copyright 2010,2011 PTFS-Europe Ltd
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
=head1 pay.pl
written 11/1/2000 by chris@katipo.oc.nz
Part of the Koha library system: a script to facilitate paying off fines.
=cut
use strict;
use warnings;
use URI::Escape;
use C4::Context;
use C4::Auth;
use C4::Output;
use CGI qw ( -utf8 );
use C4::Members;
use C4::Accounts;
use C4::Stats;
use C4::Koha;
use C4::Overdues;
use C4::Members::Attributes qw(GetBorrowerAttributes);
use Koha::Patrons;
use Koha::Patron::Images;
use Koha::Patron::Categories;
use URI::Escape;
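# Script flow: authenticate, load the patron, dispatch on whichever submit
# button was pressed (pay/write off all, selected, or a single line), and
# finally render the fines view.  Several branches hand off to
# paycollect.pl or boraccount.pl via an HTTP redirect.
our $input = CGI->new;

# Writing off everything needs the 'writeoff' sub-permission; every other
# action only needs 'remaining_permissions'.
my $updatecharges_permissions = $input->param('woall') ? 'writeoff' : 'remaining_permissions';

our ( $template, $loggedinuser, $cookie ) = get_template_and_user(
    {   template_name   => 'members/pay.tt',
        query           => $input,
        type            => 'intranet',
        authnotrequired => 0,
        flagsrequired   => { borrowers => 1, updatecharges => $updatecharges_permissions },
        debug           => 1,
    }
);

# Names of all submitted parameters.  The per-line form fields are found by
# pattern-matching these names (pay_indiv_N, wo_indiv_N, incl_par_N, ...).
my @names = $input->param;

our $borrowernumber = $input->param('borrowernumber');
if ( !$borrowernumber ) {
    $borrowernumber = $input->param('borrowernumber0');
}

# get borrower details
my $patron = Koha::Patrons->find($borrowernumber);
unless ($patron) {
    # Unknown patron: bounce to circulation.  The value came straight from
    # the request and has not matched a row, so escape it before placing it
    # in the redirect URL.
    my $escaped_bn = uri_escape_utf8( defined $borrowernumber ? $borrowernumber : q{} );
    print $input->redirect("/cgi-bin/koha/circ/circulation.pl?borrowernumber=$escaped_bn");
    exit;
}

my $category = $patron->category;
our $borrower = $patron->unblessed;
$borrower->{description}   = $category->description;
$borrower->{category_type} = $category->category_type;

our $user = $input->remote_user;
$user ||= q{};
our $branch = C4::Context->userenv->{'branch'};

my $writeoff_item = $input->param('confirm_writeoff');
my $paycollect    = $input->param('paycollect');
if ($paycollect) {
    print $input->redirect("/cgi-bin/koha/members/paycollect.pl?borrowernumber=$borrowernumber");
    # Stop here, as the "patron not found" branch above does: nothing else
    # should be processed or rendered once the redirect has been sent.
    exit;
}

my $payselected = $input->param('payselected');
if ($payselected) {
    payselected(@names);
}

my $writeoff_all = $input->param('woall');    # writeoff all fines
if ($writeoff_all) {
    writeoff_all(@names);
} elsif ($writeoff_item) {
    my $accountlines_id = $input->param('accountlines_id');
    my $amount          = $input->param('amountoutstanding');
    my $payment_note    = $input->param("payment_note");
    Koha::Account->new( { patron_id => $borrowernumber } )->pay(
        {   amount     => $amount,
            lines      => [ scalar Koha::Account::Lines->find($accountlines_id) ],
            type       => 'writeoff',
            note       => $payment_note,
            library_id => $branch,
        }
    );
}

# Per-line "pay" / "write off" buttons hand the line off to paycollect.pl.
for my $name (@names) {
    if ( $name =~ /^pay_indiv_(\d+)$/ ) {
        my $line_no = $1;
        redirect_to_paycollect( 'pay_individual', $line_no );
    } elsif ( $name =~ /^wo_indiv_(\d+)$/ ) {
        my $line_no = $1;
        redirect_to_paycollect( 'writeoff_individual', $line_no );
    }
}

$template->param(
    finesview      => 1,
    RoutingSerials => C4::Context->preference('RoutingSerials'),
);
add_accounts_to_template();
output_html_with_http_headers $input, $cookie, $template->output;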
sub add_accounts_to_template {
    # Populate the template with the patron's account lines, grouped by
    # notify id (only groups that actually have lines are included), the
    # overall total, and the patron fields the template expects.
    my ( $total, undef, undef ) = GetMemberAccountRecords($borrowernumber);

    my @accounts;
    for my $notify_id ( NumberNotifyId($borrowernumber) ) {
        my ( undef, $accountlines, undef ) = GetBorNotifyAcctRecord( $borrowernumber, $notify_id );
        next unless @{$accountlines};
        push @accounts, {
            accountlines => $accountlines,
            notify       => $notify_id,
            total        => AmountNotify( $notify_id, $borrowernumber ),
        };
    }

    borrower_add_additional_fields($borrower);
    $template->param(%$borrower);

    if ( Koha::Patron::Images->find( $borrower->{borrowernumber} ) ) {
        $template->param( picture => 1 );
    }

    $template->param(
        accounts     => \@accounts,
        borrower     => $borrower,
        categoryname => $borrower->{'description'},
        total        => $total,
    );
    return;
}
sub get_for_redirect {
    # Build one "&$name=value" query-string fragment from the request
    # parameter $name_in.  A missing parameter becomes 0 for money fields
    # and the empty string otherwise; money fields are formatted to two
    # decimals.  Note that the value is URI-escaped before the numeric
    # formatting is applied.
    my ( $name, $name_in, $money ) = @_;

    my $value =
        defined $input->param($name_in)
        ? uri_escape_utf8( scalar $input->param($name_in) )
        : undef;

    if ( !defined $value ) {
        $value = ( $money == 1 ) ? 0 : q{};
    }

    my $formatted = $money ? sprintf( '%.2f', $value ) : $value;
    return q{&} . $name . q{=} . $formatted;
}
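sub redirect_to_paycollect {
    # Redirect to paycollect.pl for a single account line, carrying that
    # line's form fields across in the query string.
    #
    # $action  - 'pay_individual' or 'writeoff_individual'
    # $line_no - the per-line form index captured from the button name
    #
    # Returns the result of printing the redirect.
    my ( $action, $line_no ) = @_;

    my $redirect = "/cgi-bin/koha/members/paycollect.pl?borrowernumber=$borrowernumber";
    $redirect .= q{&} . "$action=1";
    $redirect .= get_for_redirect( 'accounttype',       "accounttype$line_no",       0 );
    $redirect .= get_for_redirect( 'amount',            "amount$line_no",            1 );
    $redirect .= get_for_redirect( 'amountoutstanding', "amountoutstanding$line_no", 1 );
    $redirect .= get_for_redirect( 'description',       "description$line_no",       0 );
    $redirect .= get_for_redirect( 'title',             "title$line_no",             0 );
    $redirect .= get_for_redirect( 'itemnumber',        "itemnumber$line_no",        0 );
    $redirect .= get_for_redirect( 'notify_id',         "notify_id$line_no",         0 );
    $redirect .= get_for_redirect( 'notify_level',      "notify_level$line_no",      0 );
    $redirect .= get_for_redirect( 'accountlines_id',   "accountlines_id$line_no",   0 );

    # A missing note must not trigger an uninitialised-value warning or be
    # passed as undef; treat it as empty, as get_for_redirect does for the
    # other non-money fields.
    my $payment_note = $input->param("payment_note_$line_no");
    $payment_note = q{} unless defined $payment_note;
    $redirect .= '&payment_note=' . uri_escape_utf8($payment_note);

    # $user originates from the request (remote_user), so escape it like
    # every other value placed in the query string.
    $redirect .= '&remote_user=' . uri_escape_utf8($user);

    return print $input->redirect($redirect);
}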
sub writeoff_all {
    # Write off every account line submitted with the form, then send the
    # user on to the account page.  @params is the list of submitted
    # parameter names; each line is identified by an "accountlines_idN"
    # name whose index N selects the matching amount and note fields.
    my @params = @_;
    my $borrowernumber = $input->param('borrowernumber');

    for my $param_name (@params) {
        next unless $param_name =~ /^accountlines_id(\d+)$/;
        my $index = $1;

        my $outstanding     = $input->param("amountoutstanding$index");
        my $accountlines_id = $input->param("accountlines_id$index");
        my $note            = $input->param("payment_note_$index");

        my $account = Koha::Account->new( { patron_id => $borrowernumber } );
        $account->pay(
            {   amount     => $outstanding,
                lines      => [ scalar Koha::Account::Lines->find($accountlines_id) ],
                type       => 'writeoff',
                note       => $note,
                library_id => $branch,
            }
        );
    }

    print $input->redirect("/cgi-bin/koha/members/boraccount.pl?borrowernumber=$borrowernumber");
    return;
}
sub borrower_add_additional_fields {
    # Add the fields that a number of templates assume but that the
    # standard patron record does not carry.  This does not really belong
    # in this script; it lives here in lieu of a revised API.
    my ($patron_ref) = @_;
    my $category_type = $patron_ref->{category_type};

    if ( $category_type eq 'C' ) {
        # Child: offer the adult categories it could be upgraded to.
        my $adult_categories = Koha::Patron::Categories->search_limited(
            { category_type => 'A' },
            { order_by      => ['categorycode'] },
        );
        my $how_many = $adult_categories->count;
        $template->param( 'CATCODE_MULTI' => 1 ) if $how_many > 1;
        $template->param( 'catcode' => $adult_categories->next ) if $how_many == 1;
    } elsif ( $category_type eq 'A' || $category_type eq 'I' ) {
        $patron_ref->{adultborrower} = 1;
    }

    if ( C4::Context->preference('ExtendedPatronAttributes') ) {
        $patron_ref->{extendedattributes} = GetBorrowerAttributes($borrowernumber);
        $template->param( ExtendedPatronAttributes => 1 );
    }
    return;
}
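sub payselected {
    # Redirect to paycollect.pl with every account line whose "incl_par_N"
    # checkbox was submitted: the summed outstanding amount, the selected
    # accountlines ids, and the per-line notes joined by an encoded newline.
    # @params is the list of submitted parameter names.
    my @params = @_;

    my $amt = 0;
    my @lines_to_pay;
    for my $param_name (@params) {
        next unless $param_name =~ /^incl_par_(\d+)$/;
        my $index = $1;
        push @lines_to_pay, scalar $input->param("accountlines_id$index");
        $amt += $input->param("amountoutstanding$index");
    }

    # Notes are free text typed into the form.  URL-escape each one so that
    # characters such as '&', '#' or a newline cannot truncate or alter the
    # query string, and treat a missing note as empty rather than undef.
    # The "%0A" separator is kept as-is since paycollect expects it.
    # NOTE(review): notes are looked up by the accountlines id collected
    # above, so the form must use that same value in the note field name.
    my @notes = map {
        my $note = $input->param("payment_note_$_");
        uri_escape_utf8( defined $note ? $note : q{} );
    } @lines_to_pay;

    my $redirect =
          "/cgi-bin/koha/members/paycollect.pl?borrowernumber=$borrowernumber"
        . '&amt=' . $amt
        . '&selected=' . join( ',', @lines_to_pay )
        . '&notes=' . join( '%0A', @notes );
    print $input->redirect($redirect);
    return;
}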