f8ce3d88b1
The MARC Preview feature in the Staff client (catalogue/showmarc.pl) does not check whether a user is logged in or not. As a consequence, it can be used to obtain information that would normally be available to logged-in users only. For example, you can view any bibliographic record by passing a value to the 'id' argument, but you can also view records as they were imported (normally done via the 'Staged MARC management' tool). All three 17.11 installations currently listed at https://wiki.koha-community.org/wiki/Koha_Demo_Installations are affected by this issue, as demonstrated by the URLs below: http://koha.adminkuhn.ch:8080/cgi-bin/koha/catalogue/showmarc.pl?importid=1&viewas=html http://pro.demo1711-koha.test.biblibre.eu/cgi-bin/koha/catalogue/showmarc.pl?id=1000&viewas=html https://staff-kohademo.equinoxinitiative.org/cgi-bin/koha/catalogue/showmarc.pl?id=1&viewas=html It should be noted that this only applies to XSLT-enabled installations. Signed-off-by: Mark Tompsett <mtompset@hotmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
#!/usr/bin/perl
# Koha library project www.koha-community.org
# Copyright 2007 Liblime
# Parts copyright 2010 BibLibre
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation; either version 3 of the License, or (at your option) any later
# version.
#
# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with Koha; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
use Modern::Perl;
# standard or CPAN modules used
use CGI qw(:standard -utf8);
use DBI;
use Encode;
# Koha modules used
use C4::Context;
use C4::Output;
use C4::Auth;
use C4::Biblio;
use C4::ImportBatch;
use C4::XSLT ();
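# showmarc.pl - render one MARC record for the staff client, either through
# an XSLT stylesheet ('card' / 'html' views) or as plain formatted MARC.
#
# CGI parameters (all untrusted):
#   id       - biblionumber of a catalogue record
#   importid - id of a staged (not yet imported) record; when present it
#              takes precedence over 'id'
#   viewas   - 'card' or 'html' selects an XSLT view; any other value falls
#              back to the plain formatted template view
#
# Authentication: get_template_and_user() with authnotrequired => 0 and
# flagsrequired => { catalogue => 1 } is the control that keeps catalogue
# and staged-import data from being served to anonymous visitors. Do not
# relax it.
my $input = CGI->new;
my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
    {
        template_name   => "catalogue/showmarc.tt",
        query           => $input,
        type            => "intranet",
        authnotrequired => 0,
        flagsrequired   => { catalogue => 1 },
        debug           => 1,
    }
);

# Returns $value when it is a plain run of ASCII digits, otherwise undef.
# Record ids are used as database keys, so anything else is treated as
# "no such record" instead of being handed to the lookup functions.
sub _as_id {
    my ($value) = @_;
    return unless defined $value && $value =~ m/\A[0-9]+\z/;
    return $value;
}

# 'scalar' keeps a repeated parameter (id=1&id=2) from expanding into extra
# arguments; only the first value is used.
my $biblionumber = _as_id( scalar $input->param('id') );
my $importid     = _as_id( scalar $input->param('importid') );
my $view         = $input->param('viewas') || '';

my $record;
if ($importid) {
    # Staged record from the import batch, with its items embedded.
    $record = C4::ImportBatch::GetRecordFromImportBiblio( $importid, 'embed_items' );
}
else {
    $record = GetMarcBiblio( { biblionumber => $biblionumber } );
}
# A successful lookup yields a record object; a non-reference (undef or an
# empty string) means nothing was found, including an invalid id above.
if ( !ref $record ) {
    print $input->redirect("/cgi-bin/koha/errors/404.pl");
    exit;
}

if ( $view eq 'card' || $view eq 'html' ) {
    # Staged records carry no biblionumber, so their XML comes from the
    # record object; catalogue records are read back from the database.
    my $xml = $importid ? $record->as_xml() : GetXmlBiblio($biblionumber);

    # The stylesheet name is chosen from a fixed set, never from a request
    # parameter, so the path assembled below cannot be steered by the client.
    my $xsl;
    if ( $view eq 'card' ) {
        $xsl = C4::Context->preference('marcflavour') eq 'UNIMARC'
            ? 'UNIMARC_compact.xsl'
            : 'compact.xsl';
    }
    else {
        $xsl = 'plainMARC.xsl';
    }
    my $htdocs = C4::Context->config('intrahtdocs');
    my ( $theme, $lang ) = C4::Templates::themelanguage( $htdocs, $xsl, 'intranet', $input );
    $xsl = "$htdocs/$theme/$lang/xslt/$xsl";

    # NOTE(review): unlike the template branch below, this response does not
    # pass $cookie back to the client; presumably acceptable because the
    # session cookie is already set, but confirm if this page is expected to
    # refresh it.
    print $input->header( -charset => 'UTF-8' ),
        Encode::encode_utf8( C4::XSLT::engine->transform( $xml, $xsl ) );
}
else {
    $template->param( MARC_FORMATTED => $record->as_formatted );
    output_html_with_http_headers $input, $cookie, $template->output;
}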