Marcel de Rooy
9eb80092e3
This patch makes sure that the added granular permissions work as
advertised.
Note: The field owner was not included in the Koha::Upload->get response.
The code to verify if a user is allowed to delete an upload, is concentrated
in the template now. When get returns a Koha::Object, this check could be
relocated.
Test plan:
[1] Verify that the current user has permission for tools, or has
at least upload_general_files.
[2] Do you see Upload in the Tools menu? Follow the link.
[3] Upload a permanent file (with a category).
[4] Do you see the Delete button in the results form?
[5] Make sure that another user has no permission to upload.
[6] Login as that user and check the Tools menu.
Try the URL [yourserver]/cgi-bin/koha/tools/upload.pl
You should have no access to the upload form.
[7] Enable upload_general_files for this user. Go to upload and search for
the upload from step 3. You should not see a Delete button.
[8] Enable upload_manage for this user. Search for the upload again.
Delete the upload.
[9] Go to upload via the Cataloguing editor (856$u plugin) or add
parameter "plugin=1" to the URL. You should not see the Tools menu.
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
104 lines
3.1 KiB
Prolog
Executable file
104 lines
3.1 KiB
Prolog
Executable file
#!/usr/bin/perl
|
|
|
|
# This file is part of Koha.
|
|
#
|
|
# Copyright (C) 2015 Rijksmuseum
|
|
#
|
|
# Koha is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Koha is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Koha; if not, see <http://www.gnu.org/licenses>.
|
|
|
|
use Modern::Perl;
|
|
use CGI qw/-utf8/;
|
|
use JSON;
|
|
|
|
use C4::Auth;
|
|
use C4::Output;
|
|
use Koha::Upload;
|
|
|
|
my $input = CGI::->new;
|
|
my $op = $input->param('op') // 'new';
|
|
my $plugin = $input->param('plugin');
|
|
my $index = $input->param('index'); # MARC editor input field id
|
|
my $term = $input->param('term');
|
|
my $id = $input->param('id');
|
|
my $msg = $input->param('msg');
|
|
|
|
my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
|
|
{ template_name => "tools/upload.tt",
|
|
query => $input,
|
|
type => "intranet",
|
|
authnotrequired => 0,
|
|
flagsrequired => { tools => 'upload_general_files' },
|
|
}
|
|
);
|
|
|
|
$template->param(
|
|
index => $index,
|
|
owner => $loggedinuser,
|
|
plugin => $plugin,
|
|
);
|
|
|
|
my $upar = $plugin ? { public => 1 } : {};
|
|
if ( $op eq 'new' ) {
|
|
$template->param(
|
|
mode => 'new',
|
|
uploadcategories => Koha::Upload->getCategories,
|
|
);
|
|
output_html_with_http_headers $input, $cookie, $template->output;
|
|
|
|
} elsif ( $op eq 'search' ) {
|
|
my $h = $id ? { id => $id } : { term => $term };
|
|
my @uploads = Koha::Upload->new($upar)->get($h);
|
|
$template->param(
|
|
mode => 'report',
|
|
msg => $msg,
|
|
uploads => \@uploads,
|
|
);
|
|
output_html_with_http_headers $input, $cookie, $template->output;
|
|
|
|
} elsif ( $op eq 'delete' ) {
|
|
# delete only takes the id parameter
|
|
my $upl = Koha::Upload->new($upar);
|
|
my ($fn) = $upl->delete( { id => $id } );
|
|
my $e = $upl->err;
|
|
my $msg =
|
|
$fn ? JSON::to_json( { $fn => 6 } )
|
|
: $e ? JSON::to_json($e)
|
|
: undef;
|
|
$template->param(
|
|
mode => 'deleted',
|
|
msg => $msg,
|
|
uploadcategories => $upl->getCategories,
|
|
);
|
|
output_html_with_http_headers $input, $cookie, $template->output;
|
|
|
|
} elsif ( $op eq 'download' ) {
|
|
my $upl = Koha::Upload->new($upar);
|
|
my $rec = $upl->get( { id => $id, filehandle => 1 } );
|
|
my $fh = $rec->{fh};
|
|
if ( !$rec || !$fh ) {
|
|
$template->param(
|
|
mode => 'new',
|
|
msg => JSON::to_json( { $id => 5 } ),
|
|
uploadcategories => $upl->getCategories,
|
|
);
|
|
output_html_with_http_headers $input, $cookie, $template->output;
|
|
} else {
|
|
my @hdr = $upl->httpheaders( $rec->{name} );
|
|
print Encode::encode_utf8( $input->header(@hdr) );
|
|
while (<$fh>) {
|
|
print $_;
|
|
}
|
|
$fh->close;
|
|
}
|
|
}
|