Koha/opac/opac-showmarc.pl
Mark Tompsett 9a76781f9e Bug 20083: (follow-up) use same logic in opac-showmarc
It was correctly pointed out that opac-showmarc would leak
the same way as catalogue/showmarc.pl, and so this patch
moves the authentication step up to the top where it
should be so as to prevent inappropriate data leaks.

TEST PLAN
---------
1) Set your OpacPublic system preference to Disabled
2) Open your OPAC and login
3) Find a biblio with items
4) Go to the opac details, particularly MARC view.
5) Copy the "view plain" shortcut link.
6) log out.
7) Paste the link into the address bar.
   -- the information will leak!
8) apply the patch
9) restart_all
10) Refresh the OPAC link
    -- log in screen will appear.
11) run koha qa test tools

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-04-04 15:45:34 -03:00

83 lines
2.5 KiB
Perl
Executable file

#!/usr/bin/perl
# Copyright 2007 Liblime
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
# standard or CPAN modules used
use CGI qw ( -utf8 );
use Encode;
# Koha modules used
use C4::Context;
use C4::Output;
use C4::Auth;
use C4::Biblio;
use C4::ImportBatch;
use C4::XSLT ();
use C4::Templates;
use Koha::RecordProcessor;
my $input = new CGI;
my ( $template, $loggedinuser, $cookie ) = get_template_and_user({
template_name => "opac-showmarc.tt",
query => $input,
type => "opac",
authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 ),
debug => 1,
});
my $biblionumber = $input->param('id');
$biblionumber = int($biblionumber);
my $importid= $input->param('importid');
my $view= $input->param('viewas') || 'marc';
my $record_processor = Koha::RecordProcessor->new({ filters => 'ViewPolicy' });
my $record;
if ($importid) {
my ($marc) = GetImportRecordMarc($importid);
$record = MARC::Record->new_from_usmarc($marc);
}
else {
$record = GetMarcBiblio({ biblionumber => $biblionumber });
my $framework = GetFrameworkCode($biblionumber);
$record_processor->options({
interface => 'opac',
frameworkcode => $framework
});
}
if(!ref $record) {
print $input->redirect("/cgi-bin/koha/errors/404.pl");
exit;
}
$record_processor->process($record);
if ($view eq 'card' || $view eq 'html') {
my $xml = $record->as_xml;
my $xsl = $view eq 'card' ? 'compact.xsl' : 'plainMARC.xsl';
my $htdocs = C4::Context->config('opachtdocs');
my ($theme, $lang) = C4::Templates::themelanguage($htdocs, $xsl, 'opac', $input);
$xsl = "$htdocs/$theme/$lang/xslt/$xsl";
output_html_with_http_headers $input, undef, Encode::encode_utf8(C4::XSLT::engine->transform($xml, $xsl));
}
else { #view eq marc
$template->param( MARC_FORMATTED => $record->as_formatted );
output_html_with_http_headers $input, $cookie, $template->output;
}