Koha/reserve/placerequest.pl
Galen Charlton ede20857ea bug 4816: require authentication for placerequest.pl
Otherwise, it was possible to construct a URL to place
hold requests without authorization.

Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
2010-05-25 23:30:51 -04:00

131 lines
4.9 KiB
Perl
Executable file

#!/usr/bin/perl
#script to place reserves/requests
#writen 2/1/00 by chris@katipo.oc.nz
# Copyright 2000-2002 Katipo Communications
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
#
# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with Koha; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
use strict;
use warnings;
use CGI;
use C4::Biblio;
use C4::Items;
use C4::Output;
use C4::Reserves;
use C4::Circulation;
use C4::Members;
use C4::Auth qw/checkauth/;
my $input = CGI->new();
my ($user, $cookie, $sesion_id, $flags) = checkauth($input, 0, { reserveforothers => 'place_holds' }, 'intranet');
my @bibitems=$input->param('biblioitem');
# FIXME I think reqbib does not exist anymore, it's used in line 82, to AddReserve of contraint type 'o'
# I bet it's a 2.x feature, reserving a given biblioitem, that is useless in Koha 3.0
# we can remove this line, the AddReserve of constrainttype 'o',
# and probably remove the reserveconstraint table as well, I never could fill anything in this table.
my @reqbib=$input->param('reqbib');
my $biblionumber=$input->param('biblionumber');
my $borrower=$input->param('member');
my $notes=$input->param('notes');
my $branch=$input->param('pickup');
my $startdate=$input->param('reserve_date') || '';
my @rank=$input->param('rank-request');
my $type=$input->param('type');
my $title=$input->param('title');
my $borrowernumber=GetMember('cardnumber'=>$borrower);
my $checkitem=$input->param('checkitem');
my $expirationdate = $input->param('expiration_date');
my $multi_hold = $input->param('multi_hold');
my $biblionumbers = $multi_hold ? $input->param('biblionumbers') : ($biblionumber . '/');
my $bad_bibs = $input->param('bad_bibs');
my %bibinfos = ();
my @biblionumbers = split '/', $biblionumbers;
foreach my $bibnum (@biblionumbers) {
my %bibinfo = ();
$bibinfo{title} = $input->param("title_$bibnum");
$bibinfo{rank} = $input->param("rank_$bibnum");
$bibinfos{$bibnum} = \%bibinfo;
}
my $found;
# if we have an item selectionned, and the pickup branch is the same as the holdingbranch
# of the document, we force the value $rank and $found .
if ($checkitem ne ''){
$rank[0] = '0' unless C4::Context->preference('ReservesNeedReturns');
my $item = $checkitem;
$item = GetItem($item);
if ( $item->{'holdingbranch'} eq $branch ){
$found = 'W' unless C4::Context->preference('ReservesNeedReturns');
}
}
if ($type eq 'str8' && $borrowernumber ne ''){
foreach my $biblionumber (keys %bibinfos) {
my $count=@bibitems;
@bibitems=sort @bibitems;
my $i2=1;
my @realbi;
$realbi[0]=$bibitems[0];
for (my $i=1;$i<$count;$i++) {
my $i3=$i2-1;
if ($realbi[$i3] ne $bibitems[$i]) {
$realbi[$i2]=$bibitems[$i];
$i2++;
}
}
my $const;
if ($multi_hold) {
my $bibinfo = $bibinfos{$biblionumber};
AddReserve($branch,$borrowernumber->{'borrowernumber'},$biblionumber,'a',[$biblionumber],
$bibinfo->{rank},$startdate,$expirationdate,$notes,$bibinfo->{title},$checkitem,$found);
} else {
if ($input->param('request') eq 'any'){
# place a request on 1st available
AddReserve($branch,$borrowernumber->{'borrowernumber'},$biblionumber,'a',\@realbi,$rank[0],$startdate,$expirationdate,$notes,$title,$checkitem,$found);
} elsif ($reqbib[0] ne ''){
# FIXME : elsif probably never reached, (see top of the script)
# place a request on a given item
AddReserve($branch,$borrowernumber->{'borrowernumber'},$biblionumber,'o',\@reqbib,$rank[0],$startdate,$expirationdate,$notes,$title,$checkitem, $found);
} else {
AddReserve($branch,$borrowernumber->{'borrowernumber'},$biblionumber,'a',\@realbi,$rank[0],$startdate,$expirationdate,$notes,$title,$checkitem, $found);
}
}
}
if ($multi_hold) {
if ($bad_bibs) {
$biblionumbers .= $bad_bibs;
}
print $input->redirect("request.pl?biblionumbers=$biblionumbers&multi_hold=1");
} else {
print $input->redirect("request.pl?biblionumber=$biblionumber");
}
} elsif ($borrowernumber eq ''){
print $input->header();
print "Invalid card number please try again";
print $input->Dump;
}