Koha/admin/edi_accounts.pl
Kyle Hall 40b1b61cbf
Bug 30649: Vendor EDI account passwords should be encrypted in the database
We are storing edi vendor acccount passwords in clear text in the
database. Now that Koha has the Koha::Encryption module, we should
use that to encrypt passwords for all existing and new EDI accounts.

Test Plan:
1) Apply this patch
2) Create one or more EDI vendor accounts
3) Run a report to view the account passwords, note they are in clear
   text
4) Run updatedatabase.pl
5) Re-run the report, account passwords should be encrypted now
6) Edit a vendor EDI account, note you can still view and update the
   password for an account

Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2023-05-15 18:23:49 -03:00

173 lines
5.2 KiB
Perl
Executable file

#!/usr/bin/perl
# Copyright 2011,2014 Mark Gavillet & PTFS Europe Ltd
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use CGI;
use C4::Auth qw( get_template_and_user );
use C4::Output qw( output_html_with_http_headers );
use Koha::Database;
use Koha::Encryption;
use Koha::Plugins;
our $input = CGI->new();
our $schema = Koha::Database->new()->schema();
our ( $template, $loggedinuser, $cookie ) = get_template_and_user(
{
template_name => 'admin/edi_accounts.tt',
query => $input,
type => 'intranet',
flagsrequired => { acquisition => 'edi_manage' },
}
);
my $crypt = Koha::Encryption->new;
my $op = $input->param('op');
$op ||= 'display';
if ( $op eq 'acct_form' ) {
show_account($crypt);
$template->param( acct_form => 1 );
my @vendors = $schema->resultset('Aqbookseller')->search(
undef,
{
columns => [ 'name', 'id' ],
order_by => { -asc => 'name' }
}
);
$template->param( vendors => \@vendors );
if ( C4::Context->config("enable_plugins") ) {
my @plugins = Koha::Plugins->new()->GetPlugins({
method => 'edifact',
});
$template->param( plugins => \@plugins );
}
}
elsif ( $op eq 'delete_confirm' ) {
show_account();
$template->param( delete_confirm => 1 );
}
else {
if ( $op eq 'save' ) {
# validate & display
my $id = $input->param('id');
my $password = scalar $input->param('password');
$password = $crypt->encrypt_hex($password);
my $fields = {
description => scalar $input->param('description'),
host => scalar $input->param('host'),
username => scalar $input->param('username'),
password => $password,
vendor_id => scalar $input->param('vendor_id'),
upload_directory => scalar $input->param('upload_directory'),
download_directory => scalar $input->param('download_directory'),
san => scalar $input->param('san'),
standard => scalar $input->param('standard'),
transport => scalar $input->param('transport'),
quotes_enabled => $input->param('quotes_enabled') ? 1 : 0,
invoices_enabled => $input->param('invoices_enabled') ? 1 : 0,
orders_enabled => $input->param('orders_enabled') ? 1 : 0,
responses_enabled => $input->param('responses_enabled') ? 1 : 0,
auto_orders => $input->param('auto_orders') ? 1 : 0,
id_code_qualifier => scalar $input->param('id_code_qualifier'),
plugin => scalar $input->param('plugin'),
};
if ($id) {
$schema->resultset('VendorEdiAccount')->search(
{
id => $id,
}
)->update_all($fields);
}
else { # new record
$schema->resultset('VendorEdiAccount')->create($fields);
}
}
elsif ( $op eq 'delete_confirmed' ) {
$schema->resultset('VendorEdiAccount')
->search( { id => scalar $input->param('id'), } )->delete_all;
}
# we do a default dispaly after deletes and saves
# as well as when thats all you want
$template->param( display => 1 );
my @ediaccounts = $schema->resultset('VendorEdiAccount')->search(
{},
{
join => 'vendor',
}
);
$template->param( ediaccounts => \@ediaccounts );
}
$template->param(
code_qualifiers => [
{
code => '14',
description => 'EAN International',
},
{
code => '31B',
description => 'US SAN Agency',
},
{
code => '91',
description => 'Assigned by supplier',
},
{
code => '92',
description => 'Assigned by buyer',
},
],
standards => [ 'BIC', 'EUR' ]
);
output_html_with_http_headers( $input, $cookie, $template->output );
sub get_account {
my $id = shift;
my $account = $schema->resultset('VendorEdiAccount')->find($id);
if ($account) {
return $account;
}
# passing undef will default to add
return;
}
sub show_account {
my $crypt = shift;
my $acct_id = $input->param('id');
if ($acct_id) {
my $acct = $schema->resultset('VendorEdiAccount')->find($acct_id);
$acct->password( $crypt->decrypt_hex($acct->password) );
if ($acct) {
$template->param( account => $acct );
}
}
return;
}