Koha/tools/letter.pl
Aleisha Amohia 700b7dfa09 Bug 7862: Preventing warns when creating a notice
To reproduce warns:
1) Go to Tools -> Notices & slips
2) Create a new notice of any module

Notice these warns:
Use of uninitialized value $code in regexp compilation at
/home/vagrant/kohaclone/tools/letter.pl line 265.
Use of uninitialized value $code in regexp compilation at
/home/vagrant/kohaclone/tools/letter.pl line 265.
Use of uninitialized value $code in regexp compilation at
/home/vagrant/kohaclone/tools/letter.pl line 265.

CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_svc_letters_get line 50, this
can lead to vulnerabilities. See the warning in "Fetching the value or
values of a single named parameter" at /usr/share/perl5/CGI.pm line 436.
CGI::param called in list context from package
CGI::Compile::ROOT::home_vagrant_kohaclone_svc_letters_get line 50, this
can lead to vulnerabilities. See the warning in "Fetching the value or
values of a single named parameter" at /usr/share/perl5/CGI.pm line 436.

3) Create a new notice of the Circulation module

Notice this additional warn:
Use of uninitialized value $code in pattern match (m//) at
/home/vagrant/kohaclone/tools/letter.pl line 258.

To test:
4) Apply patch and refresh page
5) Run steps 1-3 again and confirm no warns show

Sponsored-by: Catalyst IT
Signed-off-by: Maryse Simard <maryse.simard@inlibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2019-05-15 12:10:52 +00:00

478 lines
16 KiB
Perl
Executable file

#!/usr/bin/perl
# Copyright 2000-2002 Katipo Communications
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
=head1 tools/letter.pl
ALGO :
this script use an $op to know what to do.
if $op is empty or none of the values listed below,
- the default screen is built (with all or filtered (if search string is set) records).
- the user can click on add, modify or delete record.
- filtering is done on the code field
if $op=add_form
- if primary key (module + code) exists, this is a modification,so we read the required record
- builds the add/modify form
if $op=add_validate
- the user has just send data, so we create/modify the record
if $op=delete_form
- we show the record selected and ask for confirmation
if $op=delete_confirm
- we delete the designated record
=cut
# TODO This script drives the CRUD operations on the letter table
# The DB interaction should be handled by calls to C4/Letters.pm
use Modern::Perl;
use CGI qw ( -utf8 );
use C4::Auth;
use C4::Context;
use C4::Output;
use C4::Letters;
use Koha::Patron::Attribute::Types;
# $protected_letters = protected_letters()
# - return a hashref of letter_codes representing letters that should never be deleted
sub protected_letters {
my $dbh = C4::Context->dbh;
my $codes = $dbh->selectall_arrayref(q{SELECT DISTINCT letter_code FROM message_transports});
return { map { $_->[0] => 1 } @{$codes} };
}
our $input = new CGI;
my $searchfield = $input->param('searchfield');
my $script_name = '/cgi-bin/koha/tools/letter.pl';
our $branchcode = $input->param('branchcode');
$branchcode = '' if defined $branchcode and $branchcode eq '*';
my $code = $input->param('code');
my $module = $input->param('module') || '';
my $content = $input->param('content');
my $op = $input->param('op') || '';
my $redirect = $input->param('redirect');
my $dbh = C4::Context->dbh;
our ( $template, $borrowernumber, $cookie, $staffflags ) = get_template_and_user(
{
template_name => 'tools/letter.tt',
query => $input,
type => 'intranet',
authnotrequired => 0,
flagsrequired => { tools => 'edit_notices' },
debug => 1,
}
);
our $my_branch = C4::Context->preference("IndependentBranches") && !$staffflags->{'superlibrarian'}
? C4::Context->userenv()->{'branch'}
: undef;
# we show only the TMPL_VAR names $op
$template->param(
independant_branch => $my_branch,
script_name => $script_name,
searchfield => $searchfield,
branchcode => $branchcode,
action => $script_name
);
if ( $op eq 'add_validate' or $op eq 'copy_validate' ) {
add_validate();
if( $redirect eq "just_save" ){
print $input->redirect("/cgi-bin/koha/tools/letter.pl?op=add_form&branchcode=$branchcode&module=$module&code=$code&redirect=done");
exit;
} else {
$op = q{}; # we return to the default screen for the next operation
}
}
if ($op eq 'copy_form') {
my $oldbranchcode = $input->param('oldbranchcode') || q||;
my $branchcode = $input->param('branchcode');
add_form($oldbranchcode, $module, $code);
$template->param(
oldbranchcode => $oldbranchcode,
branchcode => $branchcode,
copying => 1,
modify => 0,
);
}
elsif ( $op eq 'add_form' ) {
add_form($branchcode, $module, $code);
}
elsif ( $op eq 'delete_confirm' ) {
delete_confirm($branchcode, $module, $code);
}
elsif ( $op eq 'delete_confirmed' ) {
delete_confirmed($branchcode, $module, $code);
$op = q{}; # next operation is to return to default screen
}
else {
default_display($branchcode,$searchfield);
}
# Do this last as delete_confirmed resets
if ($op) {
$template->param($op => 1);
} else {
$template->param(no_op_set => 1);
}
output_html_with_http_headers $input, $cookie, $template->output;
sub add_form {
my ( $branchcode,$module, $code ) = @_;
my $letters;
# if code has been passed we can identify letter and its an update action
if ($code) {
$letters = C4::Letters::GetLetterTemplates(
{
branchcode => $branchcode,
module => $module,
code => $code,
}
);
}
my $message_transport_types = GetMessageTransportTypes();
my $templates = { map { $_ => { message_transport_type => $_ } } sort @$message_transport_types };
my %letters = ( default => { templates => $templates } );
if ( C4::Context->preference('TranslateNotices') ) {
my $translated_languages =
C4::Languages::getTranslatedLanguages( 'opac',
C4::Context->preference('template') );
for my $language (@$translated_languages) {
for my $sublanguage( @{ $language->{sublanguages_loop} } ) {
if ( $language->{plural} ) {
$letters{ $sublanguage->{rfc4646_subtag} } = {
description => $sublanguage->{native_description}
. ' '
. $sublanguage->{region_description} . ' ('
. $sublanguage->{rfc4646_subtag} . ')',
templates => { %$templates },
};
}
else {
$letters{ $sublanguage->{rfc4646_subtag} } = {
description => $sublanguage->{native_description}
. ' ('
. $sublanguage->{rfc4646_subtag} . ')',
templates => { %$templates },
};
}
}
}
$template->param( languages => $translated_languages );
}
if ($letters) {
$template->param(
modify => 1,
code => $code,
);
my $first_flag_name = 1;
my ( $lang, @templates );
# The letter name is contained into each mtt row.
# So we can only sent the first one to the template.
for my $letter ( @$letters ) {
# The letter_name
if ( $first_flag_name and $letter->{name} ) {
$template->param(
letter_name=> $letter->{name},
);
$first_flag_name = 0;
}
my $lang = $letter->{lang};
my $mtt = $letter->{message_transport_type};
$letters{ $lang }{templates}{$mtt} = {
message_transport_type => $letter->{message_transport_type},
is_html => $letter->{is_html},
title => $letter->{title},
content => $letter->{content} // '',
};
}
}
else {
$template->param( adding => 1 );
}
$template->param(
letters => \%letters,
);
my $field_selection;
push @{$field_selection}, add_fields('branches');
if ($module eq 'reserves') {
push @{$field_selection}, add_fields('borrowers', 'reserves', 'biblio', 'biblioitems', 'items');
}
elsif ( $module eq 'acquisition' ) {
push @{$field_selection}, add_fields('aqbooksellers', 'aqorders', 'biblio', 'items');
}
elsif ($module eq 'claimacquisition' || $module eq 'orderacquisition') {
push @{$field_selection}, add_fields('aqbooksellers', 'aqbasket', 'aqorders', 'biblio', 'biblioitems');
}
elsif ($module eq 'claimissues') {
push @{$field_selection}, add_fields('aqbooksellers', 'serial', 'subscription', 'biblio', 'biblioitems');
}
elsif ($module eq 'serial') {
push @{$field_selection}, add_fields('branches', 'biblio', 'biblioitems', 'borrowers', 'subscription', 'serial');
}
elsif ($module eq 'suggestions') {
push @{$field_selection}, add_fields('suggestions', 'borrowers', 'biblio');
}
else {
push @{$field_selection}, add_fields('biblio','biblioitems'),
add_fields('items'),
{value => 'items.content', text => 'items.content'},
{value => 'items.fine', text => 'items.fine'},
add_fields('borrowers');
if ($module eq 'circulation') {
push @{$field_selection}, add_fields('opac_news');
}
if ( $module eq 'circulation' and $code and $code eq "CHECKIN" ) {
push @{$field_selection}, add_fields('old_issues');
} else {
push @{$field_selection}, add_fields('issues');
}
if ( $module eq 'circulation' and $code and $code =~ /^AR_/ ) {
push @{$field_selection}, add_fields('article_requests');
}
}
my $preview_is_available = 0;
if ($code) {
$preview_is_available = grep {/^$code$/} qw( CHECKIN CHECKOUT HOLD_SLIP );
}
$template->param(
module => $module,
SQLfieldnames => $field_selection,
branchcode => $branchcode,
preview_is_available => $preview_is_available,
);
return;
}
sub add_validate {
my $dbh = C4::Context->dbh;
my $branchcode = $input->param('branchcode');
my $module = $input->param('module');
my $oldmodule = $input->param('oldmodule');
my $code = $input->param('code');
my $name = $input->param('name');
my @mtt = $input->multi_param('message_transport_type');
my @title = $input->multi_param('title');
my @content = $input->multi_param('content');
my @lang = $input->multi_param('lang');
for my $mtt ( @mtt ) {
my $is_html = $input->param("is_html_$mtt");
my $title = shift @title;
my $content = shift @content;
my $lang = shift @lang;
my $letter = C4::Letters::getletter( $oldmodule, $code, $branchcode, $mtt, $lang );
# getletter can return the default letter even if we pass a branchcode
# If we got the default one and we needed the specific one, we didn't get the one we needed!
if ( $letter and $branchcode and $branchcode ne $letter->{branchcode} ) {
$letter = undef;
}
unless ( $title and $content ) {
# Delete this mtt if no title or content given
delete_confirmed( $branchcode, $oldmodule, $code, $mtt, $lang );
next;
}
elsif ( $letter and $letter->{message_transport_type} eq $mtt and $letter->{lang} eq $lang ) {
$dbh->do(
q{
UPDATE letter
SET branchcode = ?, module = ?, name = ?, is_html = ?, title = ?, content = ?, lang = ?
WHERE branchcode = ? AND module = ? AND code = ? AND message_transport_type = ? AND lang = ?
},
undef,
$branchcode || '', $module, $name, $is_html || 0, $title, $content, $lang,
$branchcode, $oldmodule, $code, $mtt, $lang
);
} else {
$dbh->do(
q{INSERT INTO letter (branchcode,module,code,name,is_html,title,content,message_transport_type, lang) VALUES (?,?,?,?,?,?,?,?,?)},
undef,
$branchcode || '', $module, $code, $name, $is_html || 0, $title, $content, $mtt, $lang
);
}
}
# set up default display
default_display($branchcode);
return 1;
}
sub delete_confirm {
my ($branchcode, $module, $code) = @_;
my $dbh = C4::Context->dbh;
my $letter = C4::Letters::getletter($module, $code, $branchcode);
my @values = values %$letter;
$template->param(
letter => $letter,
);
return;
}
sub delete_confirmed {
my ($branchcode, $module, $code, $mtt, $lang) = @_;
C4::Letters::DelLetter(
{
branchcode => $branchcode || '',
module => $module,
code => $code,
mtt => $mtt,
lang => $lang,
}
);
# setup default display for screen
default_display($branchcode);
return;
}
sub retrieve_letters {
my ($branchcode, $searchstring) = @_;
$branchcode = $my_branch if $branchcode && $my_branch;
my $dbh = C4::Context->dbh;
my ($sql, @where, @args);
$sql = "SELECT branchcode, module, code, name, branchname
FROM letter
LEFT OUTER JOIN branches USING (branchcode)
";
if ($searchstring && $searchstring=~m/(\S+)/) {
$searchstring = $1 . q{%};
push @where, 'code LIKE ?';
push @args, $searchstring;
}
elsif ($branchcode) {
push @where, 'branchcode = ?';
push @args, $branchcode || '';
}
elsif ($my_branch) {
push @where, "(branchcode = ? OR branchcode = '')";
push @args, $my_branch;
}
$sql .= " WHERE ".join(" AND ", @where) if @where;
$sql .= " GROUP BY branchcode,module,code,name,branchname";
$sql .= " ORDER BY module, code, branchcode";
return $dbh->selectall_arrayref($sql, { Slice => {} }, @args);
}
sub default_display {
my ($branchcode, $searchfield) = @_;
unless ( defined $branchcode ) {
if ( C4::Context->preference('DefaultToLoggedInLibraryNoticesSlips') ) {
$branchcode = C4::Context::mybranch();
}
}
if ( $searchfield ) {
$template->param( search => 1 );
}
my $results = retrieve_letters($branchcode,$searchfield);
my $loop_data = [];
my $protected_letters = protected_letters();
foreach my $row (@{$results}) {
$row->{protected} = !$row->{branchcode} && $protected_letters->{ $row->{code} };
push @{$loop_data}, $row;
}
$template->param(
letter => $loop_data,
branchcode => $branchcode,
);
}
sub add_fields {
my @tables = @_;
my @fields = ();
for my $table (@tables) {
push @fields, get_columns_for($table);
}
return @fields;
}
sub get_columns_for {
my $table = shift;
# FIXME untranslatable
my %column_map = (
aqbooksellers => '---BOOKSELLERS---',
aqorders => '---ORDERS---',
serial => '---SERIALS---',
reserves => '---HOLDS---',
suggestions => '---SUGGESTIONS---',
);
my @fields = ();
if (exists $column_map{$table} ) {
push @fields, {
value => q{},
text => $column_map{$table} ,
};
}
else {
my $tlabel = '---' . uc $table;
$tlabel.= '---';
push @fields, {
value => q{},
text => $tlabel,
};
}
my $sql = "SHOW COLUMNS FROM $table";# TODO not db agnostic
my $table_prefix = $table . q|.|;
my $rows = C4::Context->dbh->selectall_arrayref($sql, { Slice => {} });
for my $row (@{$rows}) {
next if $row->{'Field'} eq 'timestamp'; # this is really an irrelevant field and there may be other common fields that should be excluded from the list
push @fields, {
value => $table_prefix . $row->{Field},
text => $table_prefix . $row->{Field},
}
}
if ($table eq 'borrowers') {
my $attribute_types = Koha::Patron::Attribute::Types->search(
{},
{ order_by => 'code' },
);
while ( my $at = $attribute_types->next ) {
push @fields, {
value => "borrower-attribute:" . $at->code,
text => "attribute:" . $at->code,
}
}
}
return @fields;
}