Jonathan Druart
11bf7e7bef
If an attacker can get an authenticated Koha user to visit their page with the url below, they can change or delete patrons' images /tools/picture-upload.pl?op=Delete&borrowernumber=42 Test plan: 1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42 And confirm that you get a "Wrong CSRF token" error 2/ Go on the patron detail page with a patron's image 3/ Click on the Delete link (note the csrf_token param) 4/ The image will be deleted and you are redirected to the patron detail page. Regression tests: Upload an image from the patron detail page and from the "upload patron images" tool. Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
160 lines
8.9 KiB
Text
160 lines
8.9 KiB
Text
[% INCLUDE 'doc-head-open.inc' %]
|
|
<title>Koha › Tools › Upload patron images</title>
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
<script type="text/javascript">
|
|
$(document).ready(function() {
|
|
$("#zipfile").click(function(){
|
|
$("#cardnum").hide();
|
|
});
|
|
$("#image").click(function(){
|
|
$("#cardnum").show();
|
|
});
|
|
$( "#upload_form" ).validate({
|
|
rules: {
|
|
cardnumber: {
|
|
required: {
|
|
depends: function(element) {
|
|
return $("#image").is(":checked");
|
|
}
|
|
}
|
|
}
|
|
}
|
|
});
|
|
});
|
|
</script>
|
|
</head>
|
|
<body id="tools_picture-upload" class="tools">
|
|
|
|
[% INCLUDE 'header.inc' %]
|
|
[% INCLUDE 'patron-search.inc' %]
|
|
|
|
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> › <a href="/cgi-bin/koha/tools/tools-home.pl">Tools</a> › [% IF ( TOTAL ) %]<a href="/cgi-bin/koha/tools/picture-upload.pl">Upload patron images</a> › Results[% ELSE %]Upload patron images[% END %] </div>
|
|
|
|
<div id="doc3" class="yui-t2">
|
|
<div id="bd">
|
|
<div id="yui-main">
|
|
[% IF ( TOTAL ) %]
|
|
<div class="yui-b">
|
|
[% IF ( ERRORS ) %]
|
|
[% IF ( TCOUNTS ) %]
|
|
<div class="dialog alert">
|
|
<h3>Patron image(s) uploaded with some errors</h3>
|
|
</div>
|
|
[% ELSE %]
|
|
<div class="dialog alert">
|
|
<h3>Patron image failed to upload</h3>
|
|
</div>
|
|
[% END %]
|
|
[% ELSE %]
|
|
<div class="dialog message">
|
|
<h3>Patron image(s) successfully uploaded</h3>
|
|
</div>
|
|
[% END %]
|
|
<ul class="data">
|
|
<li>Unpacking completed</li>
|
|
<li>[% TOTAL %] directories scanned.</li>
|
|
<li>[% HANDLED %] directories processed.</li>
|
|
</ul>
|
|
|
|
[% FOREACH COUNT IN COUNTS %]
|
|
<div class="container">
|
|
<table>
|
|
<caption>Results</caption>
|
|
<thead>
|
|
<tr><th>File name</th><th>Card number</th><th>Result</th></tr>
|
|
</thead>
|
|
<tbody>
|
|
[% IF ( COUNT.TCOUNTS ) %]<li>[% COUNT.TCOUNTS %] image(s) moved into the database:</li>[% END %]
|
|
[% FOREACH filename IN COUNT.filenames %]
|
|
<tr>
|
|
<td>[% filename.source | html %]</td>
|
|
<td><a href="/cgi-bin/koha/circ/circulation.pl?findborrower=[% filename.cardnumber | url %]">[% filename.cardnumber | html %]</a></td>
|
|
<td>
|
|
[% IF ( filename.filerrors ) %]
|
|
[% FOREACH filerror IN filename.filerrors %]
|
|
[% IF ( filerror.DBERR ) %]<b>ERROR:</b> Image not imported because the database returned an error. Please refer to the error log for more details.
|
|
[% ELSIF ( filerror.IMGEXISTS ) %]<b>ERROR:</b> Image not imported because this patron does not exist in the database.
|
|
[% ELSIF ( filerror.MIMERR ) %]<b>ERROR:</b> Image not imported because the image format is unrecognized.
|
|
[% ELSIF ( filerror.CORERR ) %]<b>ERROR:</b> Image not imported because the image file is corrupted.
|
|
[% ELSIF ( filerror.OPNERR ) %]<b>ERROR:</b> Image not imported because Koha was unable to open the image for reading.
|
|
[% ELSIF ( filerror.OVRSIZ ) %]<b>ERROR:</b> Image not imported because the image file is too big (see online help for maximum size).
|
|
[% ELSIF ( filerror.CRDFIL ) %]<b>ERROR:</b> Image not imported ([% filerror.CRDFIL %] missing).
|
|
[% ELSIF ( filerror.CARDNUMBER_DOES_NOT_EXIST ) %]<b>ERROR:</b> Image not imported because this patron does not exist in the database.
|
|
[% ELSE %]<b>ERROR:</b> Image not imported because of an unknown error. Please refer to the error log for more details.
|
|
[% END %]
|
|
[% END %]
|
|
[% ELSE %] imported successfully.
|
|
[% END %]</td>
|
|
</tr>
|
|
[% END %]
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
[% END %]
|
|
<ul>
|
|
[% IF ( borrowernumber ) %]
|
|
<li><a id="member" href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrowernumber %]">Return to patron detail</a></li>
|
|
[% ELSE %]
|
|
<li><a id="uploadmore" href="/cgi-bin/koha/tools/picture-upload.pl">Upload more images</a></li>
|
|
<li><a id="doneupload" href="/cgi-bin/koha/tools/tools-home.pl">Return to tools</a></li>
|
|
[% END %]</ul>
|
|
</div>
|
|
[% ELSE %]
|
|
<div class="yui-b">
|
|
<h1>Upload patron images</h1>
|
|
[% IF ( ERRORS ) %]
|
|
<div class="dialog alert">
|
|
[% FOREACH ERROR IN ERRORS %]
|
|
[% IF ( ERROR.NOTZIP ) %]<li><b>The upload file does not appear to be a zip file. The extension is not '.zip'.</b></li>
|
|
[% ELSIF ( ERROR.NOWRITETEMP ) %]<li><b>This script is not able to create/write to the necessary temporary directory.</b></li>
|
|
[% ELSIF ( ERROR.EMPTYUPLOAD ) %]<li><b>The upload file appears to be empty.</b></li>
|
|
[% ELSIF ( ERROR.OPNLINK ) %]<li><b>Cannot open [% ERROR.OPNLINK %] to read.<br />Please verify that it exists.</b></li>
|
|
[% ELSIF ( ERROR.OPNIMG ) %]<li><b>Cannot open [% ERROR.OPNIMG %] to read.<br />Please verify that it exists.</b></li>
|
|
[% ELSIF ( ERROR.DELERR ) %]<li><b>Unrecognized or missing field delimiter.<br />Please verify that you are using either a single quote or a tab.</b></li>
|
|
[% ELSIF ( ERROR.UZIPFAIL ) %]<li><b>[% ERROR.UZIPFAIL %] failed to unpack.<br />Please verify the integrity of the ZIP file and retry.</b></li>
|
|
[% ELSE %]<li><b>[% ERROR.CORERR %] An unknown error has occurred.<br />Please review the error log for more details.</b></li>[% END %]
|
|
[% END %]
|
|
</div>
|
|
[% END %]
|
|
<form method="post" action="/cgi-bin/koha/tools/picture-upload.pl" enctype="multipart/form-data" id="upload_form">
|
|
<fieldset class="rows">
|
|
<p><b>NOTE:</b> Only PNG, GIF, JPEG, XPM formats are supported.</p>
|
|
<ol class="radio">
|
|
<li>
|
|
<label for="zipfile"><input type="radio" id="zipfile" name="filetype" value="zip" checked="checked" /> Zip file</label></li>
|
|
<li>
|
|
<label for="image">
|
|
[% IF ( filetype == 'image' ) %]<input type="radio" id="image" name="filetype" value="image" checked="checked" />[% ELSE %]<input type="radio" id="image" name="filetype" value="image" />[% END %] Image file</label>
|
|
</li>
|
|
[% IF ( filetype == 'image' ) %]
|
|
<li id="cardnum">
|
|
[% ELSE %]
|
|
<li id="cardnum" style="display: none">
|
|
[% END %]
|
|
<label for="cardnumber">Enter patron cardnumber: </label>
|
|
<input type="text" id="cardnumber" name="cardnumber" value="[% cardnumber %]" size="15" />
|
|
<span class="required">Required</span>
|
|
</li>
|
|
<li class="required">
|
|
<label for="uploadfile">Select the file to upload: </label>
|
|
<input type="file" id="uploadfile" name="uploadfile" class="required" required="required" />
|
|
<span class="required">Required</span>
|
|
</li>
|
|
</ol>
|
|
</fieldset>
|
|
<fieldset class="action">
|
|
<input type="hidden" name="csrf_token" value="[% csrf_token %]" />
|
|
<input type="hidden" name="op" value="Upload" />
|
|
<input type="submit" value="Upload" class="submit" />
|
|
<a href="/cgi-bin/koha/tools/tools-home.pl" class="cancel">Cancel</a>
|
|
</fieldset>
|
|
</form>
|
|
|
|
</div>
|
|
[% END %]
|
|
</div>
|
|
<div class="yui-b noprint">
|
|
[% INCLUDE 'tools-menu.inc' %]
|
|
</div>
|
|
</div>
|
|
[% INCLUDE 'intranet-bottom.inc' %]
|