From 72fa33490b71d91658c32493c687b1c5a37dc1df Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Tue, 8 Feb 2022 12:12:22 +0100 Subject: [PATCH] Bug 30045: (bug 29543 follow-up) Fix SCO print slip Certainly since bug 29543 and bug 29914. We should do the same authentication check than sco-main.pl, and also make sure to generate the checkout history only for the logged in patron (the OPAC one, not staff member) Test plan: Use the different combinations of the SCO config (AutoSelfCheckAllowed, SelfCheckoutByLogin and WebBasedSelfCheck) and confirm that this patch fixes the SCO print slip feature. Signed-off-by: Marcel de Rooy Signed-off-by: Fridolin Somers Signed-off-by: Kyle M Hall --- .../bootstrap/en/modules/sco/sco-main.tt | 2 +- opac/sco/printslip.pl | 43 ++++++++++++++----- 2 files changed, 34 insertions(+), 11 deletions(-) diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt index 79ed8fa536..54fbe8c62b 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt @@ -521,7 +521,7 @@ var confirmStart = Date.now(); confirmModal("", _("Would you like to print a receipt?"), _("Print receipt and end session"), _("End session"), function(result) { if ( result && (Date.now() - confirmStart) < [% SelfCheckTimeout | html %] ) { - var win = window.open("/cgi-bin/koha/sco/printslip.pl?borrowernumber=[% borrowernumber | html %]&print=qslip"); + var win = window.open("/cgi-bin/koha/sco/printslip.pl?print=qslip"); location.href = '/cgi-bin/koha/sco/sco-main.pl?op=logout'; } else { location.href = '/cgi-bin/koha/sco/sco-main.pl?op=logout'; diff --git a/opac/sco/printslip.pl b/opac/sco/printslip.pl index a2564f1307..ae0f58314a 100755 --- a/opac/sco/printslip.pl +++ b/opac/sco/printslip.pl 
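Review bot: The receipt popup and the logout navigation are still fired back to back in the `result` branch, yet after this commit printslip.pl identifies the patron only from the `JWT` cookie, not from the `borrowernumber` query parameter. If the `op=logout` handler in sco-main.pl clears that cookie (not visible in this patch), the slip request can race the logout and come back as the new 403. It is worth confirming that the ordering holds in the supported browsers, or deferring the logout until the popup has loaded. A comment such as `// printslip.pl reads the patron from the JWT cookie; logout must not clear it before the slip request is sent` would record the dependency. The enclosing callback starts and ends outside the hunk.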
@@ -33,38 +33,61 @@ use C4::Auth qw( in_iprange get_session get_template_and_user ); use C4::Output qw( output_html_with_http_headers ); use C4::Members qw( IssueSlip ); + my $input = CGI->new; -unless ( in_iprange(C4::Context->preference('SelfCheckAllowByIPRanges')) ) { - print $input->header(status => '403 Forbidden - functionality not available from your location'); +unless (C4::Context->preference('WebBasedSelfCheck')) { + # redirect to OPAC home if self-check is not enabled + print $input->redirect("/cgi-bin/koha/opac-main.pl"); exit; } -my $sessionID = $input->cookie("CGISESSID"); -my $session = get_session($sessionID); +unless ( in_iprange(C4::Context->preference('SelfCheckAllowByIPRanges')) ) { + # redirect to OPAC home if self-checkout not permitted from current IP + print $input->redirect("/cgi-bin/koha/opac-main.pl"); + exit; +} -my $print = $input->param('print'); -my $error = $input->param('error'); +if (C4::Context->preference('AutoSelfCheckAllowed')) +{ + my $AutoSelfCheckID = C4::Context->preference('AutoSelfCheckID'); + my $AutoSelfCheckPass = C4::Context->preference('AutoSelfCheckPass'); + $input->param(-name=>'userid',-values=>[$AutoSelfCheckID]); + $input->param(-name=>'password',-values=>[$AutoSelfCheckPass]); + $input->param(-name=>'koha_login_context',-values=>['sco']); +} +$input->param(-name=>'sco_user_login',-values=>[1]); # patrons still need to be able to print receipts my ( $template, $loggedinuser, $cookie ) = get_template_and_user( { template_name => "sco/printslip.tt", + flagsrequired => { self_check => "self_checkout_module" }, query => $input, type => "opac", } ); -my $borrowernumber = $input->param('borrowernumber'); -my $branch=C4::Context->userenv->{'branch'}; +my $jwt = $input->cookie('JWT'); +my $patronid = $jwt ? Koha::Token->new->decode_jwt({ token => $jwt }) : undef; +my $patron = $patronid ? 
Koha::Patrons->find( { cardnumber => $patronid } ) : undef; + +unless ( $patron ) { + print $input->header(-type => 'text/plain', -status => '403 Forbidden'); + exit; +} + +my $print = $input->param('print'); +my $error = $input->param('error'); + my ($slip, $is_html); -if (my $letter = IssueSlip ($session->param('branch') || $branch, $borrowernumber, $print eq "qslip")) { +if (my $letter = IssueSlip ($patron->branchcode, $patron->borrowernumber, $print eq "qslip")) { $slip = $letter->{content}; $is_html = $letter->{is_html}; } $template->{VARS}->{slip} = $slip; $template->{VARS}->{plain} = !$is_html; -$template->{VARS}->{borrowernumber} = $borrowernumber; +$template->{VARS}->{borrowernumber} = $patron->borrowernumber; $template->{VARS}->{stylesheet} = C4::Context->preference("SlipCSS"); $template->{VARS}->{error} = $error; -- 2.39.5
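Review bot: The new patron lookup calls `Koha::Token->new->decode_jwt` and `Koha::Patrons->find`, but the `use` lines visible at the top of this hunk load only C4::Auth, C4::Output and C4::Members, and the import list still names `get_session` although the `$session` lookup is removed. Lines 1–32 are outside the hunk, so the modules may already be loaded there or transitively; if not, add `use Koha::Token;` and `use Koha::Patrons;` so the access check does not depend on incidental loading, and drop `get_session` from the `C4::Auth` list. Separately, the `unless ( $patron )` branch is now the only thing binding the slip to the kiosk patron, so a short comment stating that a missing, undecodable or unknown `JWT` must end in the 403 would help; the hunk does not show whether `decode_jwt` returns false or raises on a tampered token. `$print` can also be undef when the parameter is absent, so `($print // '') eq "qslip"` avoids an uninitialized-value warning.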