From c757c2c9c1fe38c8e72f9fdb4f0104c2856f9fde Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Tue, 4 Feb 2014 15:54:33 +0000
Subject: [PATCH] Bug 11666: add permission check for MARC framework import/export
This patch makes the MARC framework import/export script require that the staff user be logged in with appropriate permissions for managing the MARC frameworks.
Signed-off-by: Galen Charlton
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Katrin Fischer
I can confirm the bug and the solution. After applying the patch downloading the file without logging in first is no longer possible. Also passes tests and QA script.
Signed-off-by: Galen Charlton
---
 admin/import_export_framework.pl | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/admin/import_export_framework.pl b/admin/import_export_framework.pl
index 8674ebf619..555eec5e01 100755
--- a/admin/import_export_framework.pl
+++ b/admin/import_export_framework.pl
@@ -21,11 +21,31 @@
 use strict;
 use warnings;
 use CGI;
+use CGI::Cookie;
 use C4::Context;
+use C4::Auth qw/check_cookie_auth/;
 use C4::ImportExportFramework;
+my %cookies = CGI::Cookie->fetch();
+my $authenticated = 0;
+my ($auth_status, $sessionID);
+if (exists $cookies{'CGISESSID'}) {
+ ($auth_status, $sessionID) = check_cookie_auth(
+ $cookies{'CGISESSID'}->value,
+ { parameters => 'parameters_remaining_permissions' },
+ );
+}
+if ($auth_status eq 'ok') {
+ $authenticated = 1;
+}
+
 my $input = new CGI;
+unless ($authenticated) {
+ print $input->header(-type => 'text/plain', -status => '403 Forbidden');
+ exit 0;
+}
+
 my $frameworkcode = $input->param('frameworkcode') || '';
 my $action = $input->param('action') || 'export';
--
2.39.5
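Review bot: `if ($auth_status eq 'ok')` compares an undefined `$auth_status` whenever the request carries no `CGISESSID` cookie, so under `use warnings` every unauthenticated request logs an uninitialized-value warning; the check still fails closed, but a defined test keeps that path clean: `if (defined $auth_status && $auth_status eq 'ok')`. The separate `$authenticated` flag could then go, with the `unless` block testing the status directly. The 403 branch exits without recording anything; a one-line `warn` noting the denied request would give operators something to alert on. The import/export handling that follows is outside the hunk, so whether the state-changing import action also needs a CSRF token in addition to this cookie check cannot be judged from here.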