1 #!/usr/bin/perl
2
3 # Copyright 2017 PTFS-Europe Ltd
4 #
5 # This file is part of Koha.
6 #
7 # Koha is free software; you can redistribute it and/or modify it
8 # under the terms of the GNU General Public License as published by
9 # the Free Software Foundation; either version 3 of the License, or
10 # (at your option) any later version.
11 #
12 # Koha is distributed in the hope that it will be useful, but
13 # WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
16 #
17 # You should have received a copy of the GNU General Public License
18 # along with Koha; if not, see <http://www.gnu.org/licenses>.
19
20 use Modern::Perl;
21
22 use JSON qw( encode_json );
23
24 use CGI qw ( -utf8 );
25 use C4::Auth;
26 use C4::Koha;
27 use C4::Output;
28
29 use Koha::Illrequest::Config;
30 use Koha::Illrequests;
31 use Koha::Libraries;
32 use Koha::Patrons;
33 use Koha::Illrequest::Availability;
34
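my $query = CGI->new;

# Grab all passed data
# 'our' since Plack changes the scoping
# of 'my'
our $params = $query->Vars();

# if illrequests is disabled, leave immediately
if ( ! C4::Context->preference('ILLModule') ) {
    print $query->redirect("/cgi-bin/koha/errors/404.pl");
    exit;
}

my ( $template, $loggedinuser, $cookie ) = get_template_and_user({
    template_name   => "opac-illrequests.tt",
    query           => $query,
    type            => "opac",
});

# Are we able to actually work?
# ILLOpacbackends narrows the set of backends OPAC users may use; $backends
# is that (possibly reduced) list and is the only list this script should
# ever show to, or accept from, the patron.
my $reduced  = C4::Context->preference('ILLOpacbackends');
my $backends = Koha::Illrequest::Config->new->available_backends($reduced);
my $backends_available = ( scalar @{$backends} > 0 );
$template->param( backends_available => $backends_available );

# Look up one of the logged-in patron's own requests by the illrequest_id
# query parameter. Scoping the lookup by borrowernumber is what stops a
# patron viewing or editing somebody else's request, so every per-request
# operation below goes through here. Redirects to 404 and exits when the id
# is missing, not an integer, or not one of the patron's requests; the
# original code would instead die on an undef $request in 'update'/'cancreq'.
# An anonymous sub is used deliberately: a named sub closing over the
# lexicals above would not stay shared under Plack (see the note on $params).
my $find_own_request = sub {
    my $id = $params->{illrequest_id};
    my $request;
    if ( defined $id && $id =~ m/\A\d+\z/ ) {
        $request = Koha::Illrequests->find({
            borrowernumber => $loggedinuser,
            illrequest_id  => $id,
        });
    }
    unless ($request) {
        print $query->redirect("/cgi-bin/koha/errors/404.pl");
        exit;
    }
    return $request;
};

my $op = $params->{'method'} || 'list';

if ( $op eq 'list' ) {

    # All of this patron's requests plus the OPAC-visible backend list.
    my $requests = Koha::Illrequests->search(
        { borrowernumber => $loggedinuser }
    );
    $template->param(
        requests => $requests,
        backends => $backends
    );

} elsif ( $op eq 'view') {
    $template->param(
        request => $find_own_request->()
    );

} elsif ( $op eq 'update') {
    # NOTE(review): this writes to the request on a plain GET with no CSRF
    # token; the borrowernumber scoping limits the effect to the victim's own
    # notes, but a token check should be added once the OPAC provides one.
    my $request = $find_own_request->();
    $request->notesopac($params->{notesopac})->store;
    # Redirect using the id of the record we actually found rather than
    # echoing the raw query parameter back into a URL.
    print $query->redirect(
        '/cgi-bin/koha/opac-illrequests.pl?method=view&illrequest_id=' .
        $request->illrequest_id .
        '&message=1'
    );
    exit;
} elsif ( $op eq 'cancreq') {
    # NOTE(review): same as 'update' — a state change on GET with no CSRF
    # token; a patron can be tricked into cancelling their own request.
    my $request = $find_own_request->();
    $request->status('CANCREQ')->store;
    print $query->redirect(
        '/cgi-bin/koha/opac-illrequests.pl?method=view&illrequest_id=' .
        $request->illrequest_id .
        '&message=1'
    );
    exit;
} elsif ( $op eq 'create' ) {
    if (!$params->{backend}) {
        # Offer only the backends ILLOpacbackends allows, the same list used
        # by 'list' and enforced below (the original offered the unreduced
        # list here, so the form and the check disagreed).
        $template->param(
            backends    => $backends
        );
    } else {
        # The backend name comes straight from the request and is handed to
        # load_backend(), so accept only names from our own reduced list.
        # Assumes available_backends() returns plain backend-name strings,
        # which is how the template is given them — confirm if that changes.
        my $backend = $params->{backend};
        unless ( grep { $_ eq $backend } @{$backends} ) {
            print $query->redirect("/cgi-bin/koha/errors/404.pl");
            exit;
        }
        my $request = Koha::Illrequest->new
            ->load_backend($backend);

        # Does this backend enable us to insert an availability stage and should
        # we? If not, proceed as normal.
        if (
            C4::Context->preference("ILLCheckAvailability") &&
            $request->_backend_capability(
                'should_display_availability',
                $params
            ) &&
            # If the user has elected to continue with the request despite
            # having viewed availability info, this flag will be set
            !$params->{checked_availability}
        ) {
            # Establish which of the installed availability providers
            # can service our metadata, if so, jump in
            my $availability = Koha::Illrequest::Availability->new($params);
            my $services = $availability->get_services({
                ui_context => 'opac'
            });
            if (scalar @{$services} > 0) {
                # Modify our method so we use the correct part of the
                # template
                $op = 'availability';
                # Prepare the metadata we're sending them
                my $metadata = $availability->prep_metadata($params);
                $template->param(
                    metadata        => $metadata,
                    services_json   => encode_json($services),
                    services        => $services,
                    illrequestsview => 1,
                    message         => $params->{message},
                    method          => $op,
                    whole           => $params
                );
                output_html_with_http_headers $query, $cookie,
                    $template->output, undef, { force_no_caching => 1 };
                exit;
            }
        }

        # The backend is told who is asking (by cardnumber) and that the
        # request originates from the OPAC.
        $params->{cardnumber} = Koha::Patrons->find({
            borrowernumber => $loggedinuser
        })->cardnumber;
        $params->{opac} = 1;
        my $backend_result = $request->backend_create($params);
        if ($backend_result->{stage} eq 'copyrightclearance') {
            $template->param(
                stage       => $backend_result->{stage},
                whole       => $backend_result
            );
        } else {
            $template->param(
                types       => [ "Book", "Article", "Journal" ],
                branches    => Koha::Libraries->search->unblessed,
                whole       => $backend_result,
                request     => $request
            );
            if ($backend_result->{stage} eq 'commit') {
                print $query->redirect('/cgi-bin/koha/opac-illrequests.pl?message=2');
                exit;
            }
        }

    }
}

$template->param(
    message         => $params->{message},
    illrequestsview => 1,
    method          => $op
);

# Responses carry per-patron data, so never let a shared cache keep them.
output_html_with_http_headers $query, $cookie, $template->output, undef, { force_no_caching => 1 };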