From a10773dc7775e33a10a31f1b4d1cd9ee0696c73d Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Mon, 14 Oct 2013 22:31:37 +0000
Subject: [PATCH] Bug 10565: (follow-up) add new user permission for patron list management
This patch adds a new user permission for patron list management, tools => manage_patron_lists. This closes a security issue with the original patch series where patron lists and their contents could be retrieved and modified without requiring authentication of any sort.
Signed-off-by: Galen Charlton
---
 .../data/mysql/de-DE/mandatory/userpermissions.sql | 1 +
 installer/data/mysql/en/mandatory/userpermissions.sql | 1 +
 .../data/mysql/es-ES/mandatory/userpermissions.sql | 1 +
 .../data/mysql/fr-FR/1-Obligatoire/userpermissions.sql | 1 +
 .../data/mysql/it-IT/necessari/userpermissions.sql | 1 +
 .../mysql/nb-NO/1-Obligatorisk/userpermissions.sql | 1 +
 .../data/mysql/pl-PL/mandatory/userpermissions.sql | 1 +
 .../ru-RU/mandatory/permissions_and_user_flags.sql | 1 +
 .../uk-UA/mandatory/permissions_and_user_flags.sql | 1 +
 installer/data/mysql/updatedatabase.pl | 5 +++++
 .../intranet-tmpl/prog/en/modules/members/member.tt | 10 ++++++++++
 .../intranet-tmpl/prog/en/modules/tools/tools-home.tt | 2 ++
 patron_lists/add-modify.pl | 3 ++-
 patron_lists/delete.pl | 3 ++-
 patron_lists/list.pl | 3 ++-
 patron_lists/lists.pl | 3 ++-
 patron_lists/patrons.pl | 3 ++-
 17 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/installer/data/mysql/de-DE/mandatory/userpermissions.sql b/installer/data/mysql/de-DE/mandatory/userpermissions.sql
index eb2d48a401..2824c04d58 100644
--- a/installer/data/mysql/de-DE/mandatory/userpermissions.sql
+++ b/installer/data/mysql/de-DE/mandatory/userpermissions.sql
@@ -43,6 +43,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (13, 'moderate_tags', 'Von Benutzern vergebene Tags moderieren'),
 (13, 'rotating_collections', 'Wandernde Sammlungen verwalten'),
 (13, 'upload_local_cover_images', 'Eigene Coverbilder hochladen'),
+ (13, 'manage_patron_lists', 'Add, edit and delete patron lists and their contents'),
 (15, 'check_expiration', 'Ablauf eines Abonnements prüfen'),
 (15, 'claim_serials', 'Fehlende Hefte reklamieren'),
 (15, 'create_subscription', 'Neues Abonnement anlegen'),
diff --git a/installer/data/mysql/en/mandatory/userpermissions.sql b/installer/data/mysql/en/mandatory/userpermissions.sql
index 4fa2a7ab59..d2593f5dc6 100644
--- a/installer/data/mysql/en/mandatory/userpermissions.sql
+++ b/installer/data/mysql/en/mandatory/userpermissions.sql
@@ -43,6 +43,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (13, 'moderate_tags', 'Moderate patron tags'),
 (13, 'rotating_collections', 'Manage rotating collections'),
 (13, 'upload_local_cover_images', 'Upload local cover images'),
+ (13, 'manage_patron_lists', 'Add, edit and delete patron lists and their contents'),
 (15, 'check_expiration', 'Check the expiration of a serial'),
 (15, 'claim_serials', 'Claim missing serials'),
 (15, 'create_subscription', 'Create a new subscription'),
diff --git a/installer/data/mysql/es-ES/mandatory/userpermissions.sql b/installer/data/mysql/es-ES/mandatory/userpermissions.sql
index 4fa2a7ab59..d2593f5dc6 100644
--- a/installer/data/mysql/es-ES/mandatory/userpermissions.sql
+++ b/installer/data/mysql/es-ES/mandatory/userpermissions.sql
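Review bot: The added `manage_patron_lists` row in the de-DE file carries the English description `'Add, edit and delete patron lists and their contents'` while every neighbouring row in the hunk is German; the fr-FR, it-IT and nb-NO hunks have the same mismatch. These files appear to be the install-time seed for the `permissions` table, so the English text would become the permission's label for those language installs until someone re-edits the row. A localized description, e.g. `(13, 'manage_patron_lists', 'Benutzerlisten und deren Inhalte anlegen, bearbeiten und löschen'),` (constructed wording, to be checked by a German speaker), or at least a `-- TODO: translate` marker on the row, would keep each seed consistent with its siblings. The `INSERT ... VALUES` statement itself starts and ends outside the hunk.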
@@ -43,6 +43,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (13, 'moderate_tags', 'Moderate patron tags'),
 (13, 'rotating_collections', 'Manage rotating collections'),
 (13, 'upload_local_cover_images', 'Upload local cover images'),
+ (13, 'manage_patron_lists', 'Add, edit and delete patron lists and their contents'),
 (15, 'check_expiration', 'Check the expiration of a serial'),
 (15, 'claim_serials', 'Claim missing serials'),
 (15, 'create_subscription', 'Create a new subscription'),
diff --git a/installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.sql b/installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.sql
index 355ee271e5..ca75ee2e66 100644
--- a/installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.sql
+++ b/installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.sql
@@ -43,6 +43,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (13, 'items_batchmod', 'Modifier les exemplaires par lot'),
 (13, 'items_batchdel', 'Supprimer les exemplaires par lot'),
 (13, 'upload_local_cover_images', 'Téléchargement des images de couverture'),
+ (13, 'manage_patron_lists', 'Add, edit and delete patron lists and their contents'),
 (15, 'check_expiration', 'Contrôler l''expiration d''un périodique'),
 (15, 'claim_serials', 'Réclamer les périodiques manquants'),
 (15, 'create_subscription', 'Créer de nouveaux abonnements'),
diff --git a/installer/data/mysql/it-IT/necessari/userpermissions.sql b/installer/data/mysql/it-IT/necessari/userpermissions.sql
index 35f542250e..8016fb61a6 100644
--- a/installer/data/mysql/it-IT/necessari/userpermissions.sql
+++ b/installer/data/mysql/it-IT/necessari/userpermissions.sql
@@ -45,6 +45,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (13, 'moderate_tags', 'Modera i tag inseriti dagli utenti'),
 (13, 'rotating_collections', 'Gestisci le collezioni circolanti (rotating collections)'),
 (13, 'upload_local_cover_images', 'Carica copertine in locale'),
+ (13, 'manage_patron_lists', 'Add, edit and delete patron lists and their contents'),
 (15, 'check_expiration', 'Controlla la scadenza di una risora in continuazione'),
 (15, 'claim_serials', 'Richiedi i fascicoli non arrivati'),
 (15, 'create_subscription', 'Crea un nuovo abbonamento'),
diff --git a/installer/data/mysql/nb-NO/1-Obligatorisk/userpermissions.sql b/installer/data/mysql/nb-NO/1-Obligatorisk/userpermissions.sql
index 5909490181..85214627ff 100644
--- a/installer/data/mysql/nb-NO/1-Obligatorisk/userpermissions.sql
+++ b/installer/data/mysql/nb-NO/1-Obligatorisk/userpermissions.sql
@@ -63,6 +63,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (13, 'moderate_tags', 'Behandle tagger fra lånere'),
 (13, 'rotating_collections', 'Administrere roterende samlinger'),
 (13, 'upload_local_cover_images', 'Laste opp lokale omslagsbilder'),
+ (13, 'manage_patron_lists', 'Add, edit and delete patron lists and their contents'),
 (15, 'check_expiration', 'Sjekke utløpsdato for et periodikum'),
 (15, 'claim_serials', 'Purre manglende tidsskrifthefter'),
 (15, 'create_subscription', 'Opprette abonnementer'),
diff --git a/installer/data/mysql/pl-PL/mandatory/userpermissions.sql b/installer/data/mysql/pl-PL/mandatory/userpermissions.sql
index 8428910aa7..4fd2adffcc 100644
--- a/installer/data/mysql/pl-PL/mandatory/userpermissions.sql
+++ b/installer/data/mysql/pl-PL/mandatory/userpermissions.sql
@@ -44,6 +44,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (16, 'execute_reports', 'Execute SQL reports'),
 (13, 'rotating_collections', 'Manage rotating collections'),
 (13, 'upload_local_cover_images', 'Upload local cover images'),
+ (13, 'manage_patron_lists', 'Add, edit and delete patron lists and their contents'),
 (15, 'check_expiration', 'Check the expiration of a serial'),
 (15, 'claim_serials', 'Claim missing serials'),
 (15, 'create_subscription', 'Create a new subscription'),
diff --git a/installer/data/mysql/ru-RU/mandatory/permissions_and_user_flags.sql b/installer/data/mysql/ru-RU/mandatory/permissions_and_user_flags.sql
index 046e87bc89..fea6538850 100644
--- a/installer/data/mysql/ru-RU/mandatory/permissions_and_user_flags.sql
+++ b/installer/data/mysql/ru-RU/mandatory/permissions_and_user_flags.sql
@@ -69,6 +69,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (13, 'moderate_tags', 'Moderate patron tags'),
 (13, 'rotating_collections', 'Manage rotating collections'),
 (13, 'upload_local_cover_images', 'Upload local cover images'),
+ (13, 'manage_patron_lists', 'Add, edit and delete patron lists and their contents'),
 (15, 'check_expiration', 'Check the expiration of a serial'),
 (15, 'claim_serials', 'Claim missing serials'),
 (15, 'create_subscription', 'Create a new subscription'),
diff --git a/installer/data/mysql/uk-UA/mandatory/permissions_and_user_flags.sql b/installer/data/mysql/uk-UA/mandatory/permissions_and_user_flags.sql
index 92e9338baf..b8e809810c 100644
--- a/installer/data/mysql/uk-UA/mandatory/permissions_and_user_flags.sql
+++ b/installer/data/mysql/uk-UA/mandatory/permissions_and_user_flags.sql
@@ -69,6 +69,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (13, 'moderate_tags', 'Moderate patron tags'),
 (13, 'rotating_collections', 'Manage rotating collections'),
 (13, 'upload_local_cover_images', 'Upload local cover images'),
+ (13, 'manage_patron_lists', 'Add, edit and delete patron lists and their contents'),
 (15, 'check_expiration', 'Check the expiration of a serial'),
 (15, 'claim_serials', 'Claim missing serials'),
 (15, 'create_subscription', 'Create a new subscription'),
diff --git a/installer/data/mysql/updatedatabase.pl b/installer/data/mysql/updatedatabase.pl
index 128dde6e43..9f57eff0bc 100755
--- a/installer/data/mysql/updatedatabase.pl
+++ b/installer/data/mysql/updatedatabase.pl
@@ -7297,6 +7297,11 @@ if ( CheckVersion($DBversion) ) { ADD CONSTRAINT patron_list_patrons_ibfk_2 FOREIGN KEY (borrowernumber) REFERENCES borrowers (borrowernumber) ON DELETE CASCADE ON UPDATE CASCADE; }); + $dbh->do(q{ + INSERT INTO permissions (module_bit, code, description) VALUES + (13, 'manage_patron_lists', 'Add, edit and delete patron lists and their contents') + }); + print "Upgrade to $DBversion done (Bug 10565 - Add a 'Patron List' feature for storing and manipulating collections of patrons)\n"; SetVersion($DBversion); }
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
index cefbfd521d..7f64554c02 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member.tt
@@ -110,10 +110,13 @@ function CheckForm() { [% END %] [% IF ( resultsloop ) %] + [% IF (CAN_user_tools_manage_patron_lists) %]
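Review bot: The added `INSERT INTO permissions` is placed inside the already-existing `CheckVersion($DBversion)` step for Bug 10565 instead of a new version step, so any installation that has already run that step would never receive the `manage_patron_lists` row, leaving the new `flagsrequired` gate in the patron_lists scripts with no grantable permission behind it; if that step has shipped anywhere, the row belongs in a fresh `$DBversion` step. The statement is also not re-runnable: if `permissions` is keyed on `(module_bit, code)`, as the seed files suggest, a second execution fails with a duplicate-key error, whereas `INSERT IGNORE INTO permissions (module_bit, code, description) VALUES` would make the step idempotent, which is acceptable given this file targets MySQL only. The enclosing `if ( CheckVersion($DBversion) )` block starts before the hunk.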
+ [% END %]

Results [% from %] to [% to %] of [% numresults %] found for [% IF ( member ) %]'[% member %]'[% END %][% IF ( surname ) %]'[% surname %]'[% END %]

+ [% IF (CAN_user_tools_manage_patron_lists) %]
Select all | @@ -149,13 +152,16 @@ function CheckForm() {
+ [% END %]
+ [% IF (CAN_user_tools_manage_patron_lists) %] + [% END %] @@ -178,7 +184,9 @@ function CheckForm() { [% END %] [% END %] + [% IF (CAN_user_tools_manage_patron_lists) %] + [% END %]
 Card Name Cat
[% resultsloo.cardnumber %] @@ -206,7 +214,9 @@ function CheckForm() {
[% IF ( multipage ) %][% paginationbar %][% END %]
+ [% IF (CAN_user_tools_manage_patron_lists) %]
+ [% END %] [% ELSE %] [% IF ( searching ) %]
No results found
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/tools-home.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/tools-home.tt
index b72be1e53c..7df30ec895 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/tools/tools-home.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/tools/tools-home.tt
@@ -15,8 +15,10 @@

Patrons and circulation

+ [% IF (CAN_user_tools_manage_patron_lists) %]
Patron lists
Manage lists of patrons.
+ [% END %] [% IF ( CAN_user_tools_moderate_comments ) %]
Comments [% IF ( pendingcomments ) %][% pendingcomments %][% END %]
diff --git a/patron_lists/add-modify.pl b/patron_lists/add-modify.pl
index 5eb2281cc4..b5cafb2ea0 100755
--- a/patron_lists/add-modify.pl
+++ b/patron_lists/add-modify.pl
@@ -32,7 +32,8 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 template_name => "patron_lists/add-modify.tt",
 query => $cgi,
 type => "intranet",
- authnotrequired => 1,
+ authnotrequired => 0,
+ flagsrequired => { tools => 'manage_patron_lists' },
 } );
diff --git a/patron_lists/delete.pl b/patron_lists/delete.pl
index 3c3d9b988c..aa515c28d5 100755
--- a/patron_lists/delete.pl
+++ b/patron_lists/delete.pl
@@ -32,7 +32,8 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 template_name => "patron_lists/lists.tt",
 query => $cgi,
 type => "intranet",
- authnotrequired => 1,
+ authnotrequired => 0,
+ flagsrequired => { tools => 'manage_patron_lists' },
 } );
diff --git a/patron_lists/list.pl b/patron_lists/list.pl
index 217c78c720..a1dee24a2f 100755
--- a/patron_lists/list.pl
+++ b/patron_lists/list.pl
@@ -32,7 +32,8 @@ my ( $template, $logged_in_user, $cookie ) = get_template_and_user(
 template_name => "patron_lists/list.tt",
 query => $cgi,
 type => "intranet",
- authnotrequired => 1,
+ authnotrequired => 0,
+ flagsrequired => { tools => 'manage_patron_lists' },
 } );
diff --git a/patron_lists/lists.pl b/patron_lists/lists.pl
index 488ff98112..457520fbde 100755
--- a/patron_lists/lists.pl
+++ b/patron_lists/lists.pl
@@ -32,7 +32,8 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 template_name => "patron_lists/lists.tt",
 query => $cgi,
 type => "intranet",
- authnotrequired => 1,
+ authnotrequired => 0,
+ flagsrequired => { tools => 'manage_patron_lists' },
 } );
diff --git a/patron_lists/patrons.pl b/patron_lists/patrons.pl
index 37a5922153..6e38ca1dcb 100755
--- a/patron_lists/patrons.pl
+++ b/patron_lists/patrons.pl
@@ -32,7 +32,8 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 template_name => "patron_lists/add-modify.tt",
 query => $cgi,
 type => "intranet",
- authnotrequired => 1,
+ authnotrequired => 0,
+ flagsrequired => { tools => 'manage_patron_lists' },
 } );
-- 
2.20.1