From dd8d7b1b6fdfb12c1277babd78bc93e01fe7566b Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 24 Jun 2015 11:03:22 +0200
Subject: [PATCH] Bug 14440: get_template_and_user can not have an empty template_name (quote*_ajax.pl)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
This patch uses check_api_auth instead of get_template_and_user. Test plan: Confirm that you are still able to access to the quote editor with the edit_quotes permission. Confirm that you are not if you don't have the permission. wget your_url/cgi-bin/koha/tools/quotes/quotes_ajax.pl should return "403 : Forbidden."
Signed-off-by: Indranil Das Gupta (L2C2 Technologies)
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
(cherry picked from commit 08871a324fa731ffdbbe87afde1ee145c604a22b)
Signed-off-by: Chris Cormack
---
 tools/quotes/quotes-upload_ajax.pl | 16 ++++++----------
 tools/quotes/quotes_ajax.pl | 16 ++++++----------
 2 files changed, 12 insertions(+), 20 deletions(-)
diff --git a/tools/quotes/quotes-upload_ajax.pl b/tools/quotes/quotes-upload_ajax.pl
index 93bbfbeb59..179c645c1a 100755
--- a/tools/quotes/quotes-upload_ajax.pl
+++ b/tools/quotes/quotes-upload_ajax.pl
@@ -32,16 +32,12 @@ use C4::Output;
 my $cgi = new CGI;
 my $dbh = C4::Context->dbh;
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
- {
- template_name => "",
- query => $cgi,
- type => "intranet",
- authnotrequired => 0,
- flagsrequired => { tools => 'edit_quotes' },
- debug => 1,
- }
-);
+my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { tools => 'edit_quotes' } );
+unless ($status eq "ok") {
+ print $cgi->header(-type => 'application/json', -status => '403 Forbidden');
+ print to_json({ auth_status => $status });
+ exit 0;
+}
 my $success = 'true';
diff --git a/tools/quotes/quotes_ajax.pl b/tools/quotes/quotes_ajax.pl
index d08178f913..c4bbae31e2 100755
--- a/tools/quotes/quotes_ajax.pl
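Review bot: In the new auth block the `$cookie` returned by check_api_auth is captured but nothing in the hunk sends it back to the client, whereas the removed get_template_and_user call was the usual source of the cookie handed to the response headers; if the success-path header print later in the file (outside this hunk) does not pass `-cookie => $cookie`, the session is no longer refreshed on these AJAX calls. The identical block is added to tools/quotes/quotes_ajax.pl in the second hunk, so the same check applies there. The 403 branch calls to_json, and the only import visible in the hunk context is `use C4::Output;` — confirm both files already `use JSON;`, otherwise a denied request dies on an undefined subroutine and the client receives a 500 instead of the intended 403. Minor style: `unless ($status eq "ok")` reads more directly as `if ($status ne 'ok')`, and `$sessionID` is unused within the hunk.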
+++ b/tools/quotes/quotes_ajax.pl
@@ -31,16 +31,12 @@
 my $cgi = CGI->new;
 my $dbh = C4::Context->dbh;
 my $sort_columns = ["id", "source", "text", "timestamp"];
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
- {
- template_name => "",
- query => $cgi,
- type => "intranet",
- authnotrequired => 0,
- flagsrequired => { tools => 'edit_quotes' },
- debug => 1,
- }
-);
+my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { tools => 'edit_quotes' } );
+unless ($status eq "ok") {
+ print $cgi->header(-type => 'application/json', -status => '403 Forbidden');
+ print to_json({ auth_status => $status });
+ exit 0;
+}
 # NOTE: This is a collection of ajax functions for use with tools/quotes.pl
--
2.39.5