From b849a0ab4e3b24be86acf03278b95777a0b1f025 Mon Sep 17 00:00:00 2001 From: Petro Vashchuk Date: Tue, 10 Aug 2021 18:08:53 +0300 Subject: [PATCH] Bug 28759: limit accessibility for "Manage API keys" This patch limits the accessibility for "Manage API keys" section only to superlibrarians and the owner of that said API key account. The way it does it is by checking if user is superlibrarian or if logged-in user is the same as a patron id/borrower number is the same as logged-in user number both in template and apikeys.pl and making sure the link is inaccessible or redirects to the 403 page if user tries to go there directly. To reproduce: 1) create/pick existing patron, set Staff access, allows viewing of catalogue in staff interface (catalogue)" and "Add, modify and iew patron information (borrowers)" permissions on; 2) enable "RESTOAuth2ClientCredentials" in sysprefs; 3) login with that user into staff interface; 4) check any other patron, go to the "More"->"Manage API keys" and check that you can see, add delete their API keys; 5) apply patch; 6) with that same user try to access "Manage API keys" page again. Ensure that you can't access that page of other patrons but can access your own page and manage your own API keys. 7) log in with superlibrarian now and ensure that you can access every "Manage API keys" page of every patron and apply changes there. Signed-off-by: Tomas Cohen Arazi Signed-off-by: Martin Renvoize Signed-off-by: Wainui Witika-Park --- .../intranet-tmpl/prog/en/includes/members-toolbar.inc | 2 +- members/apikeys.pl | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/members-toolbar.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/members-toolbar.inc index f343eaf107..750a4e568a 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/members-toolbar.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/members-toolbar.inc @@ -57,7 +57,7 @@ [% END %] [% IF Koha.Preference('RESTOAuth2ClientCredentials') %] - [% IF CAN_user_borrowers_edit_borrowers %] + [% IF CAN_user_superlibrarian OR loggedinusernumber == patron.borrowernumber %]
  • Manage API keys
    • [% ELSE %]
  • Manage API keys
    • diff --git a/members/apikeys.pl b/members/apikeys.pl index 619fc30b8a..54addd37e1 100755 --- a/members/apikeys.pl +++ b/members/apikeys.pl @@ -52,6 +52,12 @@ if ( not defined $patron or exit; } +if( $patron_id != $loggedinuser && !C4::Context->IsSuperLibrarian() ) { + # not the owner of the account viewing/editing own API keys, nor superlibrarian -> exit + print $cgi->redirect("/cgi-bin/koha/errors/403.pl"); # escape early + exit; +} + my $op = $cgi->param('op') // ''; if ( $op eq 'generate' or -- 2.39.5