From 57f28f9ee44a6c8f19dc1411971a7ca397557acd Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 19 Apr 2017 14:09:12 -0300
Subject: [PATCH] Bug 7550: SCO - Restrict access of patron's image
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

With this patch if SelfCheckoutByLogin is set to 'username and password', only the logged in user will be able to see the image linked to his/her logged in account. If set to "barcode" we generate a token but it can be easily generated. You should add a warning in the about page if SelfCheckoutByLogin="barcode" and ShowPatronImageInWebBasedSelfCheck="Show".

How I tested:
- Go to SCO
- Log
- Enable self checkout, go to [Your Server]//cgi-bin/koha/sco/sco-main.pl
- Log in with a user 'A' who has a patron image
- Copy the address of the patron image into an other browser window
- Change the borrowernumber to on of an other user 'B' having a patron image
- Verify that the patron image is NOT displayed

Signed-off-by: Marc Véron
Signed-off-by: Marcel de Rooy
Signed-off-by: Kyle M Hall
---
 .../bootstrap/en/modules/sco/sco-main.tt |  2 +-
 opac/sco/sco-main.pl                     |  3 ++-
 opac/sco/sco-patron-image.pl             | 22 ++++++++++++++++++-
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
index a2ed9c4d43..f7fae7bb54 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
@@ -204,7 +204,7 @@ [% IF ( display_patron_image ) %]
- +
[% END %]
diff --git a/opac/sco/sco-main.pl b/opac/sco/sco-main.pl
index 6518c31eaf..4153277fdb 100755
--- a/opac/sco/sco-main.pl
+++ b/opac/sco/sco-main.pl
@@ -34,7 +34,6 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
-use Digest::MD5 qw(md5_base64);
 use C4::Auth qw(get_template_and_user checkpw);
 use C4::Koha;
@@ -48,6 +47,7 @@ use Koha::DateUtils qw( dt_from_string );
 use Koha::Acquisition::Currencies;
 use Koha::Patron::Images;
 use Koha::Patron::Messages;
+use Koha::Token;
 my $query = new CGI;
@@ -302,6 +302,7 @@ if ($borrower->{cardnumber}) {
         $template->param(
             display_patron_image => 1,
             cardnumber => $borrower->{cardnumber},
+            csrf_token => Koha::Token->new->generate_csrf( { session_id => scalar $query->cookie('CGISESSID') . $borrower->{cardnumber}, id => $borrower->{userid}} ),
         ) if $patron_image;
     }
 } else {
diff --git a/opac/sco/sco-patron-image.pl b/opac/sco/sco-patron-image.pl
index e76620be7d..dc6fbc871a 100755
--- a/opac/sco/sco-patron-image.pl
+++ b/opac/sco/sco-patron-image.pl
@@ -22,6 +22,8 @@ use warnings;
 use C4::Service;
 use C4::Members;
 use Koha::Patron::Images;
+use Koha::Patrons;
+use Koha::Token;
 my ($query, $response) = C4::Service->init(circulate => 'self_checkout');
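Review bot: The `session_id` expression `scalar $query->cookie('CGISESSID') . $borrower->{cardnumber}` in the `$template->param(` hunk reads as if `scalar` applied only to the cookie call, but `scalar` is a named unary operator and binds looser than `.`, so it wraps the whole concatenation; the result is the same here because `.` already evaluates both operands in scalar context, but the intent is clearer as `session_id => scalar( $query->cookie('CGISESSID') ) . $borrower->{cardnumber},`. The same expression is repeated in opac/sco/sco-patron-image.pl and the two must stay byte-identical for `check_csrf` to ever succeed, so a comment such as `# must match the session_id built in sco-patron-image.pl` on this line would guard against one side being edited alone. The added line is also far over 80 columns; splitting the hash argument over several lines, as the verifying side already does, would help.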
@@ -35,10 +37,28 @@ unless (C4::Context->preference('ShowPatronImageInWebBasedSelfCheck')) {
 }
 my ($borrowernumber) = C4::Service->require_params('borrowernumber');
+my ($csrf_token) = C4::Service->require_params('csrf_token');
-my $patron_image = Koha::Patron::Images->find($borrowernumber);
+my $patron = Koha::Patrons->find( $borrowernumber );
+my $patron_image = $patron->image;
 if ($patron_image) {
+
+    unless (
+        Koha::Token->new->check_csrf(
+            {
+                session_id => scalar $query->cookie('CGISESSID')
+                  . $patron->cardnumber,
+                id => $patron->userid,
+                token => $csrf_token,
+            }
+        )
+      )
+    {
+
+        print $query->header(-type => 'text/plain', -status => '403 Forbidden');
+        exit;
+    }
     print $query->header(
         -type => $patron_image->mimetype,
         -Content_Length => length( $patron_image->imagefile )
--
2.39.5
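Review bot: `Koha::Patrons->find( $borrowernumber )` can return undef for a borrowernumber that does not exist, and the next added line then calls `$patron->image` on undef and dies, turning a bad request into a 500 where the replaced `Koha::Patron::Images->find` simply yielded no image. The token check also runs only inside `if ($patron_image)`, so a caller without a valid token still learns from the response whether a given borrowernumber has an image (403) or not (whatever the branch outside the hunk returns); checking the patron and the token before any image lookup keeps the answer uniform. The rewrite below does that and moves the image fetch after the guard; the rest of the `if ($patron_image)` block continues outside the hunk.
```perl
my ($csrf_token) = C4::Service->require_params('csrf_token');

my $patron = Koha::Patrons->find( $borrowernumber );

# Refuse before looking at the image: an unknown borrowernumber must not be
# distinguishable from a bad token, and $patron->image would die on undef.
unless (
    $patron
    && Koha::Token->new->check_csrf(
        {
            session_id => scalar $query->cookie('CGISESSID')
              . $patron->cardnumber,
            id    => $patron->userid,
            token => $csrf_token,
        }
    )
  )
{
    print $query->header(-type => 'text/plain', -status => '403 Forbidden');
    exit;
}

my $patron_image = $patron->image;
if ($patron_image) {
    # … unchanged: image headers and body output …
```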