From 9a76781f9ef0ba997fdaf79d78648a6c41827f03 Mon Sep 17 00:00:00 2001 From: Mark Tompsett Date: Tue, 30 Jan 2018 22:35:39 +0000 Subject: [PATCH] Bug 20083: (follow-up) use same logic in opac-showmarc It was correctly pointed out that opac-showmarc would leak the same way as catalogue/showmarc.pl, and so this patch moves the authentication step up to the top where it should be so as to prevent inappropriate data leaks. TEST PLAN --------- 1) Set your OpacPublic system preference to Disabled 2) Open your OPAC and login 3) Find a biblio with items 4) Go to the opac details, particularly MARC view. 5) Copy the "view plain" shortcut link. 6) log out. 7) Paste the link into the address bar. -- the information will leak! 8) apply the patch 9) restart_all 10) Refresh the OPAC link -- log in screen will appear. 11) run koha qa test tools Signed-off-by: Marcel de Rooy Signed-off-by: Jonathan Druart --- opac/opac-showmarc.pl | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/opac/opac-showmarc.pl b/opac/opac-showmarc.pl index d9f93e6bb4..232eac50a8 100755 --- a/opac/opac-showmarc.pl +++ b/opac/opac-showmarc.pl @@ -34,6 +34,13 @@ use C4::Templates; use Koha::RecordProcessor; my $input = new CGI; +my ( $template, $loggedinuser, $cookie ) = get_template_and_user({ + template_name => "opac-showmarc.tt", + query => $input, + type => "opac", + authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 ), + debug => 1, +}); my $biblionumber = $input->param('id'); $biblionumber = int($biblionumber); my $importid= $input->param('importid'); @@ -71,13 +78,6 @@ if ($view eq 'card' || $view eq 'html') { output_html_with_http_headers $input, undef, Encode::encode_utf8(C4::XSLT::engine->transform($xml, $xsl)); } else { #view eq marc - my ( $template, $loggedinuser, $cookie ) = get_template_and_user({ - template_name => "opac-showmarc.tt", - query => $input, - type => "opac", - authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 ), - debug => 1, - }); $template->param( MARC_FORMATTED => $record->as_formatted ); output_html_with_http_headers $input, $cookie, $template->output; } -- 2.39.5