From cee2cf9ff927504f9c24f6519462a7d702c5c27d Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Tue, 4 Apr 2017 18:48:45 -0300 Subject: [PATCH] Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos Test plan: Login with a patron that is not allowed to see patron's information for patrons outside of his group. Try to access patron's information from scripts of the patron module (members/*) and circ/circulation.pl. You should be able to access patron's information of patrons outside of your group and get "You are not allowed to see the information of this patron." If you try and access a patron page with a borrowernumber that does not exist, you should get "This patron does not exist" Technical note: A new C4::Output subroutine is created in this patch: "output_and_exit_if_error" Executed at the beginning of the script it will permit not to copy/paste all the different checks to know if the logged in user is authorised to see patron's information. The design here can be discussed, but I did not find an alternative with as less changes. On the way I refactor what we did with 'unknowuser' previously: it will now work with all patron pages, not only the few that used it. Note that the 'or die "Not logged in";' part should not be needed, but... who trusts C4::Auth? I think it could be used as a safeguard later. I am willing to sed and remove them if required. Changes in discharge.pl are mainly indentation changes. With this patch we should now have a $patron variable that refer to the patron we want to access. That will be very useful to remove plenty of code in members/* and only pass this variable to the template (instead of 1 variable per patron's attribute). Signed-off-by: Signed-off-by: Jon McGowan 
Signed-off-by: Jonathan Druart --- C4/Output.pm | 25 ++++++++++++++++++ .../prog/en/includes/acquisitions-toolbar.inc | 1 + .../prog/en/includes/authorities-toolbar.inc | 1 + .../prog/en/includes/blocking_errors.inc | 10 +++++++ .../en/includes/budgets-admin-toolbar.inc | 1 + .../prog/en/includes/cat-toolbar.inc | 1 + .../prog/en/includes/labels-toolbar.inc | 1 + .../prog/en/includes/members-toolbar.inc | 1 + .../prog/en/includes/patron-toolbar.inc | 1 + .../prog/en/includes/patroncards-toolbar.inc | 1 + .../prog/en/includes/reports-toolbar.inc | 1 + .../includes/rotating-collections-toolbar.inc | 1 + .../prog/en/includes/serials-toolbar.inc | 1 + .../en/includes/virtualshelves-toolbar.inc | 2 ++ .../prog/en/modules/members/discharge.tt | 4 +-- .../prog/en/modules/members/housebound.tt | 4 --- .../prog/en/modules/members/moremember.tt | 13 ++-------- .../prog/en/modules/members/statistics.tt | 6 +++-- members/boraccount.pl | 4 ++- members/deletemem.pl | 13 +++++----- members/discharge.pl | 8 ++---- members/discharges.pl | 3 +++ members/files.pl | 12 ++++----- members/housebound.pl | 10 +++---- members/mancredit.pl | 5 +++- members/maninvoice.pl | 9 +++++-- members/member-flags.pl | 4 ++- members/member-password.pl | 6 ++--- members/memberentry.pl | 13 ++++------ members/members-update-do.pl | 6 +++++ members/mod_debarment.pl | 8 ++++++ members/moremember.pl | 9 +++---- members/notices.pl | 3 +++ members/pay.pl | 9 +++---- members/paycollect.pl | 7 +++-- members/print_overdues.pl | 6 +++++ members/printfeercpt.pl | 9 +++---- members/printinvoice.pl | 9 +++---- members/printslip.pl | 5 ++++ members/purchase-suggestions.pl | 9 +++---- members/readingrec.pl | 8 +++--- members/routing-lists.pl | 9 +++---- members/setstatus.pl | 26 ++++++++++++------- members/statistics.pl | 9 +++---- members/summary-print.pl | 9 +++---- members/update-child.pl | 10 +++---- 46 files changed, 187 insertions(+), 126 deletions(-) create mode 100644 
koha-tmpl/intranet-tmpl/prog/en/includes/blocking_errors.inc
diff --git a/C4/Output.pm b/C4/Output.pm
index af7dd5a22b..58bd75a690 100644
--- a/C4/Output.pm
+++ b/C4/Output.pm
@@ -50,6 +50,7 @@ BEGIN {
 );
 push @EXPORT, qw(
 &output_html_with_http_headers &output_ajax_with_http_headers &output_with_http_headers
+ &output_and_exit_if_error
 );
 }
@@ -306,6 +307,30 @@ sub is_ajax {
 return ( $x_req and $x_req =~ /XMLHttpRequest/i ) ? 1 : 0;
 }
+sub output_and_exit_if_error {
+ my ( $query, $cookie, $template, $params ) = @_;
+ my $error;
+ if ( $params and exists $params->{module} ) {
+ if ( $params->{module} eq 'members' ) {
+ my $logged_in_user = $params->{logged_in_user};
+ my $current_patron = $params->{current_patron};
+ if ( not $current_patron ) {
+ $error = 'unknown_patron';
+ }
+ elsif( not $logged_in_user->can_see_patron_infos( $current_patron ) ) {
+ $error = 'cannot_see_patron_infos';
+ }
+ }
+ }
+
+ if ( $error ) {
+ $template->param( blocking_error => $error );
+ output_html_with_http_headers ( $query, $cookie, $template->output );
+ exit;
+ }
+ return;
+}
+
 sub parametrized_url {
 my $url = shift || ''; # ie page.pl?ln={LANG}
 my $vars = shift || {}; # ie { LANG => en }
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-toolbar.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-toolbar.inc
index a82ab411a6..198c6cbbe3 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-toolbar.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-toolbar.inc
@@ -1,3 +1,4 @@
+[% INCLUDE 'blocking_errors.inc' %]
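Review bot: An unrecognised `module` value makes the new `output_and_exit_if_error` return silently with no check at all, so a caller that passes e.g. `module => 'member'` loses the authorisation gate without any signal; since the sub exists to fail closed, the `if ( $params->{module} eq 'members' )` branch should get an `else { die "output_and_exit_if_error: unknown module '$params->{module}'" }` so a mistyped caller dies instead of proceeding. Likewise `$logged_in_user` is dereferenced without a guard: an undef value dies with a generic "Can't call method" message, which is fail-closed but hard to diagnose, so a `die "output_and_exit_if_error: logged_in_user missing" unless $logged_in_user;` before the `can_see_patron_infos` call would name the cause. The sub is also undocumented; a `=head2 output_and_exit_if_error` POD stanza should state the `module`, `logged_in_user` and `current_patron` params, that it sets the `blocking_error` template variable to `unknown_patron` or `cannot_see_patron_infos`, and that it calls `exit` after rendering. That bare `exit` is fine for plain CGI, but under a persistent server it depends on the CGI emulation layer intercepting `exit`; worth confirming for the deployment targets.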