From 3656d00eaf8d12cb3570c5bd92fe31d717c68a83 Mon Sep 17 00:00:00 2001 From: Galen Charlton Date: Tue, 25 May 2010 23:27:20 -0400 Subject: [PATCH] bug 4816: require authentication for placerequest.pl Otherwise, it was possible to construct a URL to place hold requests without authorization. Signed-off-by: Galen Charlton --- reserve/placerequest.pl | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/reserve/placerequest.pl b/reserve/placerequest.pl index 36f8ecd1f0..bc3fc74cb0 100755 --- a/reserve/placerequest.pl +++ b/reserve/placerequest.pl @@ -23,17 +23,19 @@ use strict; use warnings; + +use CGI; use C4::Biblio; use C4::Items; -use CGI; use C4::Output; use C4::Reserves; use C4::Circulation; use C4::Members; +use C4::Auth qw/checkauth/; -my $input = new CGI; -#print $input->header; +my $input = CGI->new(); +my ($user, $cookie, $sesion_id, $flags) = checkauth($input, 0, { reserveforothers => 'place_holds' }, 'intranet'); my @bibitems=$input->param('biblioitem'); # FIXME I think reqbib does not exist anymore, it's used in line 82, to AddReserve of contraint type 'o' -- 2.39.5