From 08871a324fa731ffdbbe87afde1ee145c604a22b Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@koha-community.org>
Date: Wed, 24 Jun 2015 11:03:22 +0200
Subject: [PATCH] Bug 14440: get_template_and_user can not have an empty
 template_name (quote*_ajax.pl)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This patch uses check_api_auth instead of get_template_and_user.

Test plan:
Confirm that you are still able to access to the quote editor with the
edit_quotes permission.
Confirm that you are not if you don't have the permission.

wget your_url/cgi-bin/koha/tools/quotes/quotes_ajax.pl
should return "403 : Forbidden."

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
---
 tools/quotes/quotes-upload_ajax.pl | 16 ++++++----------
 tools/quotes/quotes_ajax.pl        | 16 ++++++----------
 2 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/tools/quotes/quotes-upload_ajax.pl b/tools/quotes/quotes-upload_ajax.pl
index 93bbfbeb59..179c645c1a 100755
--- a/tools/quotes/quotes-upload_ajax.pl
+++ b/tools/quotes/quotes-upload_ajax.pl
@@ -32,16 +32,12 @@ use C4::Output;
 my $cgi = new CGI;
 my $dbh = C4::Context->dbh;
 
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
-    {
-        template_name   => "",
-        query           => $cgi,
-        type            => "intranet",
-        authnotrequired => 0,
-        flagsrequired   => { tools => 'edit_quotes' },
-        debug           => 1,
-    }
-);
+my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { tools => 'edit_quotes' } );
+unless ($status eq "ok") {
+    print $cgi->header(-type => 'application/json', -status => '403 Forbidden');
+    print to_json({ auth_status => $status });
+    exit 0;
+}
 
 my $success = 'true';
 
diff --git a/tools/quotes/quotes_ajax.pl b/tools/quotes/quotes_ajax.pl
index d08178f913..c4bbae31e2 100755
--- a/tools/quotes/quotes_ajax.pl
+++ b/tools/quotes/quotes_ajax.pl
@@ -31,16 +31,12 @@ my $cgi = CGI->new;
 my $dbh = C4::Context->dbh;
 my $sort_columns = ["id", "source", "text", "timestamp"];
 
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
-    {
-        template_name   => "",
-        query           => $cgi,
-        type            => "intranet",
-        authnotrequired => 0,
-        flagsrequired   => { tools => 'edit_quotes' },
-        debug           => 1,
-    }
-);
+my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { tools => 'edit_quotes' } );
+unless ($status eq "ok") {
+    print $cgi->header(-type => 'application/json', -status => '403 Forbidden');
+    print to_json({ auth_status => $status });
+    exit 0;
+}
 
 # NOTE: This is a collection of ajax functions for use with tools/quotes.pl
 
-- 
2.39.2