From 73759312d2a58056e2cc4fd336a1204f3e661a02 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Wed, 24 Jun 2015 11:24:14 +0200 Subject: [PATCH] Bug 14449: Add authentication check on retrieving item info when receiving The script catalogue/getitem-ajax.pl is called by acqui/orderreceive.pl when item is receipt. There is not auth check done, this means anybody can retrieve item info. Test plan: With the acquisition => order_receive permission, try to receive an item. It should work. Signed-off-by: Chris Cormack Very easy to test. Signed-off-by: Kyle M Hall Signed-off-by: Tomas Cohen Arazi (cherry picked from commit ea263a2284f1b81da5718a0cfbc581909c86cf4a) Signed-off-by: Chris Cormack --- catalogue/getitem-ajax.pl | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/catalogue/getitem-ajax.pl b/catalogue/getitem-ajax.pl index d05a8220f0..fd69a74322 100755 --- a/catalogue/getitem-ajax.pl +++ b/catalogue/getitem-ajax.pl @@ -21,6 +21,7 @@ use Modern::Perl; use CGI qw ( -utf8 ); use JSON; +use C4::Auth; use C4::Biblio; use C4::Branch; use C4::Items; @@ -28,6 +29,14 @@ use C4::Koha; use C4::Output; my $cgi = new CGI; + +my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { acquisition => 'order_receive' } ); +unless ($status eq "ok") { + print $cgi->header(-type => 'application/json', -status => '403 Forbidden'); + print to_json({ auth_status => $status }); + exit 0; +} + my $item = {}; my $itemnumber = $cgi->param('itemnumber'); -- 2.39.5