From 4b8a5bde3355abb3355085ea16c64f4ab2982731 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 2 Sep 2021 11:51:48 +0200
Subject: [PATCH] Bug 28941: Filter suggestion inputs at the OPAC

The following sequence is bad: 46 my $suggestion = $input->Vars; 181 &NewSuggestion($suggestion); All columns can be set when we insert the suggestion into the DB We definitely want to avoid the following fields to be set by the final user: acceptedby, accepteddate, STATUS, etc...
Signed-off-by: Marcel de Rooy
Signed-off-by: Julian Maurice
Signed-off-by: Wainui Witika-Park
---
 opac/opac-suggestions.pl | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/opac/opac-suggestions.pl b/opac/opac-suggestions.pl
index 351c40ed82..e63b6a4f79 100755
--- a/opac/opac-suggestions.pl
+++ b/opac/opac-suggestions.pl
@@ -34,12 +34,27 @@ use Koha::Patrons;
 use Koha::DateUtils qw( dt_from_string );
-my $input = new CGI;
-my $op = $input->param('op');
-my $suggestion = $input->Vars;
+my $input = CGI->new;
+my $op = $input->param('op') || 'else';
+my $biblionumber = $input->param('biblionumber');
 my $negcaptcha = $input->param('negcap');
 my $suggested_by_anyone = $input->param('suggested_by_anyone') || 0;
+my $suggestion = {
+ title => scalar $input->param('title'),
+ author => scalar $input->param('author'),
+ copyrightdate => scalar $input->param('copyrightdate'),
+ isbn => scalar $input->param('isbn'),
+ publishercode => scalar $input->param('publishercode'),
+ collectiontitle => scalar $input->param('collectiontitle'),
+ place => scalar $input->param('place'),
+ quantity => scalar $input->param('quantity'),
+ itemtype => scalar $input->param('itemtype'),
+ branchcode => scalar $input->param('branchcode'),
+ patronreason => scalar $input->param('patronreason'),
+ note => scalar $input->param('note'),
+};
+
 # If a spambot accidentally populates the 'negcap' field in the sugesstions form, then silently skip and return.
 if ($negcaptcha ) {
 print $input->redirect("/cgi-bin/koha/opac-suggestions.pl");
@@ -127,12 +142,12 @@ if ( $op eq "add_confirm" ) {
 elsif ( @$suggestions_loop >= 1 ) {
 #some suggestion are answering the request Donot Add
- for my $suggestion (@$suggestions_loop) {
+ for my $s (@$suggestions_loop) {
 push @messages,
 {
 type => 'error',
 code => 'already_exists',
- id => $suggestion->{suggestionid}
+ id => $s->{suggestionid}
 };
 last;
 }
@@ -147,6 +162,7 @@ if ( $op eq "add_confirm" ) {
 }
 $suggestion->{suggesteddate} = dt_from_string;
 $suggestion->{branchcode} = $input->param('branchcode') || C4::Context->userenv->{"branch"};
+ $suggestion->{STATUS} = 'ASKED';
 &NewSuggestion($suggestion);
 $patrons_pending_suggestions_count++;
-- 
2.39.5
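Review bot: The explicit field list that replaces `$input->Vars` is the right mitigation for the mass-assignment, but nothing in the new code records why it exists, so the next person adding a form field could just as easily reach for `$input->Vars` again. A short comment above `my $suggestion = {` would pin it: `# Allow-list of form fields the OPAC user may set. Never build this from $input->Vars: that lets a client set server-managed columns (STATUS, acceptedby, accepteddate, ...).` The `scalar` on each `$input->param` call also deserves a one-line note, since it is what stops a repeated parameter from expanding into extra key/value pairs inside the hash constructor. Whether `branchcode` and `itemtype` are checked against known libraries and item types before insertion is not visible in this hunk; if NewSuggestion does not validate them, that check belongs next to this allow-list.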
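Review bot: `$suggestion->{STATUS} = 'ASKED';` is set more than a hundred lines away from the allow-list in the first hunk, with no comment linking the two; a note such as `# STATUS is never taken from the form: a new OPAC suggestion always starts as ASKED.` keeps the intent visible where the insert happens. The preceding line re-reads `branchcode` from the request even though the allow-list already holds it; `$suggestion->{branchcode} ||= C4::Context->userenv->{"branch"};` gives the same result with one source of truth, assuming nothing between the two hunks rewrites that key. The enclosing `if ( $op eq "add_confirm" )` block starts and ends outside the hunk.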