From 6ca49b550e54a0f1729c5d23838256a0e4542f91 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Wed, 5 Jan 2022 15:56:24 +0100 Subject: [PATCH] Bug 29542: Prevent access to private list to non authorized users The catalogue permission is not enough. Test plan: Create a private list owned by user A Login with user B and hit (with XX the shelfid) /cgi-bin/koha/virtualshelves/sendshelf.pl?shelfid=XX You should get an error message "You do not have sufficient permission to continue." Login with user A => You should be able to send the list Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi Signed-off-by: Kyle M Hall
---
 .../prog/en/modules/virtualshelves/sendshelfform.tt | 1 +
 virtualshelves/sendshelf.pl | 13 +++++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
index c8ebd595f0..d607578c7c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
@@ -3,6 +3,7 @@
 [% INCLUDE 'doc-head-close.inc' %]
+[% INCLUDE 'blocking_errors.inc' %]
[% IF ( email ) %]
 [% IF ( SENT ) %]
diff --git a/virtualshelves/sendshelf.pl b/virtualshelves/sendshelf.pl
index bc47249744..ed719c1b44 100755
--- a/virtualshelves/sendshelf.pl
+++ b/virtualshelves/sendshelf.pl
@@ -33,13 +33,16 @@ use C4::Biblio qw( GetMarcSubjects );
 use C4::Items qw( GetItemsInfo );
-use C4::Output qw( output_html_with_http_headers );
+use C4::Output qw(
+ output_html_with_http_headers
+ output_and_exit
+);
 use Koha::Email;
 use Koha::Virtualshelves;
 my $query = CGI->new;
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
+my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 {
 template_name => "virtualshelves/sendshelfform.tt",
 query => $query,
@@ -51,7 +54,10 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 my $shelfid = $query->param('shelfid');
 my $to_address = $query->param('email');
-my $dbh = C4::Context->dbh;
+my $shelf = Koha::Virtualshelves->find( $shelfid );
+
+output_and_exit( $query, $cookie, $template, 'insufficient_permission' )
+ if $shelf && !$shelf->can_be_viewed( $loggedinuser );
 if ($to_address) {
 my $comment = $query->param('comment');
@@ -65,7 +71,6 @@ if ($to_address) {
 }
 );
- my $shelf = Koha::Virtualshelves->find( $shelfid );
 my $contents = $shelf->get_contents;
 my $marcflavour = C4::Context->preference('marcflavour');
 my $iso2709;
-- 2.39.5
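Review bot: The new guard `output_and_exit( $query, $cookie, $template, 'insufficient_permission' ) if $shelf && !$shelf->can_be_viewed( $loggedinuser );` only fires when the shelf exists, so a missing or unknown `shelfid` falls through and `$shelf->get_contents` in the `if ($to_address)` branch (the following hunk) is then called on undef, which dies rather than producing a controlled error page. It also lets a caller distinguish a non-existent list from a private one by the response. Inverting the condition, `output_and_exit( $query, $cookie, $template, 'insufficient_permission' ) unless $shelf && $shelf->can_be_viewed( $loggedinuser );`, covers both cases with the same response; if a separate "not found" message is preferred it would need its own entry in blocking_errors.inc, which is not visible here. The `if ($to_address) {` block opened at the end of this hunk continues past it.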