From 586bed1319592e05f5dc3acf64a1dba8cae69d6b Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 2 Sep 2021 11:51:48 +0200
Subject: [PATCH] Bug 28941: Filter suggestion inputs at the OPAC

The following sequence is bad:
46 my $suggestion = $input->Vars;
181 &NewSuggestion($suggestion);
All columns can be set when we insert the suggestion into the DB We definitely want to avoid the following fields to be set by the final user: acceptedby, accepteddate, STATUS, etc...
Signed-off-by: Marcel de Rooy
Signed-off-by: Julian Maurice
Signed-off-by: Jonathan Druart
---
 opac/opac-suggestions.pl | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/opac/opac-suggestions.pl b/opac/opac-suggestions.pl
index 1fb5ffb136..e4ed209033 100755
--- a/opac/opac-suggestions.pl
+++ b/opac/opac-suggestions.pl
@@ -43,12 +43,26 @@ use Koha::DateUtils qw( dt_from_string output_pref );
 my $input = CGI->new;
 my $op = $input->param('op') || 'else';
 my $biblionumber = $input->param('biblionumber');
-my $suggestion = $input->Vars;
 my $negcaptcha = $input->param('negcap');
 my $suggested_by_anyone = $input->param('suggested_by_anyone') || 0;
 my $title_filter = $input->param('title_filter');
 my $need_confirm = 0;

+my $suggestion = {
+ title => scalar $input->param('title'),
+ author => scalar $input->param('author'),
+ copyrightdate => scalar $input->param('copyrightdate'),
+ isbn => scalar $input->param('isbn'),
+ publishercode => scalar $input->param('publishercode'),
+ collectiontitle => scalar $input->param('collectiontitle'),
+ place => scalar $input->param('place'),
+ quantity => scalar $input->param('quantity'),
+ itemtype => scalar $input->param('itemtype'),
+ branchcode => scalar $input->param('branchcode'),
+ patronreason => scalar $input->param('patronreason'),
+ note => scalar $input->param('note'),
+};
+
 # If a spambot accidentally populates the 'negcap' field in the sugesstions form, then silently skip and return.
 if ($negcaptcha ) {
 print $input->redirect("/cgi-bin/koha/opac-suggestions.pl");
@@ -85,11 +99,6 @@ else {
 );
 }

-# don't pass 'negcap' column to DB, else DBI::Class will error
-# DBIx::Class::Row::store_column(): No such column 'negcap' on Koha::Schema::Result::Suggestion at Koha/C4/Suggestions.pm
-delete $suggestion->{negcap};
-delete $suggestion->{$_} foreach qw;
-
 if ( $op eq 'else' ) {
 if ( C4::Context->preference("OPACViewOthersSuggestions") ) {
 if ( $borrowernumber ) {
@@ -157,12 +166,12 @@ if ( $op eq "add_confirm" ) {
 elsif ( @$suggestions_loop >= 1 ) {
 #some suggestion are answering the request Donot Add
- for my $suggestion (@$suggestions_loop) {
+ for my $s (@$suggestions_loop) {
 push @messages, {
 type => 'error',
 code => 'already_exists',
- id => $suggestion->{suggestionid}
+ id => $s->{suggestionid}
 };
 last;
 }
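Review bot: The new `$suggestion` hash is an allowlist of the columns a patron may set, but nothing in the code says so; a maintainer adding a form field later has no cue that `STATUS`, `acceptedby` or `accepteddate` must never be added here. Suggest a comment above the hash: `# Only these form fields may be set by the patron; STATUS, acceptedby, accepteddate, etc. are set server-side.` The `scalar` on every `param` call is also load-bearing — it stops a repeated query parameter from expanding into extra key/value pairs inside the hash constructor — and deserves a one-line note such as `# scalar: a repeated parameter must not inject extra hash keys`. Values such as `branchcode`, `itemtype` and `quantity` are still taken verbatim from the request; whether they are validated before insertion is not visible in this hunk.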
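Review bot: `$s` in `for my $s (@$suggestions_loop)` removes the shadowing of the outer `$suggestion` but is less descriptive than the name it replaces; `for my $existing (@$suggestions_loop) {` with `id => $existing->{suggestionid}` reads as the intent (a suggestion that already exists). The body ends with `last;`, so only the first match is ever reported; that is pre-existing behaviour, but a short comment saying it is intentional would help the next reader. The enclosing `if ( $op eq "add_confirm" )` block starts and ends outside the hunk.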
@@ -177,6 +186,7 @@ if ( $op eq "add_confirm" ) {
 }
 $suggestion->{suggesteddate} = dt_from_string;
 $suggestion->{branchcode} = $input->param('branchcode') || C4::Context->userenv->{"branch"};
+ $suggestion->{STATUS} = 'ASKED';
 &NewSuggestion($suggestion);
 $patrons_pending_suggestions_count++;
-- 
2.39.5
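Review bot: `$suggestion->{branchcode} = $input->param('branchcode') || ...` re-reads a parameter that the allowlisted hash already holds (the `branchcode => scalar $input->param('branchcode')` entry added near the top of the file), so the two reads can drift apart; `$suggestion->{branchcode} ||= C4::Context->userenv->{"branch"};` keeps a single source of truth. Setting `STATUS` server-side here is the right place for it, since it runs after all patron input has been collected. The allowlist constrains which columns a patron can set but not their values — `branchcode` and `itemtype` still arrive verbatim from the request — so if they are not checked elsewhere against known libraries and item types, an invalid value would reach `NewSuggestion` and surface as a database error rather than a form message. The enclosing `if ( $op eq "add_confirm" )` block starts outside the hunk.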