From 7b00bf7ddbdf3e763f3644ad8527ccba05504323 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Wed, 5 Jan 2022 15:56:24 +0100 Subject: [PATCH] Bug 29542: Prevent access to private list to non authorized users The catalogue permission is not enough. Test plan: Create a private list owned by user A Login with user B and hit (with XX the shelfid) /cgi-bin/koha/virtualshelves/sendshelf.pl?shelfid=XX You should get an error message "You do not have sufficient permission to continue." Login with user A => You should be able to send the list Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi Signed-off-by: Kyle M Hall (cherry picked from commit 6ca49b550e54a0f1729c5d23838256a0e4542f91) Signed-off-by: Victor Grousset/tuxayo (cherry picked from commit 2c41540b3bca62f8194b8392a283325411780ace) Signed-off-by: Wainui Witika-Park --- .../prog/en/modules/virtualshelves/sendshelfform.tt | 1 + virtualshelves/sendshelf.pl | 8 +++++--- 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
index ec399270bf..3325ef4330 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
@@ -2,6 +2,7 @@
 [% INCLUDE 'doc-head-close.inc' %]
+[% INCLUDE 'blocking_errors.inc' %]
 [% IF ( email ) %]
 [% IF ( SENT ) %]
diff --git a/virtualshelves/sendshelf.pl b/virtualshelves/sendshelf.pl
index 4ee9e46863..33c04cf95a 100755
--- a/virtualshelves/sendshelf.pl
+++ b/virtualshelves/sendshelf.pl
@@ -35,7 +35,7 @@ use Koha::Virtualshelves;
 my $query = new CGI;
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
+my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 {
 template_name => "virtualshelves/sendshelfform.tt",
 query => $query,
@@ -47,7 +47,10 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 my $shelfid = $query->param('shelfid');
 my $email = $query->param('email');
-my $dbh = C4::Context->dbh;
+my $shelf = Koha::Virtualshelves->find( $shelfid );
+
+output_and_exit( $query, $cookie, $template, 'insufficient_permission' )
+ if $shelf && !$shelf->can_be_viewed( $loggedinuser );
 if ($email) {
 my $comment = $query->param('comment');
@@ -67,7 +70,6 @@ if ($email) {
 }
 );
- my $shelf = Koha::Virtualshelves->find( $shelfid );
 my $contents = $shelf->get_contents;
 my $marcflavour = C4::Context->preference('marcflavour');
 my $iso2709;
-- 
2.39.5
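Review bot: The new guard `output_and_exit( ... 'insufficient_permission' ) if $shelf && !$shelf->can_be_viewed( $loggedinuser );` fires only when the lookup succeeded, so a `shelfid` that does not resolve falls through and reaches `my $contents = $shelf->get_contents;` in the third hunk with an undefined `$shelf`, where the third hunk has also removed the inner lookup that previously shadowed it; that path dies with a method-on-undef error instead of a controlled exit. As written, the three outcomes (form rendered, permission page, server error) differ by whether the shelf exists, which presumably lets a caller learn whether an arbitrary shelfid is in use even when it may not view it. Exiting on both failures from the same place closes both gaps: `output_and_exit( $query, $cookie, $template, 'insufficient_permission' )` followed by `if !$shelf || !$shelf->can_be_viewed( $loggedinuser );`. If `blocking_errors.inc` already defines a key for a missing shelf it would state the intent more precisely, but none is visible in this patch so I have not named one. The `if ($email) {` block that begins at the end of this hunk, and that the third hunk's `$shelf->get_contents` line sits inside, continues outside the hunks shown.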