From 7f87543b414c322dc0918901c4fa7e9a17d8b14a Mon Sep 17 00:00:00 2001 From: Owen Leonard Date: Tue, 17 May 2011 11:07:03 -0400 Subject: [PATCH] Fix for Bug 3140 - It is possible to email someone else's private list Adding check for ShelfPossibleAction("view") to make sure the logged in user has permission to view the selected list when downloading or emailing a list. Signed-off-by: Paul Poulain Signed-off-by: Ian Walls Signed-off-by: Chris Cormack (cherry picked from commit b65f6d0a99dc13e73aed5058a44a72895c829b32) Signed-off-by: Chris Nighswonger --- .../prog/en/modules/opac-downloadshelf.tt | 51 ++++++----- .../prog/en/modules/opac-sendshelfform.tt | 41 +++++---- opac/opac-downloadshelf.pl | 85 ++++++++++--------- opac/opac-sendshelf.pl | 9 ++ 4 files changed, 108 insertions(+), 78 deletions(-) diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt index 0b2124f6da..608c955801 100644 --- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt +++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt @@ -7,29 +7,38 @@ -
[% IF ( format ) %] -

Your download should begin automatically.

-[% ELSE %] -
-
-
  1. - + + + + + [% FOREACH csv_profile IN csv_profiles %] + + [% END %] -
-
-
-
-
+ + +
+
+ -

Back to lists

+

Back to lists

-[% END %]
+ [% END %] +[% ELSE %] +
+

You do not have permission to download this list.

+
+

Back to lists

+[% END %] + diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt index 88b084e53b..1085ae0d76 100644 --- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt +++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt @@ -20,25 +20,30 @@ [% END %] [% ELSE %] + [% IF ( invalidlist ) %] +
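Review bot: The new `[% ELSE %]` branch shows "You do not have permission to download this list." for every request where opac-downloadshelf.pl sets `invalidlist`, which presumably also covers a shelfid that does not exist at all rather than only another user's private list; keep that single message rather than splitting it into "not found" and "no permission" variants, since distinct responses would let a visitor enumerate which list ids exist. The surrounding HTML markup is not visible in this rendering, so the template structure itself cannot be checked here. A short comment at the top of the branch, `[%# shown when opac-downloadshelf.pl denies ShelfPossibleAction('view') for this shelfid %]`, would tie the message to the server-side check that triggers it.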
+

You do not have permission to send this list.

+
+

Back to lists

+ [% ELSE %] +
- - -
-Sending your list -
  1. - - -
  2. -
  3. - - -
  4. -
  5. - -
-
Cancel
-
- +
+ Sending your list +
  1. + + +
  2. +
  3. + + +
  4. +
  5. + +
+
Cancel
+ + [% END %] [% END %] diff --git a/opac/opac-downloadshelf.pl b/opac/opac-downloadshelf.pl index ee9b0b1547..1057a16713 100755 --- a/opac/opac-downloadshelf.pl +++ b/opac/opac-downloadshelf.pl 
@@ -48,52 +48,59 @@ my $shelfid = $query->param('shelfid'); my $format = $query->param('format'); my $dbh = C4::Context->dbh; -if ($shelfid && $format) { - - my @shelf = GetShelf($shelfid); - my ($items, $totitems) = GetShelfContents($shelfid); - my $marcflavour = C4::Context->preference('marcflavour'); - my $output; - - # CSV - if ($format =~ /^\d+$/) { - my @biblios; - foreach (@$items) { - push @biblios, $_->{biblionumber}; - } - $output = marc2csv(\@biblios, $format); - - # Other formats - } else { - foreach my $biblio (@$items) { - my $biblionumber = $biblio->{biblionumber}; +if ( ShelfPossibleAction( (defined($borrowernumber) ? $borrowernumber : -1), $shelfid, 'view' ) ) { - my $record = GetMarcBiblio($biblionumber, 1); - next unless $record; + if ($shelfid && $format) { - if ($format eq 'iso2709') { - $output .= $record->as_usmarc(); - } - elsif ($format eq 'ris' ) { - $output .= marc2ris($record); + my @shelf = GetShelf($shelfid); + my ($items, $totitems) = GetShelfContents($shelfid); + my $marcflavour = C4::Context->preference('marcflavour'); + my $output; + + # CSV + if ($format =~ /^\d+$/) { + my @biblios; + foreach (@$items) { + push @biblios, $_->{biblionumber}; } - elsif ($format eq 'bibtex') { - $output .= marc2bibtex($record, $biblionumber); + $output = marc2csv(\@biblios, $format); + + # Other formats + } else { + foreach my $biblio (@$items) { + my $biblionumber = $biblio->{biblionumber}; + + my $record = GetMarcBiblio($biblionumber, 1); + next unless $record; + + if ($format eq 'iso2709') { + $output .= $record->as_usmarc(); + } + elsif ($format eq 'ris' ) { + $output .= marc2ris($record); + } + elsif ($format eq 'bibtex') { + $output .= marc2bibtex($record, $biblionumber); + } } } - } - # If it was a CSV export we change the format after the export so the file extension is fine - $format = "csv" if ($format =~ m/^\d+$/); + # If it was a CSV export we change the format after the export so the file extension is fine + $format = "csv" if ($format 
=~ m/^\d+$/); + + print $query->header( + -type => 'application/octet-stream', + -'Content-Transfer-Encoding' => 'binary', + -attachment=>"shelf.$format"); + print $output; - print $query->header( - -type => 'application/octet-stream', - -'Content-Transfer-Encoding' => 'binary', - -attachment=>"shelf.$format"); - print $output; + } else { + $template->param(csv_profiles => GetCsvProfilesLoop()); + $template->param(shelfid => $shelfid); + output_html_with_http_headers $query, $cookie, $template->output; + } } else { - $template->param(csv_profiles => GetCsvProfilesLoop()); - $template->param(shelfid => $shelfid); + $template->param(invalidlist => 1); output_html_with_http_headers $query, $cookie, $template->output; -} +} \ No newline at end of file diff --git a/opac/opac-sendshelf.pl b/opac/opac-sendshelf.pl index 6a376c4d45..e3798f8657 100755 --- a/opac/opac-sendshelf.pl +++ b/opac/opac-sendshelf.pl @@ -51,6 +51,8 @@ my $email = $query->param('email'); my $dbh = C4::Context->dbh; +if ( ShelfPossibleAction( (defined($borrowernumber) ? $borrowernumber : -1), $shelfid, 'view' ) ) { + if ( $email ) { my $email_from = C4::Context->preference('KohaAdminEmailAddress'); my $comment = $query->param('comment'); @@ -177,3 +179,10 @@ END_OF_BODY ); output_html_with_http_headers $query, $cookie, $template->output; } + +} else { + $template->param( invalidlist => 1, + url => "/cgi-bin/koha/opac-sendshelf.pl", + ); + output_html_with_http_headers $query, $cookie, $template->output; +} \ No newline at end of file -- 2.39.5
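Review bot: The new `ShelfPossibleAction( ..., $shelfid, 'view' )` guard now runs before the `if ($shelfid && $format)` test, so a request carrying no shelfid is authorised against an undefined shelf; what ShelfPossibleAction returns for an undefined shelfid is not visible here, and if it is false the form-rendering `else` branch (the one that sets `csv_profiles`) becomes unreachable, while if it is true the form is served without any list being named. Making the missing-id case explicit, e.g. `if ( $shelfid && ShelfPossibleAction( (defined($borrowernumber) ? $borrowernumber : -1), $shelfid, 'view' ) ) {`, keeps the authorisation result tied to a concrete list. The `-1` fallback relies on ShelfPossibleAction treating that value as "no borrower"; a comment such as `# -1 stands in for an anonymous OPAC user; only public lists should pass 'view' then` would record that intent — confirm against C4::VirtualShelves. The rewritten file also ends with `\ No newline at end of file`, which the original did not; restore the trailing newline. `$borrowernumber` is defined above the hunk.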
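Review bot: The `if ( ShelfPossibleAction( ... 'view' ) ) {` opened in the first hunk is closed only in the second hunk (`@@ -177,3 +179,10 @@`), and unlike opac-downloadshelf.pl the wrapped body is not re-indented, so the scope of the authorisation check is invisible when reading the file; either re-indent the body or mark the closing brace with `} # end ShelfPossibleAction('view') guard`. The guard does sit in the right place, ahead of both the `$email` send path and the form rendering, so neither can run for a list the requester may not view. The same `(defined($borrowernumber) ? $borrowernumber : -1)` expression is now duplicated in both scripts; a one-line comment `# -1 stands in for an anonymous OPAC user` would document the sentinel, whose handling inside ShelfPossibleAction is not visible here. This file likewise ends with `\ No newline at end of file` after the change; restore the trailing newline.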