From bbc42b204b2ded11a9462c9bbd4be7dd99e3a44d Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 24 Jun 2015 11:03:22 +0200
Subject: [PATCH] =?utf8?q?=C2=A0Bug=2014440:=20get=5Ftemplate=5Fand=5Fuser?=
 =?utf8?q?=20can=20not=20have=20an=20empty=20template=5Fname=20(quote*=5Fa?=
 =?utf8?q?jax.pl)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This patch uses check_api_auth instead of get_template_and_user. Test plan: Confirm that you are still able to access to the quote editor with the edit_quotes permission. Confirm that you are not if you don't have the permission. wget your_url/cgi-bin/koha/tools/quotes/quotes_ajax.pl should return "403 : Forbidden."

Signed-off-by: Indranil Das Gupta (L2C2 Technologies)
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Katrin Fischer
---
 tools/quotes/quotes-upload_ajax.pl | 16 ++++++----------
 tools/quotes/quotes_ajax.pl | 16 ++++++----------
 2 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/tools/quotes/quotes-upload_ajax.pl b/tools/quotes/quotes-upload_ajax.pl
index d2817d3af1..753d4be49a 100755
--- a/tools/quotes/quotes-upload_ajax.pl
+++ b/tools/quotes/quotes-upload_ajax.pl
@@ -32,16 +32,12 @@ use C4::Output;
 my $cgi = new CGI;
 my $dbh = C4::Context->dbh;
 
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
-    {
-        template_name => "",
-        query => $cgi,
-        type => "intranet",
-        authnotrequired => 0,
-        flagsrequired => { tools => 'edit_quotes' },
-        debug => 1,
-    }
-);
+my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { tools => 'edit_quotes' } );
+unless ($status eq "ok") {
+    print $cgi->header(-type => 'application/json', -status => '403 Forbidden');
+    print to_json({ auth_status => $status });
+    exit 0;
+}
 
 my $success = 'true';
 
diff --git a/tools/quotes/quotes_ajax.pl b/tools/quotes/quotes_ajax.pl
index 5f44a7efba..3145a8f52b 100755
--- a/tools/quotes/quotes_ajax.pl
+++ b/tools/quotes/quotes_ajax.pl
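Review bot: `$cookie` and `$sessionID` are unpacked from C4::Auth::check_api_auth but never read in the hunk, and the 403 header is printed without either of them; if the rest of the script (outside the hunk) does not use them, `my ( $status ) = C4::Auth::check_api_auth( $cgi, { tools => 'edit_quotes' } );` would make that explicit. The same guard is duplicated verbatim in tools/quotes/quotes_ajax.pl (the second hunk), so any later change to the status handling has to be made in both scripts. Every status other than "ok" is answered with 403 and the raw status string is echoed in the JSON body; a short comment such as `# Any status other than 'ok' from check_api_auth is refused with 403 before the quote data is touched` would record that this is deliberate rather than an oversight. `to_json` is called unqualified while the removed code did not need it — confirm the script's import block (outside the hunk) already brings it into scope.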
@@ -31,16 +31,12 @@ my $cgi = CGI->new;
 my $dbh = C4::Context->dbh;
 my $sort_columns = ["id", "source", "text", "timestamp"];
 
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
-    {
-        template_name => "",
-        query => $cgi,
-        type => "intranet",
-        authnotrequired => 0,
-        flagsrequired => { tools => 'edit_quotes' },
-        debug => 1,
-    }
-);
+my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { tools => 'edit_quotes' } );
+unless ($status eq "ok") {
+    print $cgi->header(-type => 'application/json', -status => '403 Forbidden');
+    print to_json({ auth_status => $status });
+    exit 0;
+}
 
 # NOTE: This is a collection of ajax functions for use with tools/quotes.pl
 
-- 
2.39.5