From 03d4ed2468bb9ab97b1f7b7d9e29507dc815a8b3 Mon Sep 17 00:00:00 2001
From: Galen Charlton <gmc@esilibrary.com>
Date: Tue, 4 Feb 2014 15:54:33 +0000
Subject: [PATCH] Bug 11666: add permission check for MARC framework
 import/export

This patch makes the MARC framework import/export script require
that the staff user be logged in with appropriate permissions for
managing the MARC frameworks.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de>

I can confirm the bug and the solution. After applying the patch
downloading the file without logging in first is no longer possible.
Also passes tests and QA script.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
---
 admin/import_export_framework.pl | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/admin/import_export_framework.pl b/admin/import_export_framework.pl
index 8674ebf619..555eec5e01 100755
--- a/admin/import_export_framework.pl
+++ b/admin/import_export_framework.pl
@@ -21,11 +21,31 @@
 use strict;
 use warnings;
 use CGI;
+use CGI::Cookie;
 use C4::Context;
+use C4::Auth qw/check_cookie_auth/;
 use C4::ImportExportFramework;
 
+my %cookies = CGI::Cookie->fetch();
+my $authenticated = 0;
+my ($auth_status, $sessionID);
+if (exists $cookies{'CGISESSID'}) {
+    ($auth_status, $sessionID) = check_cookie_auth(
+        $cookies{'CGISESSID'}->value,
+        { parameters => 'parameters_remaining_permissions' },
+    );
+}
+if ($auth_status eq 'ok') {
+    $authenticated = 1;
+}
+
 my $input = new CGI;
 
+unless ($authenticated) {
+    print $input->header(-type => 'text/plain', -status => '403 Forbidden');
+    exit 0;
+}
+
 my $frameworkcode = $input->param('frameworkcode') || '';
 my $action = $input->param('action') || 'export';
 
-- 
2.20.1