From 2fcc02321f0f56760cfdbd67a29917e4f0ba278b Mon Sep 17 00:00:00 2001
From: Alex Arnaud
Date: Thu, 11 Jun 2015 10:55:35 +0200
Subject: [PATCH] Bug 13663: Fix permissions in upload-file.pl and upload-file-progress.pl

Test plan: Verify that the circulate_remaining_permissions perm is enough to upload .koc file.

Signed-off-by: Indranil Das Gupta (L2C2 Technologies)
Signed-off-by: Jonathan Druart
Signed-off-by: Tomas Cohen Arazi
---
 tools/upload-file-progress.pl | 21 ++++++++++++++++++---
 tools/upload-file.pl | 20 +++++++++++++++++---
 2 files changed, 35 insertions(+), 6 deletions(-)

diff --git a/tools/upload-file-progress.pl b/tools/upload-file-progress.pl
index 072f44e482..3f7d2cd1fc 100755
--- a/tools/upload-file-progress.pl
+++ b/tools/upload-file-progress.pl
@@ -25,14 +25,29 @@ use IO::File;
 use CGI qw ( -utf8 );
 use CGI::Session;
 use C4::Context;
-use C4::Auth qw/check_cookie_auth/;
+use C4::Auth qw/check_cookie_auth haspermission/;
 use C4::UploadedFile;
 use CGI::Cookie; # need to check cookies before
 # having CGI parse the POST request
 
+my $flags_required = [
+ {circulate => 'circulate_remaining_permissions'},
+ {tools => 'stage_marc_import'},
+ {tools => 'upload_local_cover_images'}
+];
+
 my %cookies = fetch CGI::Cookie;
-my ($auth_status, $sessionID) = check_cookie_auth($cookies{'CGISESSID'}->value, { tools => '*' });
-if ($auth_status ne "ok") {
+
+my ($auth_status, $sessionID) = check_cookie_auth($cookies{'CGISESSID'}->value);
+
+my $auth_failure = 1;
+foreach my $flag_required (@{ $flags_required}) {
+ if (my $flags = haspermission(C4::Context->config('user'), $flag_required)) {
+ $auth_failure = 0 if $auth_status eq 'ok';
+ }
+}
+
+if ($auth_failure) {
 my $reply = CGI->new("");
 print $reply->header(-type => 'text/html');
 print '{"progress":"0"}';
diff --git a/tools/upload-file.pl b/tools/upload-file.pl
index cc8325a014..2dd66f0ed2 100755
--- a/tools/upload-file.pl
+++ b/tools/upload-file.pl
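Review bot: The permission loop passes `C4::Context->config('user')` to `haspermission`, which is a value read from the site configuration rather than the user behind the `CGISESSID` cookie, so the outcome does not depend on who is making the request. If that configuration entry is the database account that Koha treats as a superuser (worth confirming in C4::Auth), every flag test succeeds and any valid session may upload, which is broader than the `{ tools => '*' }` check being removed. The same loop appears in the second hunk of tools/upload-file.pl. Letting `check_cookie_auth` test each flag set against the session, as the removed line did, keeps the decision tied to the session user; the sketch below also covers a request that arrives without a session cookie. The script continues outside the hunk.

```perl
my %cookies = fetch CGI::Cookie;

# Test each permission set against the session itself, so the decision
# depends on the logged-in user and not on a configuration value.
my $session_cookie = $cookies{'CGISESSID'};
my ($auth_status, $sessionID) = ('failed', undef);
if ($session_cookie) {
    foreach my $flag_required (@{$flags_required}) {
        ($auth_status, $sessionID) =
            check_cookie_auth($session_cookie->value, $flag_required);
        last if $auth_status eq 'ok';
    }
}
my $auth_failure = $auth_status eq 'ok' ? 0 : 1;

# … unchanged: if ($auth_failure) { … } denial reply …
```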
@@ -25,7 +25,7 @@ use IO::File;
 use CGI qw ( -utf8 );
 use CGI::Session;
 use C4::Context;
-use C4::Auth qw/check_cookie_auth/;
+use C4::Auth qw/check_cookie_auth haspermission/;
 use CGI::Cookie; # need to check cookies before
 # having CGI parse the POST request
 use C4::UploadedFile;
@@ -38,9 +38,23 @@ use C4::UploadedFile;
 # requires that the session cookie already
 # have been created.
 
+my $flags_required = [
+ {circulate => 'circulate_remaining_permissions'},
+ {tools => 'stage_marc_import'},
+ {tools => 'upload_local_cover_images'}
+];
+
 my %cookies = fetch CGI::Cookie;
-my ($auth_status, $sessionID) = check_cookie_auth($cookies{'CGISESSID'}->value, { tools => '*' });
-if ($auth_status ne "ok") {
+
+my $auth_failure = 1;
+my ($auth_status, $sessionID) = check_cookie_auth($cookies{'CGISESSID'}->value);
+foreach my $flag_required (@{ $flags_required}) {
+ if (my $flags = haspermission(C4::Context->config('user'), $flag_required)) {
+ $auth_failure = 0 if $auth_status eq 'ok';
+ }
+}
+
+if ($auth_failure) {
 $auth_status = 'denied' if $auth_status eq 'failed';
 send_reply($auth_status, "");
 exit 0;
--
2.39.5
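Review bot: In the second hunk the denial branch can still hand `ok` to `send_reply`: when the session is valid but no permission matched, `$auth_failure` stays 1 while `$auth_status` is `'ok'`, and only `'failed'` is rewritten to `'denied'`. Unless `send_reply` (defined outside the hunk) treats an empty file id as an error, the client receives a success status for a refused request. I would force the status inside that branch, e.g. `$auth_status = 'denied' if $auth_status eq 'failed' or $auth_status eq 'ok';`, so a refusal is never reported as success.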