From 718c57367e30dfea247d8ca815e1a8b401a9da3c Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 5 Jan 2022 15:56:24 +0100
Subject: [PATCH] Bug 29542: Prevent access to private list to non authorized users

The catalogue permission is not enough.

Test plan:
Create a private list owned by user A
Login with user B and hit (with XX the shelfid)
/cgi-bin/koha/virtualshelves/sendshelf.pl?shelfid=XX
You should get an error message "You do not have sufficient permission to continue."
Login with user A
=> You should be able to send the list

Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Andrew Fuerste-Henry
---
 .../prog/en/modules/virtualshelves/sendshelfform.tt | 1 +
 virtualshelves/sendshelf.pl | 13 +++++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
index c8ebd595f0..d607578c7c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
@@ -3,6 +3,7 @@
 [% INCLUDE 'doc-head-close.inc' %]
+[% INCLUDE 'blocking_errors.inc' %]
 [% IF ( email ) %]
 [% IF ( SENT ) %]
diff --git a/virtualshelves/sendshelf.pl b/virtualshelves/sendshelf.pl
index f15e2c9f64..b62d5a46b3 100755
--- a/virtualshelves/sendshelf.pl
+++ b/virtualshelves/sendshelf.pl
@@ -27,13 +27,16 @@ use Try::Tiny;
 use C4::Auth;
 use C4::Biblio;
 use C4::Items;
-use C4::Output;
+use C4::Output qw(
+ output_html_with_http_headers
+ output_and_exit
+);
 use Koha::Email;
 use Koha::Virtualshelves;
 my $query = CGI->new;
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
+my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 {
 template_name => "virtualshelves/sendshelfform.tt",
 query => $query,
@@ -45,7 +48,10 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 my $shelfid = $query->param('shelfid');
 my $to_address = $query->param('email');
-my $dbh = C4::Context->dbh;
+my $shelf = Koha::Virtualshelves->find( $shelfid );
+
+output_and_exit( $query, $cookie, $template, 'insufficient_permission' )
+ if $shelf && !$shelf->can_be_viewed( $loggedinuser );
 if ($to_address) {
 my $comment = $query->param('comment');
@@ -59,7 +65,6 @@ if ($to_address) {
 }
 );
- my $shelf = Koha::Virtualshelves->find( $shelfid );
 my $contents = $shelf->get_contents;
 my $marcflavour = C4::Context->preference('marcflavour');
 my $iso2709;
-- 
2.39.5
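Review bot: The new guard in the second hunk of virtualshelves/sendshelf.pl only fires when `$shelf` is defined, so a request with a missing or unknown shelfid passes through it and reaches `$shelf->get_contents` in the third hunk, a method call on undef that dies inside the send path instead of producing a controlled error page. Inverting the condition refuses both cases with one line and also keeps the response from distinguishing a list that does not exist from one the caller may not view: `output_and_exit( $query, $cookie, $template, 'insufficient_permission' ) unless $shelf && $shelf->can_be_viewed( $loggedinuser );`. If a separate "not found" page is wanted, it should still be an explicit exit placed before `$shelf` is used, not left to the later dereference. The `if ($to_address)` block that contains the `get_contents` call starts in the second hunk and continues past the end of the third, so any other use of `$shelf` in that block should be re-checked against the moved `find`.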