[Koha-patches] [PATCH] Fix for Bug 3140 - It is possible to email someone else's private list
Owen Leonard
oleonard at myacpl.org
Tue May 17 17:24:18 CEST 2011
Adding a check via ShelfPossibleAction("view") to make sure the logged-in
user has permission to view the selected list before it is downloaded
or emailed.
---
.../prog/en/modules/opac-downloadshelf.tt | 51 +++++++-----
.../prog/en/modules/opac-sendshelfform.tt | 41 +++++----
opac/opac-downloadshelf.pl | 85 +++++++++++---------
opac/opac-sendshelf.pl | 9 ++
4 files changed, 108 insertions(+), 78 deletions(-)
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt
index 0b2124f..608c955 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt
@@ -7,29 +7,38 @@
</script>
</head>
<body id="opac-downloadlist" style="padding:1em;">
-<div id="userdownloadshelf" class="container">[% IF ( format ) %]
- <p>Your download should begin automatically.</p>
-[% ELSE %]
-<form method="post" action="/cgi-bin/koha/opac-downloadshelf.pl">
-<fieldset class="rows">
- <ol><li><label for="format">Download list:</label>
- <select name="format" id="format">
- <option value="">-- Choose Format --</option>
- <option value="iso2709">iso2709</option>
- <option value="ris">RIS</option>
- <option value="bibtex">BibTex</option>
- [% FOREACH csv_profile IN csv_profiles %]
- <option value="[% csv_profile.export_format_id %]">CSV - [% csv_profile.profile %]</option>
- [% END %]
+<div id="userdownloadshelf" class="container">
+[% UNLESS ( invalidlist ) %]
+ [% IF ( format ) %]
+ <p>Your download should begin automatically.</p>
+ [% ELSE %]
+ <form method="post" action="/cgi-bin/koha/opac-downloadshelf.pl">
+ <fieldset class="rows">
+ <ol><li><label for="format">Download list:</label>
+ <select name="format" id="format">
+ <option value="">-- Choose Format --</option>
+ <option value="iso2709">iso2709</option>
+ <option value="ris">RIS</option>
+ <option value="bibtex">BibTex</option>
+ [% FOREACH csv_profile IN csv_profiles %]
+ <option value="[% csv_profile.export_format_id %]">CSV - [% csv_profile.profile %]</option>
+ [% END %]
- </select></li></ol>
-</fieldset>
-<fieldset class="action"> <input type="hidden" name="shelfid" value="[% shelfid %]" />
- <input type="submit" name="save" value="Go" /></fieldset>
- </form>
+ </select></li></ol>
+ </fieldset>
+ <fieldset class="action"> <input type="hidden" name="shelfid" value="[% shelfid %]" />
+ <input type="submit" name="save" value="Go" /></fieldset>
+ </form>
- <p><a class="button close" href="/cgi-bin/koha/opac-shelves.pl">Back to lists</a></p>
+ <p><a class="button close" href="/cgi-bin/koha/opac-shelves.pl">Back to lists</a></p>
-[% END %]</div>
+ [% END %]
+[% ELSE %]
+ <div class="dialog alert">
+ <p>You do not have permission to download this list.</p>
+ </div>
+ <p><a class="button close" href="/cgi-bin/koha/opac-shelves.pl">Back to lists</a></p>
+[% END %]
+</div>
</body>
</html>
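Review bot: The hidden field on the new form line is rendered as `value="[% shelfid %]"` with no escaping filter, and the script populates that variable directly from the `shelfid` request parameter. Should the permission check ever accept a value containing a double quote, that value is written straight into the attribute and breaks out of it. If this Template Toolkit setup provides the `html` filter, `<input type="hidden" name="shelfid" value="[% shelfid | html %]" />` would close the gap; the matching hidden field in opac-sendshelfform.tt has the same shape.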
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt
index 88b084e..1085ae0 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt
@@ -20,25 +20,30 @@
[% END %]
[% ELSE %]
+ [% IF ( invalidlist ) %]
+ <div class="dialog alert">
+ <p>You do not have permission to send this list.</p>
+ </div>
+ <p><a class="button close" href="/cgi-bin/koha/opac-shelves.pl">Back to lists</a></p>
+ [% ELSE %]
+ <form action="[% url %]" method="post" id="sendshelfform">
-<form action="[% url %]" method="post" id="sendshelfform">
-
-<fieldset class="rows">
-<legend>Sending your list</legend>
-<ol> <li>
- <label for="email">Email Address:</label>
- <input type="text" id="email" name="email" size="43" class="focus" />
- </li>
- <li>
- <label for="comment">Comment:</label>
- <textarea id="comment" name="comment" rows="4" cols="40"></textarea>
- </li>
- <li>
- <input type="hidden" name="shelfid" value="[% shelfid %]" />
- </li></ol></fieldset>
- <fieldset class="action"> <input type="submit" value="Send" /> <a class="cancel close" href="#">Cancel</a> </fieldset>
-</form>
-
+ <fieldset class="rows">
+ <legend>Sending your list</legend>
+ <ol> <li>
+ <label for="email">Email Address:</label>
+ <input type="text" id="email" name="email" size="43" class="focus" />
+ </li>
+ <li>
+ <label for="comment">Comment:</label>
+ <textarea id="comment" name="comment" rows="4" cols="40"></textarea>
+ </li>
+ <li>
+ <input type="hidden" name="shelfid" value="[% shelfid %]" />
+ </li></ol></fieldset>
+ <fieldset class="action"> <input type="submit" value="Send" /> <a class="cancel close" href="#">Cancel</a> </fieldset>
+ </form>
+ [% END %]
[% END %]</div>
</body>
</html>
diff --git a/opac/opac-downloadshelf.pl b/opac/opac-downloadshelf.pl
index ee9b0b1..1057a16 100755
--- a/opac/opac-downloadshelf.pl
+++ b/opac/opac-downloadshelf.pl
@@ -48,52 +48,59 @@ my $shelfid = $query->param('shelfid');
my $format = $query->param('format');
my $dbh = C4::Context->dbh;
-if ($shelfid && $format) {
-
- my @shelf = GetShelf($shelfid);
- my ($items, $totitems) = GetShelfContents($shelfid);
- my $marcflavour = C4::Context->preference('marcflavour');
- my $output;
-
- # CSV
- if ($format =~ /^\d+$/) {
- my @biblios;
- foreach (@$items) {
- push @biblios, $_->{biblionumber};
- }
- $output = marc2csv(\@biblios, $format);
-
- # Other formats
- } else {
- foreach my $biblio (@$items) {
- my $biblionumber = $biblio->{biblionumber};
+if ( ShelfPossibleAction( (defined($borrowernumber) ? $borrowernumber : -1), $shelfid, 'view' ) ) {
- my $record = GetMarcBiblio($biblionumber, 1);
- next unless $record;
+ if ($shelfid && $format) {
- if ($format eq 'iso2709') {
- $output .= $record->as_usmarc();
- }
- elsif ($format eq 'ris' ) {
- $output .= marc2ris($record);
+ my @shelf = GetShelf($shelfid);
+ my ($items, $totitems) = GetShelfContents($shelfid);
+ my $marcflavour = C4::Context->preference('marcflavour');
+ my $output;
+
+ # CSV
+ if ($format =~ /^\d+$/) {
+ my @biblios;
+ foreach (@$items) {
+ push @biblios, $_->{biblionumber};
}
- elsif ($format eq 'bibtex') {
- $output .= marc2bibtex($record, $biblionumber);
+ $output = marc2csv(\@biblios, $format);
+
+ # Other formats
+ } else {
+ foreach my $biblio (@$items) {
+ my $biblionumber = $biblio->{biblionumber};
+
+ my $record = GetMarcBiblio($biblionumber, 1);
+ next unless $record;
+
+ if ($format eq 'iso2709') {
+ $output .= $record->as_usmarc();
+ }
+ elsif ($format eq 'ris' ) {
+ $output .= marc2ris($record);
+ }
+ elsif ($format eq 'bibtex') {
+ $output .= marc2bibtex($record, $biblionumber);
+ }
}
}
- }
- # If it was a CSV export we change the format after the export so the file extension is fine
- $format = "csv" if ($format =~ m/^\d+$/);
+ # If it was a CSV export we change the format after the export so the file extension is fine
+ $format = "csv" if ($format =~ m/^\d+$/);
+
+ print $query->header(
+ -type => 'application/octet-stream',
+ -'Content-Transfer-Encoding' => 'binary',
+ -attachment=>"shelf.$format");
+ print $output;
- print $query->header(
- -type => 'application/octet-stream',
- -'Content-Transfer-Encoding' => 'binary',
- -attachment=>"shelf.$format");
- print $output;
+ } else {
+ $template->param(csv_profiles => GetCsvProfilesLoop());
+ $template->param(shelfid => $shelfid);
+ output_html_with_http_headers $query, $cookie, $template->output;
+ }
} else {
- $template->param(csv_profiles => GetCsvProfilesLoop());
- $template->param(shelfid => $shelfid);
+ $template->param(invalidlist => 1);
output_html_with_http_headers $query, $cookie, $template->output;
-}
+}
\ No newline at end of file
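Review bot: `$format` comes straight from the request and reaches the Content-Disposition filename on the new `-attachment=>"shelf.$format"` line without ever being matched against the formats the script handles; for any value other than `iso2709`, `ris`, `bibtex` or a run of digits the `else` branch appends nothing, so the client receives an empty attachment with a caller-chosen extension, and whether CRLF in that value is neutralised depends on the installed CGI.pm. An allow-list at the top of the `if ($shelfid && $format)` branch closes both, e.g. `unless ( $format =~ /\A(?:iso2709|ris|bibtex|\d+)\z/ ) { $template->param(invalidlist => 1); output_html_with_http_headers $query, $cookie, $template->output; exit; }`. Separately, when the page is opened with no `shelfid` the new `ShelfPossibleAction(...)` call receives undef as the shelf; what it returns in that case is not visible here, so the `$shelfid` presence test should probably run before the permission call rather than inside it.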
diff --git a/opac/opac-sendshelf.pl b/opac/opac-sendshelf.pl
index 6a376c4..e3798f8 100755
--- a/opac/opac-sendshelf.pl
+++ b/opac/opac-sendshelf.pl
@@ -51,6 +51,8 @@ my $email = $query->param('email');
my $dbh = C4::Context->dbh;
+if ( ShelfPossibleAction( (defined($borrowernumber) ? $borrowernumber : -1), $shelfid, 'view' ) ) {
+
if ( $email ) {
my $email_from = C4::Context->preference('KohaAdminEmailAddress');
my $comment = $query->param('comment');
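Review bot: The `-1` passed as borrowernumber on the new `if ( ShelfPossibleAction(...) )` line is an unexplained sentinel, repeated verbatim in opac-downloadshelf.pl, and a reader cannot tell from either script whether ShelfPossibleAction treats it as "no user" or as a real (nonexistent) borrower. A one-line comment above the check would make the intent explicit, e.g. `# anonymous session: pass -1 so only lists ShelfPossibleAction considers viewable by anyone pass — confirm against C4::VirtualShelves`. Note that this `if` is opened here but not closed within this hunk; its closing brace and `else` branch arrive in the following hunk, and the `if ( $email )` block below it also runs past the hunk.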
@@ -177,3 +179,10 @@ END_OF_BODY
);
output_html_with_http_headers $query, $cookie, $template->output;
}
+
+} else {
+ $template->param( invalidlist => 1,
+ url => "/cgi-bin/koha/opac-sendshelf.pl",
+ );
+ output_html_with_http_headers $query, $cookie, $template->output;
+}
\ No newline at end of file
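Review bot: The `}` and `else` added here close an `if` opened roughly 120 lines earlier, with the original body left at its original column, so the file now has a whole branch whose code is indented as if it were top level; the next reader will not see that the email path is conditional. Because the `else` only renders the `invalidlist` page and the script ends right after, a guard clause at the top of the script is behaviourally identical and keeps the existing code untouched and correctly indented (the check would move to where the first hunk put it). The file is also left without a trailing newline, as the `\ No newline at end of file` marker shows.
```perl
unless ( ShelfPossibleAction( (defined($borrowernumber) ? $borrowernumber : -1), $shelfid, 'view' ) ) {
    $template->param( invalidlist => 1,
                      url         => "/cgi-bin/koha/opac-sendshelf.pl",
    );
    output_html_with_http_headers $query, $cookie, $template->output;
    exit;
}
# … unchanged: existing if ( $email ) { ... } else { ... } body, no longer wrapped …
```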
--
1.7.3