[Koha-patches] [PATCH] Fix for Bug 3140 - It is possible to email someone else's private list

Owen Leonard oleonard at myacpl.org
Tue May 17 17:24:18 CEST 2011


Adding a check for ShelfPossibleAction("view") to make sure the logged-in
user has permission to view the selected list before it can be downloaded
or emailed.
---
 .../prog/en/modules/opac-downloadshelf.tt          |   51 +++++++-----
 .../prog/en/modules/opac-sendshelfform.tt          |   41 +++++----
 opac/opac-downloadshelf.pl                         |   85 +++++++++++---------
 opac/opac-sendshelf.pl                             |    9 ++
 4 files changed, 108 insertions(+), 78 deletions(-)

diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt
index 0b2124f..608c955 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-downloadshelf.tt
@@ -7,29 +7,38 @@
 </script>
 </head>
 <body id="opac-downloadlist" style="padding:1em;">
-<div id="userdownloadshelf" class="container">[% IF ( format ) %]
-    <p>Your download should begin automatically.</p>
-[% ELSE %]
-<form method="post" action="/cgi-bin/koha/opac-downloadshelf.pl">
-<fieldset class="rows">
-	<ol><li><label for="format">Download list:</label>
-        <select name="format" id="format">
-	    <option value="">-- Choose Format --</option>
-	    <option value="iso2709">iso2709</option>
-	    <option value="ris">RIS</option>
-	    <option value="bibtex">BibTex</option>
-	    [% FOREACH csv_profile IN csv_profiles %]
-	    <option value="[% csv_profile.export_format_id %]">CSV - [% csv_profile.profile %]</option>
-	    [% END %]
+<div id="userdownloadshelf" class="container">
+[% UNLESS ( invalidlist ) %]
+	[% IF ( format ) %]
+	    <p>Your download should begin automatically.</p>
+	[% ELSE %]
+	<form method="post" action="/cgi-bin/koha/opac-downloadshelf.pl">
+	<fieldset class="rows">
+		<ol><li><label for="format">Download list:</label>
+	        <select name="format" id="format">
+		    <option value="">-- Choose Format --</option>
+		    <option value="iso2709">iso2709</option>
+		    <option value="ris">RIS</option>
+		    <option value="bibtex">BibTex</option>
+		    [% FOREACH csv_profile IN csv_profiles %]
+		    <option value="[% csv_profile.export_format_id %]">CSV - [% csv_profile.profile %]</option>
+		    [% END %]
 
-	</select></li></ol>
-</fieldset>
-<fieldset class="action">	<input type="hidden" name="shelfid" value="[% shelfid %]" />
-	<input type="submit" name="save" value="Go" /></fieldset>
-    </form>
+		</select></li></ol>
+	</fieldset>
+	<fieldset class="action">	<input type="hidden" name="shelfid" value="[% shelfid %]" />
+		<input type="submit" name="save" value="Go" /></fieldset>
+	    </form>
 
-    <p><a class="button close" href="/cgi-bin/koha/opac-shelves.pl">Back to lists</a></p>
+	    <p><a class="button close" href="/cgi-bin/koha/opac-shelves.pl">Back to lists</a></p>
 
-[% END %]</div>
+	[% END %]
+[% ELSE %]
+	<div class="dialog alert">
+		<p>You do not have permission to download this list.</p>
+	</div>
+	<p><a class="button close" href="/cgi-bin/koha/opac-shelves.pl">Back to lists</a></p>
+[% END %]
+</div>
 </body>
 </html>
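Review bot: The hidden field `<input type="hidden" name="shelfid" value="[% shelfid %]" />` (re-indented here, not newly added) still emits `shelfid` without an escaping filter, and the value originates from the request parameter in opac-downloadshelf.pl. On the new side it is only placed in the template after ShelfPossibleAction has accepted that id, which presumably limits it to existing list ids, but nothing visible here guarantees the value is numeric. Escaping it costs nothing: `<input type="hidden" name="shelfid" value="[% shelfid | html %]" />`. The same applies to the denied branch added below if `shelfid` is ever echoed there.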
diff --git a/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt b/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt
index 88b084e..1085ae0 100644
--- a/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt
+++ b/koha-tmpl/opac-tmpl/prog/en/modules/opac-sendshelfform.tt
@@ -20,25 +20,30 @@
     [% END %]
     
 [% ELSE %]
+    [% IF ( invalidlist ) %]
+        <div class="dialog alert">
+        <p>You do not have permission to send this list.</p>
+        </div>
+        <p><a class="button close" href="/cgi-bin/koha/opac-shelves.pl">Back to lists</a></p>
+    [% ELSE %]
+        <form action="[% url %]" method="post" id="sendshelfform">
 
-<form action="[% url %]" method="post" id="sendshelfform">
-
-<fieldset class="rows"> 
-<legend>Sending your list</legend>
-<ol>   <li>
-        <label for="email">Email Address:</label>
-        <input type="text" id="email" name="email" size="43" class="focus" />
-    </li>
-    <li>
-            <label for="comment">Comment:</label>
-            <textarea id="comment" name="comment" rows="4" cols="40"></textarea>
-    </li>
-    <li>
-        <input type="hidden" name="shelfid" value="[% shelfid %]" />
-    </li></ol></fieldset>
-       <fieldset class="action"> <input type="submit" value="Send" /> <a class="cancel close" href="#">Cancel</a> </fieldset>
-</form>
-
+        <fieldset class="rows">
+        <legend>Sending your list</legend>
+        <ol>   <li>
+                <label for="email">Email Address:</label>
+                <input type="text" id="email" name="email" size="43" class="focus" />
+            </li>
+            <li>
+                    <label for="comment">Comment:</label>
+                    <textarea id="comment" name="comment" rows="4" cols="40"></textarea>
+            </li>
+            <li>
+                <input type="hidden" name="shelfid" value="[% shelfid %]" />
+            </li></ol></fieldset>
+               <fieldset class="action"> <input type="submit" value="Send" /> <a class="cancel close" href="#">Cancel</a> </fieldset>
+        </form>
+    [% END %]
 [% END %]</div>
 </body>
 </html>
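Review bot: Both attribute interpolations in the re-indented form, `action="[% url %]"` and `value="[% shelfid %]"`, go into the page unescaped. `url` is set by the script (the denied branch in opac-sendshelf.pl hard-codes it, the success path is outside this patch) and `shelfid` is the request parameter that ShelfPossibleAction accepted, so neither is obviously attacker-controlled here, but a template that trusts its variables by default is the kind that breaks when a caller changes. I would write `action="[% url | html %]"` and `value="[% shelfid | html %]"`. The enclosing `[% ELSE %]` block starts before this hunk.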
diff --git a/opac/opac-downloadshelf.pl b/opac/opac-downloadshelf.pl
index ee9b0b1..1057a16 100755
--- a/opac/opac-downloadshelf.pl
+++ b/opac/opac-downloadshelf.pl
@@ -48,52 +48,59 @@ my $shelfid = $query->param('shelfid');
 my $format  = $query->param('format');
 my $dbh     = C4::Context->dbh;
 
-if ($shelfid && $format) {
-
-    my @shelf               = GetShelf($shelfid);
-    my ($items, $totitems)  = GetShelfContents($shelfid);
-    my $marcflavour         = C4::Context->preference('marcflavour');
-    my $output;
-
-   # CSV 
-    if ($format =~ /^\d+$/) {
-        my @biblios;
-        foreach (@$items) {
-            push @biblios, $_->{biblionumber};
-        }
-        $output = marc2csv(\@biblios, $format);
-            
-    # Other formats
-    } else {
-        foreach my $biblio (@$items) {
-            my $biblionumber = $biblio->{biblionumber};
+if ( ShelfPossibleAction( (defined($borrowernumber) ? $borrowernumber : -1), $shelfid, 'view' ) ) {
 
-            my $record = GetMarcBiblio($biblionumber, 1);
-            next unless $record;
+    if ($shelfid && $format) {
 
-            if ($format eq 'iso2709') {
-                $output .= $record->as_usmarc();
-            }
-            elsif ($format eq 'ris' ) {
-                $output .= marc2ris($record);
+        my @shelf               = GetShelf($shelfid);
+        my ($items, $totitems)  = GetShelfContents($shelfid);
+        my $marcflavour         = C4::Context->preference('marcflavour');
+        my $output;
+
+       # CSV
+        if ($format =~ /^\d+$/) {
+            my @biblios;
+            foreach (@$items) {
+                push @biblios, $_->{biblionumber};
             }
-            elsif ($format eq 'bibtex') {
-                $output .= marc2bibtex($record, $biblionumber);
+            $output = marc2csv(\@biblios, $format);
+                
+        # Other formats
+        } else {
+            foreach my $biblio (@$items) {
+                my $biblionumber = $biblio->{biblionumber};
+
+                my $record = GetMarcBiblio($biblionumber, 1);
+                next unless $record;
+
+                if ($format eq 'iso2709') {
+                    $output .= $record->as_usmarc();
+                }
+                elsif ($format eq 'ris' ) {
+                    $output .= marc2ris($record);
+                }
+                elsif ($format eq 'bibtex') {
+                    $output .= marc2bibtex($record, $biblionumber);
+                }
             }
         }
-    }
 
-    # If it was a CSV export we change the format after the export so the file extension is fine
-    $format = "csv" if ($format =~ m/^\d+$/);
+        # If it was a CSV export we change the format after the export so the file extension is fine
+        $format = "csv" if ($format =~ m/^\d+$/);
+
+        print $query->header(
+    	-type => 'application/octet-stream',
+    	-'Content-Transfer-Encoding' => 'binary',
+    	-attachment=>"shelf.$format");
+        print $output;
 
-    print $query->header(
-	-type => 'application/octet-stream',
-	-'Content-Transfer-Encoding' => 'binary',
-	-attachment=>"shelf.$format");
-    print $output;
+    } else {
+        $template->param(csv_profiles => GetCsvProfilesLoop());
+        $template->param(shelfid => $shelfid); 
+        output_html_with_http_headers $query, $cookie, $template->output;
+    }
 
 } else {
-    $template->param(csv_profiles => GetCsvProfilesLoop());
-    $template->param(shelfid => $shelfid); 
+    $template->param(invalidlist => 1); 
     output_html_with_http_headers $query, $cookie, $template->output;
-}
+}
\ No newline at end of file
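Review bot: `$format` is still taken straight from the request and, after the CSV rewrite on the `$format = "csv"` line, interpolated into the response header at `-attachment=>"shelf.$format"` with no allow-list: a value that is neither numeric nor `iso2709`/`ris`/`bibtex` falls through every branch, leaves `$output` undef (so `print $output` warns), and builds the Content-Disposition filename from the raw string. Even if CGI::header strips CRLF from header values (not verifiable from here), the filename should come from a fixed set, e.g. `my $format_ok = defined($format) && $format =~ /^(?:\d+|iso2709|ris|bibtex)$/;` and `if ($shelfid && $format_ok) {` in place of the current condition, plus `my $output = '';` so an empty list downloads as an empty file rather than an undef. Note also that ShelfPossibleAction is now called with whatever `$shelfid` is, including undef when the parameter is absent; `$borrowernumber`, `$template` and `$cookie` are defined before this hunk.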
diff --git a/opac/opac-sendshelf.pl b/opac/opac-sendshelf.pl
index 6a376c4..e3798f8 100755
--- a/opac/opac-sendshelf.pl
+++ b/opac/opac-sendshelf.pl
@@ -51,6 +51,8 @@ my $email   = $query->param('email');
 
 my $dbh          = C4::Context->dbh;
 
+if ( ShelfPossibleAction( (defined($borrowernumber) ? $borrowernumber : -1), $shelfid, 'view' ) ) {
+
 if ( $email ) {
     my $email_from = C4::Context->preference('KohaAdminEmailAddress');
     my $comment    = $query->param('comment');
@@ -177,3 +179,10 @@ END_OF_BODY
                     );
     output_html_with_http_headers $query, $cookie, $template->output;
 }
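Review bot: The new `if ( ShelfPossibleAction( ... ) ) {` wraps the existing `if ( $email ) {` block without re-indenting it, so the nesting is invisible until the matching `} else {` at the bottom of the file; opac-downloadshelf.pl in the same patch re-indents its body, and this file should match. The `-1` stand-in for an anonymous visitor is also duplicated verbatim between the two scripts with nothing saying what it means; give it a name and a comment where it is computed, e.g. `my $viewer = defined($borrowernumber) ? $borrowernumber : -1;  # -1: no logged-in borrower (presumably only public lists pass)` and then `if ( ShelfPossibleAction( $viewer, $shelfid, 'view' ) ) {`. The `$email` block this wraps runs past the end of the hunk.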
+
+} else {
+    $template->param( invalidlist => 1,
+                      url     => "/cgi-bin/koha/opac-sendshelf.pl",
+    );
+    output_html_with_http_headers $query, $cookie, $template->output;
+}
\ No newline at end of file
-- 
1.7.3


