Bug 14449: Add authentication check on retrieving item info when rece…

…iving The script catalogue/getitem-ajax.pl is called by acqui/orderreceive.pl when item is receipt. There is not auth check done, this means anybody can retrieve item info. Test plan: With the acquisition => order_receive permission, try to receive an item. It should work. Signed-off-by: Chris Cormack <[email protected]> Very easy to test. Signed-off-by: Kyle M Hall <[email protected]> Signed-off-by: Tomas Cohen Arazi <[email protected]>
minusdavid · Jul 20, 2015 · ea263a2 · ea263a2
1 parent cd9a827
commit ea263a2
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/catalogue/getitem-ajax.pl b/catalogue/getitem-ajax.pl
@@ -21,13 +21,22 @@
 use CGI qw ( -utf8 );
 use JSON;
 
+use C4::Auth;
 use C4::Biblio;
 use C4::Branch;
 use C4::Items;
 use C4::Koha;
 use C4::Output;
 
 my $cgi = new CGI;
+
+my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { acquisition => 'order_receive' } );
+unless ($status eq "ok") {
+    print $cgi->header(-type => 'application/json', -status => '403 Forbidden');
+    print to_json({ auth_status => $status });
+    exit 0;
+}
+
 my $item = {};
 my $itemnumber = $cgi->param('itemnumber');