Bug 21993: Display a user-friendly message when the CSRF token is wrong

[koha.git] / members / apikeys.pl

diff --git a/members/apikeys.pl b/members/apikeys.pl
index 183483b..ffbd40d 100755 (executable)
--- a/members/apikeys.pl
+++ b/members/apikeys.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
 
 # This file is part of Koha.
 #
@@ -26,6 +26,7 @@ use C4::Output;
 
 use Koha::ApiKeys;
 use Koha::Patrons;
+use Koha::Token;
 
 my $cgi = new CGI;
 
@@ -34,7 +35,7 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
         query           => $cgi,
         type            => 'intranet',
         authnotrequired => 0,
-        flagsrequired   => { borrowers => 1 },
+        flagsrequired   => { borrowers => 'edit_borrowers' },
     }
 );
 
@@ -44,14 +45,27 @@ my $api_key   = $cgi->param('key')       // '';
 
 $patron = Koha::Patrons->find($patron_id) if $patron_id;
 
-if ( not defined $patron ) {
+if ( not defined $patron or
+     not C4::Context->preference('RESTOAuth2ClientCredentials') ) {
 
     # patron_id invalid -> exit
     print $cgi->redirect("/cgi-bin/koha/errors/404.pl"); # escape early
     exit;
 }
 
-my $op = $cgi->param('op');
+my $op = $cgi->param('op') // '';
+
+if ( $op eq 'generate' or
+     $op eq 'delete' or
+     $op eq 'revoke' or
+     $op eq 'activate' ) {
+
+    output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
+        unless Koha::Token->new->check_csrf({
+            session_id => scalar $cgi->cookie('CGISESSID'),
+            token      => scalar $cgi->param('csrf_token'),
+        });
+}
 
 if ($op) {
     if ( $op eq 'generate' ) {
@@ -67,8 +81,8 @@ if ($op) {
     }
 
     if ( $op eq 'delete' ) {
-        my $api_key = $cgi->param('key');
-        my $key = Koha::ApiKeys->find({ patron_id => $patron_id, value => $api_key });
+        my $api_key_id = $cgi->param('key');
+        my $key = Koha::ApiKeys->find({ patron_id => $patron_id, client_id => $api_key_id });
         if ($key) {
             $key->delete;
         }
@@ -77,8 +91,8 @@ if ($op) {
     }
 
     if ( $op eq 'revoke' ) {
-        my $api_key = $cgi->param('key');
-        my $key = Koha::ApiKeys->find({ patron_id => $patron_id, value => $api_key });
+        my $api_key_id = $cgi->param('key');
+        my $key = Koha::ApiKeys->find({ patron_id => $patron_id, client_id => $api_key_id });
         if ($key) {
             $key->active(0);
             $key->store;
@@ -88,8 +102,8 @@ if ($op) {
     }
 
     if ( $op eq 'activate' ) {
-        my $api_key = $cgi->param('key');
-        my $key = Koha::ApiKeys->find({ patron_id => $patron_id, value => $api_key });
+        my $api_key_id = $cgi->param('key');
+        my $key = Koha::ApiKeys->find({ patron_id => $patron_id, client_id => $api_key_id });
         if ($key) {
             $key->active(1);
             $key->store;
@@ -102,8 +116,9 @@ if ($op) {
 my @api_keys = Koha::ApiKeys->search({ patron_id => $patron_id });
 
 $template->param(
-    api_keys => \@api_keys,
-    patron   => $patron
+    api_keys   => \@api_keys,
+    csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $cgi->cookie('CGISESSID') }),
+    patron     => $patron
 );
 
 output_html_with_http_headers $cgi, $cookie, $template->output;