projects / koha.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 36f1fb6)
Bug 3280 Restrict Send basket feature
authorFrère Sébastien Marie <semarie-koha@latrappe.fr>
Mon, 5 Dec 2011 09:11:46 +0000 (10:11 +0100)
committerPaul Poulain <paul.poulain@biblibre.com>
Fri, 29 Jun 2012 14:23:30 +0000 (16:23 +0200)
In order to prevent spamming using sendbasket.pl, some counter-measure are done:
 - permit send basket only for authenticated user
 - permit send basket only if basket contains items
 - use username & email for 'Reply-To' field (with fallback to KohaAdminEmailAddress)
 - add field X-Orig-IP with IP of sender
 - add field X-Abuse-Report with KohaAdminEmailAddress

Note: we don't use forged 'To' address with patron email in order to
prevent be marked as spam (by SPF for example).

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
opac/opac-sendbasket.pl patch | blob | history

diff --git a/opac/opac-sendbasket.pl b/opac/opac-sendbasket.pl
index 7787217..9b2484d 100755 (executable)
--- a/opac/opac-sendbasket.pl
+++ b/opac/opac-sendbasket.pl
@@ -54,11 +54,19 @@ my $email_sender = $query->param('email_sender');
 my $dbh          = C4::Context->dbh;
 
 if ( $email_add ) {
+    my $user = GetMember(borrowernumber => $borrowernumber);
+    my $user_email = GetFirstValidEmailAddress($borrowernumber)
+    || C4::Context->preference('KohaAdminEmailAddress');
+
     my $email_from = C4::Context->preference('KohaAdminEmailAddress');
+    my $email_replyto = "$user->{firstname} $user->{surname} <$user_email>";
     my $comment    = $query->param('comment');
     my %mail = (
         To   => $email_add,
-        From => $email_from
+        From => $email_from,
+    'Reply-To' => $email_replyto,
+    'X-Orig-IP' => $ENV{'REMOTE_ADDR'},
+    'X-Abuse-Report' => C4::Context->preference('KohaAdminEmailAddress'),
     );
 
     my ( $template2, $borrowernumber, $cookie ) = get_template_and_user(
@@ -66,7 +74,7 @@ if ( $email_add ) {
             template_name   => "opac-sendbasket.tmpl",
             query           => $query,
             type            => "opac",
-            authnotrequired => 1,
+            authnotrequired => 0,
             flagsrequired   => { borrow => 1 },
         }
     );
@@ -106,8 +114,6 @@ if ( $email_add ) {
 
     my $resultsarray = \@results;
     
-    my $user = GetMember(borrowernumber => $borrowernumber); 
-    
     $template2->param(
         BIBLIO_RESULTS => $resultsarray,
         email_sender   => $email_sender,
@@ -162,14 +168,15 @@ $isofile
 $boundary--
 END_OF_BODY
 
-    # Sending mail
-    if ( sendmail %mail ) {
-        # do something if it works....
+    # Sending mail (if not empty basket)
+    if ( defined($iso2709) && sendmail %mail ) {
+    # do something if it works....
         $template->param( SENT      => "1" );
     }
     else {
         # do something if it doesnt work....
-        carp "Error sending mail: $Mail::Sendmail::error \n";
+    carp "Error sending mail: empty basket" if !defined($iso2709);
+        carp "Error sending mail: $Mail::Sendmail::error" if $Mail::Sendmail::error;
         $template->param( error => 1 );
     }
     $template->param( email_add => $email_add );
Koha ILS @ FFZG - based on git://git.koha.org/pub/scm/koha.git