From: Liz Rea
Date: Thu, 28 Jul 2011 21:14:05 +0000 (-0500)
Subject: Bug 6641 -- Specially crafted URL can allow unauthorized download of MARC files from...
X-Git-Url: http://git.rot13.org/?a=commitdiff_plain;h=7ad49e0caebaf1537413815905f9cf37cb2a9905;hp=9d5d1f8f966baa56857987c2c741d735326ac11e;p=koha.git
Bug 6641 -- Specially crafted URL can allow unauthorized download of MARC files from staff client
Making sure permissions are checked on download of MARC files from staff client
Signed-off-by: Chris Cormack
---
diff --git a/catalogue/export.pl b/catalogue/export.pl
index 9bd49dec47..3efdb21d30 100755
--- a/catalogue/export.pl
+++ b/catalogue/export.pl
@@ -8,9 +8,19 @@ use C4::Auth;
 use C4::Output;
 use C4::Biblio;
 use CGI;
-use C4::Auth;
+
+
 my $query = new CGI;
+my ( $template, $loggedinuser, $cookie ) = get_template_and_user({
+ template_name => "tools/export.tt",
+ query => $query,
+ type => "intranet",
+ authnotrequired => 0,
+ flagsrequired => { tools => 'export_catalog' },
+ debug => 1,
+ });
+
 my $op=$query->param("op");
 my $format=$query->param("format");
 if ($op eq "export") {
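Review bot: The added `get_template_and_user` call is the only access check in this hunk and none of its return values are tested, so the fix depends on that helper ending the request itself when the session lacks `tools => 'export_catalog'`. That is presumably how C4::Auth behaves, but it should be stated at the call site, e.g. `# Auth gate only: get_template_and_user is expected to stop the request for users without tools/export_catalog; the template is not rendered here.` It is also worth confirming that the tools sub-permission, rather than a catalogue permission, is the intended requirement for a script under catalogue/, because staff who can view records but lack it will no longer be able to download them. `debug => 1` looks like a leftover and can probably be dropped. The `if ($op eq "export") {` block continues past the end of the hunk, so whether `$template` and `$cookie` are used later cannot be judged from here.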