Bug 13663: Fix permissions in upload-file.pl and upload-file-progress.pl
authorAlex Arnaud <alex.arnaud@biblibre.com>
Thu, 11 Jun 2015 08:55:35 +0000 (10:55 +0200)
committerTomas Cohen Arazi <tomascohen@unc.edu.ar>
Fri, 7 Aug 2015 18:18:44 +0000 (15:18 -0300)
Test plan:
Verify that the circulate_remaining_permissions permission is enough to
upload a .koc file.

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>

tools/upload-file-progress.pl
tools/upload-file.pl

index 072f44e..3f7d2cd 100755 (executable)
@@ -25,14 +25,29 @@ use IO::File;
 use CGI qw ( -utf8 );
 use CGI::Session;
 use C4::Context;
-use C4::Auth qw/check_cookie_auth/;
+use C4::Auth qw/check_cookie_auth haspermission/;
 use C4::UploadedFile;
 use CGI::Cookie; # need to check cookies before
                  # having CGI parse the POST request
 
+my $flags_required = [
+               {circulate => 'circulate_remaining_permissions'},
+               {tools => 'stage_marc_import'},
+               {tools => 'upload_local_cover_images'}
+];
+
 my %cookies = fetch CGI::Cookie;
-my ($auth_status, $sessionID) = check_cookie_auth($cookies{'CGISESSID'}->value, { tools => '*' });
-if ($auth_status ne "ok") {
+
+my ($auth_status, $sessionID) = check_cookie_auth($cookies{'CGISESSID'}->value);
+
+my $auth_failure = 1;
+foreach my $flag_required (@{ $flags_required}) {
+               if (my $flags = haspermission(C4::Context->config('user'), $flag_required)) {
+                               $auth_failure = 0 if $auth_status eq 'ok';
+               }
+}
+
+if ($auth_failure) {
     my $reply = CGI->new("");
     print $reply->header(-type => 'text/html');
     print '{"progress":"0"}';
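Review bot: The permission test in the added loop is evaluated for `C4::Context->config('user')`, a value read from the site configuration, not for the user who owns the CGISESSID cookie, so its result does not depend on who is logged in. Because `check_cookie_auth` is now called without a flags argument, the only per-request condition left is `$auth_status eq 'ok'`; if the configured account is the database user and haspermission treats it as privileged (not visible in this hunk, confirm in C4::Auth), every valid session passes regardless of its own permissions. Bind the check to the session instead, for example by replacing the haspermission line inside the loop with `my ($status) = check_cookie_auth($cookies{'CGISESSID'}->value, $flag_required);` followed by `$auth_failure = 0 if $status eq 'ok';`. The same loop is added to tools/upload-file.pl in the `@@ -38,9 +38,23 @@` hunk and needs the same change. A short comment above `$flags_required` stating that any one of the listed permissions is sufficient would also help the next reader.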
index cc8325a..2dd66f0 100755 (executable)
@@ -25,7 +25,7 @@ use IO::File;
 use CGI qw ( -utf8 );
 use CGI::Session;
 use C4::Context;
-use C4::Auth qw/check_cookie_auth/;
+use C4::Auth qw/check_cookie_auth haspermission/;
 use CGI::Cookie; # need to check cookies before
                  # having CGI parse the POST request
 use C4::UploadedFile;
@@ -38,9 +38,23 @@ use C4::UploadedFile;
 # requires that the session cookie already
 # have been created.
 
+my $flags_required = [
+               {circulate => 'circulate_remaining_permissions'},
+               {tools => 'stage_marc_import'},
+               {tools => 'upload_local_cover_images'}
+];
+
 my %cookies = fetch CGI::Cookie;
-my ($auth_status, $sessionID) = check_cookie_auth($cookies{'CGISESSID'}->value, { tools => '*' });
-if ($auth_status ne "ok") {
+
+my $auth_failure = 1;
+my ($auth_status, $sessionID) = check_cookie_auth($cookies{'CGISESSID'}->value);
+foreach my $flag_required (@{ $flags_required}) {
+               if (my $flags = haspermission(C4::Context->config('user'), $flag_required)) {
+                               $auth_failure = 0 if $auth_status eq 'ok';
+               }
+}
+
+if ($auth_failure) {
     $auth_status = 'denied' if $auth_status eq 'failed';
     send_reply($auth_status, "");
     exit 0;
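Review bot: In the refusal branch, a request with a valid session but none of the required permissions still has `$auth_status` equal to 'ok', and only 'failed' is remapped to 'denied', so `send_reply` is called with 'ok' even though the upload is being rejected. Before this change the branch was entered only when the status was not 'ok', so this case is new. Consider `$auth_status = 'denied' if $auth_status eq 'failed' || $auth_status eq 'ok';` ahead of the `send_reply` call. `send_reply` is defined outside this hunk, so how the client interprets the status string should be confirmed there.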