Bug 24878: Add authentication checks to the calendar tool
author    Jonathan Druart <jonathan.druart@bugs.koha-community.org>
          Mon, 16 Mar 2020 15:26:48 +0000 (16:26 +0100)
committer Hayley Mapley <hayleymapley@catalyst.net.nz>
          Tue, 24 Mar 2020 01:14:17 +0000 (14:14 +1300)
There is a security hole in 2 scripts that are used by the UI to edit
holidays.

To test:
1) Go to Tools -> Calendar, for Centerville
   Check no holiday for 30/4/2020
2) To add a new holiday without login execute
   a curl command with necessary parameters
3) Reload page from 1), verify the new holiday
   edit and delete the holiday
4) Apply the patch
5) Do 2) again, this time you get a lengthy output,
   with the magic words:

   <title>Koha &rsaquo;
       Log in to Koha
   </title>

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Only tested newHoliday but the fix is the same.
No errors

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Joy Nelson <joy@bywatersolutions.com>
(cherry picked from commit 656e7814b34d07534fa3a044f9cc7a8f4f4feea6)

Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
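
The test plan's steps 2) and 5) can be scripted so the check is repeatable after the patch lands. The following is an added example, not code from the commit or from the Koha project. It assumes the staff client is reachable at the URL in `$KOHA_INTRANET_URL`, that `curl` is installed, and that `CPL` is the branchcode of Centerville (the Koha sample data value; adjust if yours differs). It sends only the parameter names that are visible in the two hunks; that is enough for a negative test, because the `checkauth` call is placed before any parameter is read, so an unauthenticated request must be refused regardless of what follows.

```shell
#!/bin/sh
# Added example (not part of the Koha commit): automates steps 2) and 5) of the
# test plan. It POSTs to the two patched scripts with no session cookie and
# passes only if both answer with the login page.
# Assumptions: $KOHA_INTRANET_URL points at the staff client
# (e.g. http://localhost:8081); "CPL" is Centerville's branchcode (sample
# data); only the parameter names visible in the hunks are sent, which is
# enough because checkauth() runs before any parameter is read.

# Succeeds (exit 0) when the body is the login page, i.e. it carries the
# <title> shown in step 5) of the test plan, possibly split across lines.
is_login_page() {
    printf '%s' "$1" | tr -d '\n' | grep -q '<title>[^<]*Log in to Koha[^<]*</title>'
}

# POSTs $2 (url-encoded form data) to /cgi-bin/koha/$1 without a cookie and
# reports whether the request was refused. Exit 0 = refused (good).
check_unauthenticated() {
    body=$(curl -sL --data "$2" "$KOHA_INTRANET_URL/cgi-bin/koha/$1")
    if is_login_page "$body"; then
        echo "OK    $1: unauthenticated request got the login page"
        return 0
    fi
    echo "FAIL  $1: unauthenticated request was not refused"
    return 1
}

# Contact an instance only when one is configured; otherwise do nothing
# network-related so the helper functions can be exercised offline.
if [ -n "${KOHA_INTRANET_URL:-}" ]; then
    rc=0
    check_unauthenticated tools/newHolidays.pl \
        'newBranchName=CPL&newWeekday=' || rc=1
    check_unauthenticated tools/exceptionHolidays.pl \
        'showBranchName=CPL&showWeekday=&showDay=30' || rc=1
    exit $rc
else
    echo "KOHA_INTRANET_URL not set; skipping the live check"
fi
```

Before the patch both `check_unauthenticated` calls report FAIL, since the scripts process the request and return something other than the login page; after it, both report OK. The title check collapses newlines first because, as step 5) shows, the template splits the `<title>` element over three lines.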

tools/exceptionHolidays.pl
tools/newHolidays.pl

index 90b17bc..1f3b967 100755 (executable)
@@ -14,6 +14,9 @@ use Koha::DateUtils;
 my $input = new CGI;
 my $dbh = C4::Context->dbh();
 
+checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet');
+
+
 my $branchcode = $input->param('showBranchName');
 my $weekday = $input->param('showWeekday');
 my $day = $input->param('showDay');
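Review bot: the context of this hunk starts at `use Koha::DateUtils;` and does not show a `use C4::Auth qw(checkauth)` (or equivalent) import, so please confirm tools/exceptionHolidays.pl already imports `checkauth`; otherwise the bare call dies at compile time and the script breaks for every caller rather than gating them. The return values of `checkauth` (`$userid`, `$cookie`, `$sessionID`, `$flags`) are discarded, which is acceptable only because `checkauth` renders the login page and exits itself on failure, as step 5) of the test plan relies on. Two minor points: the check is really authentication plus authorization (the `{tools => 'edit_calendar'}` flag), so the commit title undersells it, and this hunk adds two blank lines after the call where the newHolidays.pl hunk adds one.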
index a161eaf..f13e524 100755 (executable)
@@ -33,6 +33,8 @@ use Koha::DateUtils;
 my $input               = new CGI;
 my $dbh                 = C4::Context->dbh();
 
+checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet');
+
 our $branchcode          = $input->param('newBranchName');
 my $originalbranchcode  = $branchcode;
 our $weekday             = $input->param('newWeekday');
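Review bot: `checkauth` here only requires a staff session that holds `edit_calendar`; nothing in this hunk validates a CSRF token before `newBranchName`, `newWeekday` and the following parameters are read, so the same curl-style request from the test plan, if triggered from a page a logged-in staff user visits, would still go through. That is outside the scope of Bug 24878 but worth a follow-up bug. As in the other file, the hunk context does not show the `C4::Auth` import, so confirm it is present rather than relying on it having been pulled in transitively.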