Bug 25009: Avoid leakages in opac-showmarc.pl

This patch cleans opac-showmarc.pl so it doesn't allow retrieving
records from import batches without requiring any permissions in the
OPAC.

it does so by just removing the code portion that does that.

It also cleans the record fetch operation and how the record processor
is initialized to it actually works :-D

To test:
1. Perform a successful Z39.50 search in cataloguing (this fetches 20
   records usually)
2. Query your DB for a valid import_record_id:
  $ koha-mysql kohadev
  > SELECT * FROM import_records LIMIT 1;
3. Notice some of the MARCXML details (title, author, etc), and the
   import_record_id
4. Point your browser to the opac-showmarc.pl URL like this:
   http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?importid=20
=> FAIL: You get the record! (Bonus: no field/subfield takes place)
5. Hide some obvious subfield on the framework for a known (to you)
   biblionumber
6. Point your browser to:
   http://kohadev.mydnsname.org:8080/cgi-bin/koha/opac-showmarc.pl?id=<biblionumber_here>
=> FAIL: No filtering takes place
7. Apply this patch
8. Repeat 4
=> SUCCESS: You get an error because you did a bad request (no id param)
9. Repeat 6
=> SUCCESS: Subfield filtering actually works!
10. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Joy Nelson <joy@bywatersolutions.com>
(cherry picked from commit d3ba9dc0fe423347f0e0e90b66be3ebeb7a6dec1)

Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>

diff --git a/opac/opac-showmarc.pl b/opac/opac-showmarc.pl
index 232eac5..a8b5849 100755 (executable)
--- a/opac/opac-showmarc.pl
+++ b/opac/opac-showmarc.pl
@@ -41,27 +41,36 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user({
     authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 ),
     debug           => 1,
 });
-my $biblionumber = $input->param('id');
-$biblionumber   = int($biblionumber);
-my $importid= $input->param('importid');
-my $view= $input->param('viewas') || 'marc';
 
-my $record_processor = Koha::RecordProcessor->new({ filters => 'ViewPolicy' });
+my $biblionumber = $input->param('id');
 
-my $record;
-if ($importid) {
-    my ($marc) = GetImportRecordMarc($importid);
-    $record = MARC::Record->new_from_usmarc($marc);
+unless ( $biblionumber ) {
+    print $input->redirect("/cgi-bin/koha/errors/400.pl");
+    exit;
 }
-else {
-    $record = GetMarcBiblio({ biblionumber => $biblionumber });
-    my $framework = GetFrameworkCode($biblionumber);
-    $record_processor->options({
-        interface => 'opac',
-        frameworkcode => $framework
-    });
+
+my $biblio;
+$biblio = Koha::Biblios->find( $biblionumber, { prefetch => [ 'metadata' ] } );
+
+unless ( $biblio ) {
+    print $input->redirect('/cgi-bin/koha/errors/404.pl');
+    exit;
 }
 
+my $view= $input->param('viewas') || 'marc';
+
+my $record_processor = Koha::RecordProcessor->new(
+    {
+        filters => 'ViewPolicy',
+        options => {
+            interface     => 'opac',
+            frameworkcode => $biblio->frameworkcode
+        }
+    }
+);
+
+my $record = $biblio->metadata->record;
+
 if(!ref $record) {
     print $input->redirect("/cgi-bin/koha/errors/404.pl");
     exit;