Bug 14440: get_template_and_user can not have an empty template_name (quote*_ajax.pl)
authorJonathan Druart <jonathan.druart@koha-community.org>
Wed, 24 Jun 2015 09:03:22 +0000 (11:03 +0200)
committerMason James <mtj@kohaaloha.com>
Sat, 25 Jul 2015 13:20:07 +0000 (01:20 +1200)
This patch uses check_api_auth instead of get_template_and_user.

Test plan:
Confirm that you are still able to access the quote editor with the
edit_quotes permission.
Confirm that you are not if you don't have the permission.

wget your_url/cgi-bin/koha/tools/quotes/quotes_ajax.pl
should return "403 : Forbidden."

Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>

tools/quotes/quotes-upload_ajax.pl
tools/quotes/quotes_ajax.pl

index d2817d3..753d4be 100755 (executable)
@@ -32,16 +32,12 @@ use C4::Output;
 my $cgi = new CGI;
 my $dbh = C4::Context->dbh;
 
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
-    {
-        template_name   => "",
-        query           => $cgi,
-        type            => "intranet",
-        authnotrequired => 0,
-        flagsrequired   => { tools => 'edit_quotes' },
-        debug           => 1,
-    }
-);
+my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { tools => 'edit_quotes' } );
+unless ($status eq "ok") {
+    print $cgi->header(-type => 'application/json', -status => '403 Forbidden');
+    print to_json({ auth_status => $status });
+    exit 0;
+}
 
 my $success = 'true';
 
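Review bot: The 403 branch's `print to_json({ auth_status => $status });` depends on `to_json` being imported from JSON, and the hunk's context does not show the file's `use` lines; if it is not in scope, the failure path dies under strict after the header has already been printed, leaving a truncated response rather than the intended JSON body, so confirm `use JSON;` (or the equivalent export) is present above the hunk. The same applies to the identical block in tools/quotes/quotes_ajax.pl. On the new side `$sessionID` is assigned but never read within the hunk; unless it is used further down the script, `my ( $status, $cookie ) = C4::Auth::check_api_auth( $cgi, { tools => 'edit_quotes' } );` avoids the unused lexical. I would also add a one-line comment above the `unless` stating why the early exit returns JSON rather than a redirect, e.g. `# AJAX endpoint: report auth failure as JSON + 403 instead of bouncing to the login page`. The rest of the script continues outside the hunk, so whether `$cookie` or `exit 0` interact with the remainder (or a persistent-server wrapper) cannot be judged from here.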
index 5f44a7e..3145a8f 100755 (executable)
@@ -31,16 +31,12 @@ my $cgi = CGI->new;
 my $dbh = C4::Context->dbh;
 my $sort_columns = ["id", "source", "text", "timestamp"];
 
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
-    {
-        template_name   => "",
-        query           => $cgi,
-        type            => "intranet",
-        authnotrequired => 0,
-        flagsrequired   => { tools => 'edit_quotes' },
-        debug           => 1,
-    }
-);
+my ( $status, $cookie, $sessionID ) = C4::Auth::check_api_auth( $cgi, { tools => 'edit_quotes' } );
+unless ($status eq "ok") {
+    print $cgi->header(-type => 'application/json', -status => '403 Forbidden');
+    print to_json({ auth_status => $status });
+    exit 0;
+}
 
 # NOTE: This is a collection of ajax functions for use with tools/quotes.pl