Bug 24878: Add authentication checks to the calendar tool

There is a security hole in 2 scripts that are used by the UI to edit
holidays.

To test:
1) Go to Tools -> Calendar, for Centerville
   Check no holiday for 30/4/2020
2) To add a new holiday without login execute
   a curl command with necessary parameters
3) Reload page from 1), verify the new holiday
   edit and delete the holiday
4) Apply the patch
5) Do 2) again, this time you get a lengthy output,
   with the magic words:

   <title>Koha &rsaquo;
       Log in to Koha
   </title>

Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

diff --git a/tools/exceptionHolidays.pl b/tools/exceptionHolidays.pl
index 90b17bc..1f3b967 100755 (executable)
--- a/tools/exceptionHolidays.pl
+++ b/tools/exceptionHolidays.pl
@@ -14,6 +14,9 @@ use Koha::DateUtils;
 my $input = new CGI;
 my $dbh = C4::Context->dbh();
 
+checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet');
+
+
 my $branchcode = $input->param('showBranchName');
 my $weekday = $input->param('showWeekday');
 my $day = $input->param('showDay');

diff --git a/tools/newHolidays.pl b/tools/newHolidays.pl
index a161eaf..f13e524 100755 (executable)
--- a/tools/newHolidays.pl
+++ b/tools/newHolidays.pl
@@ -33,6 +33,8 @@ use Koha::DateUtils;
 my $input               = new CGI;
 my $dbh                 = C4::Context->dbh();
 
+checkauth($input, 0, {tools=> 'edit_calendar'}, 'intranet');
+
 our $branchcode          = $input->param('newBranchName');
 my $originalbranchcode  = $branchcode;
 our $weekday             = $input->param('newWeekday');