Bug 25898: Prohibit indirect object notation

[srvgit] / admin / additional-fields.pl

diff --git a/admin/additional-fields.pl b/admin/additional-fields.pl
index be85381..e124878 100755 (executable)
--- a/admin/additional-fields.pl
+++ b/admin/additional-fields.pl
@@ -21,23 +21,31 @@ use CGI;
 use C4::Auth;
 use C4::Koha;
 use C4::Output;
-use Koha::AdditionalField;
+use Koha::AdditionalFields;
 
-my $input = new CGI;
+my $input = CGI->new;
+
+my %flagsrequired;
+$flagsrequired{parameters} = 'manage_additional_fields';
+
+my $tablename = $input->param('tablename');
+my $op = $input->param('op') // ( $tablename ? 'list' : 'list_tables' );
+
+if( $op ne 'list_tables' ){
+    $flagsrequired{acquisition} = 'order_manage' if $tablename eq 'aqbasket';
+    $flagsrequired{serials} = 'edit_subscription' if $tablename eq 'subscription';
+}
 
 my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
     {
         template_name   => "admin/additional-fields.tt",
         query           => $input,
         type            => "intranet",
-        authnotrequired => 0,
-        flagsrequired   => { parameters => 1 },
+        flagsrequired   => \%flagsrequired,
         debug           => 1,
     }
 );
 
-my $tablename = $input->param('tablename');
-my $op = $input->param('op') // ( $tablename ? 'list' : 'list_tables' );
 my $field_id = $input->param('field_id');
 my @messages;
 
@@ -49,14 +57,14 @@ if ( $op eq 'add' ) {
     if ( $field_id and $name ) {
         my $updated = 0;
         eval {
-            my $af = Koha::AdditionalField->new({
-                id => $field_id,
+            my $af = Koha::AdditionalFields->find($field_id);
+            $af->set({
                 name => $name,
                 authorised_value_category => $authorised_value_category,
                 marcfield => $marcfield,
                 searchable => $searchable,
             });
-            $updated = $af->update;
+            $updated = $af->store ? 1 : 0;
         };
         push @messages, {
             code => 'update',
@@ -72,7 +80,7 @@ if ( $op eq 'add' ) {
                 marcfield => $marcfield,
                 searchable => $searchable,
             });
-            $inserted = $af->insert;
+            $inserted = $af->store ? 1 : 0;
         };
         push @messages, {
             code => 'insert',
@@ -90,9 +98,8 @@ if ( $op eq 'add' ) {
 if ( $op eq 'delete' ) {
     my $deleted = 0;
     eval {
-        my $af = Koha::AdditionalField->new( { id => $field_id } );
+        my $af = Koha::AdditionalFields->find($field_id);
         $deleted = $af->delete;
-        $deleted = 0 if $deleted eq '0E0';
     };
     push @messages, {
         code => 'delete',
@@ -104,10 +111,10 @@ if ( $op eq 'delete' ) {
 if ( $op eq 'add_form' ) {
     my $field;
     if ( $field_id ) {
-        $field = Koha::AdditionalField->new( { id => $field_id } )->fetch;
+        $field = Koha::AdditionalFields->find($field_id);
     }
 
-    $tablename = $field->{tablename};
+    $tablename = $field->tablename if $field;
 
     $template->param(
         field => $field,
@@ -115,7 +122,7 @@ if ( $op eq 'add_form' ) {
 }
 
 if ( $op eq 'list' ) {
-    my $fields = Koha::AdditionalField->all( { tablename => $tablename } );
+    my $fields = Koha::AdditionalFields->search( { tablename => $tablename } );
     $template->param( fields => $fields );
 }