Bug 31028: Add catalog concern management page to staff

[koha-ffzg.git] / members / apikeys.pl

diff --git a/members/apikeys.pl b/members/apikeys.pl
index 619fc30..5f1cd27 100755 (executable)
--- a/members/apikeys.pl
+++ b/members/apikeys.pl
@@ -21,14 +21,14 @@ use Modern::Perl;
 
 use CGI;
 
-use C4::Auth;
-use C4::Output;
+use C4::Auth qw( get_template_and_user );
+use C4::Output qw( output_and_exit output_html_with_http_headers );
 
 use Koha::ApiKeys;
 use Koha::Patrons;
 use Koha::Token;
 
-my $cgi = new CGI;
+my $cgi = CGI->new;
 
 my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
     {   template_name   => 'members/apikeys.tt',
@@ -52,6 +52,12 @@ if ( not defined $patron or
     exit;
 }
 
+if( $patron_id != $loggedinuser && !C4::Context->IsSuperLibrarian() ) {
+    # not the owner of the account viewing/editing own API keys, nor superlibrarian -> exit
+    print $cgi->redirect("/cgi-bin/koha/errors/403.pl"); # escape early
+    exit;
+}
+
 my $op = $cgi->param('op') // '';
 
 if ( $op eq 'generate' or
@@ -75,8 +81,11 @@ if ($op) {
             }
         );
         $api_key->store;
-        print $cgi->redirect( '/cgi-bin/koha/members/apikeys.pl?patron_id=' . $patron_id );
-        exit;
+
+        $template->param(
+            fresh_api_key => $api_key,
+            api_keys      => Koha::ApiKeys->search({ patron_id => $patron_id }),
+        );
     }
 
     if ( $op eq 'delete' ) {
@@ -112,10 +121,8 @@ if ($op) {
     }
 }
 
-my @api_keys = Koha::ApiKeys->search({ patron_id => $patron_id });
-
 $template->param(
-    api_keys   => \@api_keys,
+    api_keys   => Koha::ApiKeys->search({ patron_id => $patron_id }),
     csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $cgi->cookie('CGISESSID') }),
     patron     => $patron
 );