use CGI;
-use C4::Auth;
-use C4::Output;
+use C4::Auth qw( get_template_and_user );
+use C4::Output qw( output_and_exit output_html_with_http_headers );
use Koha::ApiKeys;
use Koha::Patrons;
use Koha::Token;
-my $cgi = new CGI;
+my $cgi = CGI->new;
my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
{ template_name => 'members/apikeys.tt',
query => $cgi,
type => 'intranet',
- authnotrequired => 0,
flagsrequired => { borrowers => 'edit_borrowers' },
}
);
exit;
}
+if( $patron_id != $loggedinuser && !C4::Context->IsSuperLibrarian() ) {
+ # not the owner of the account viewing/editing own API keys, nor superlibrarian -> exit
+ print $cgi->redirect("/cgi-bin/koha/errors/403.pl"); # escape early
+ exit;
+}
+
my $op = $cgi->param('op') // '';
if ( $op eq 'generate' or
$op eq 'revoke' or
$op eq 'activate' ) {
- die "Wrong CSRF token"
- unless Koha::Token->new->check_csrf({
- session_id => scalar $cgi->cookie('CGISESSID'),
- token => scalar $cgi->param('csrf_token'),
- });
+ output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
+ unless Koha::Token->new->check_csrf({
+ session_id => scalar $cgi->cookie('CGISESSID'),
+ token => scalar $cgi->param('csrf_token'),
+ });
}
if ($op) {
}
);
$api_key->store;
- print $cgi->redirect( '/cgi-bin/koha/members/apikeys.pl?patron_id=' . $patron_id );
- exit;
+
+ $template->param(
+ fresh_api_key => $api_key,
+ api_keys => Koha::ApiKeys->search({ patron_id => $patron_id }),
+ );
}
if ( $op eq 'delete' ) {
}
}
-my @api_keys = Koha::ApiKeys->search({ patron_id => $patron_id });
-
$template->param(
- api_keys => \@api_keys,
+ api_keys => Koha::ApiKeys->search({ patron_id => $patron_id }),
csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $cgi->cookie('CGISESSID') }),
patron => $patron
);