Bug 31028: Add catalog concern management page to staff

[koha-ffzg.git] / members / apikeys.pl

diff --git a/members/apikeys.pl b/members/apikeys.pl
index fda98ed..5f1cd27 100755 (executable)
--- a/members/apikeys.pl
+++ b/members/apikeys.pl
@@ -1,4 +1,4 @@
-#!/usr/bin/env perl
+#!/usr/bin/perl
 
 # This file is part of Koha.
 #
@@ -21,20 +21,20 @@ use Modern::Perl;
 
 use CGI;
 
-use C4::Auth;
-use C4::Output;
+use C4::Auth qw( get_template_and_user );
+use C4::Output qw( output_and_exit output_html_with_http_headers );
 
 use Koha::ApiKeys;
 use Koha::Patrons;
+use Koha::Token;
 
-my $cgi = new CGI;
+my $cgi = CGI->new;
 
 my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
     {   template_name   => 'members/apikeys.tt',
         query           => $cgi,
         type            => 'intranet',
-        authnotrequired => 0,
-        flagsrequired   => { borrowers => 1 },
+        flagsrequired   => { borrowers => 'edit_borrowers' },
     }
 );
 
@@ -44,14 +44,33 @@ my $api_key   = $cgi->param('key')       // '';
 
 $patron = Koha::Patrons->find($patron_id) if $patron_id;
 
-if ( not defined $patron ) {
+if ( not defined $patron or
+     not C4::Context->preference('RESTOAuth2ClientCredentials') ) {
 
     # patron_id invalid -> exit
     print $cgi->redirect("/cgi-bin/koha/errors/404.pl"); # escape early
     exit;
 }
 
-my $op = $cgi->param('op');
+if( $patron_id != $loggedinuser && !C4::Context->IsSuperLibrarian() ) {
+    # not the owner of the account viewing/editing own API keys, nor superlibrarian -> exit
+    print $cgi->redirect("/cgi-bin/koha/errors/403.pl"); # escape early
+    exit;
+}
+
+my $op = $cgi->param('op') // '';
+
+if ( $op eq 'generate' or
+     $op eq 'delete' or
+     $op eq 'revoke' or
+     $op eq 'activate' ) {
+
+    output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
+        unless Koha::Token->new->check_csrf({
+            session_id => scalar $cgi->cookie('CGISESSID'),
+            token      => scalar $cgi->param('csrf_token'),
+        });
+}
 
 if ($op) {
     if ( $op eq 'generate' ) {
@@ -62,8 +81,11 @@ if ($op) {
             }
         );
         $api_key->store;
-        print $cgi->redirect( '/cgi-bin/koha/members/apikeys.pl?patron_id=' . $patron_id );
-        exit;
+
+        $template->param(
+            fresh_api_key => $api_key,
+            api_keys      => Koha::ApiKeys->search({ patron_id => $patron_id }),
+        );
     }
 
     if ( $op eq 'delete' ) {
@@ -99,11 +121,10 @@ if ($op) {
     }
 }
 
-my @api_keys = Koha::ApiKeys->search({ patron_id => $patron_id });
-
 $template->param(
-    api_keys => \@api_keys,
-    patron   => $patron
+    api_keys   => Koha::ApiKeys->search({ patron_id => $patron_id }),
+    csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $cgi->cookie('CGISESSID') }),
+    patron     => $patron
 );
 
 output_html_with_http_headers $cgi, $cookie, $template->output;