-#!/usr/bin/env perl
+#!/usr/bin/perl
# This file is part of Koha.
#
use Koha::ApiKeys;
use Koha::Patrons;
+use Koha::Token;
-my $cgi = new CGI;
+my $cgi = CGI->new;
my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
{ template_name => 'members/apikeys.tt',
query => $cgi,
type => 'intranet',
- authnotrequired => 0,
- flagsrequired => { borrowers => 1 },
+ flagsrequired => { borrowers => 'edit_borrowers' },
}
);
$patron = Koha::Patrons->find($patron_id) if $patron_id;
-if ( not defined $patron ) {
+if ( not defined $patron or
+ not C4::Context->preference('RESTOAuth2ClientCredentials') ) {
# patron_id invalid -> exit
print $cgi->redirect("/cgi-bin/koha/errors/404.pl"); # escape early
exit;
}
-my $op = $cgi->param('op');
+my $op = $cgi->param('op') // '';
+
+if ( $op eq 'generate' or
+ $op eq 'delete' or
+ $op eq 'revoke' or
+ $op eq 'activate' ) {
+
+ output_and_exit( $cgi, $cookie, $template, 'wrong_csrf_token' )
+ unless Koha::Token->new->check_csrf({
+ session_id => scalar $cgi->cookie('CGISESSID'),
+ token => scalar $cgi->param('csrf_token'),
+ });
+}
if ($op) {
if ( $op eq 'generate' ) {
}
if ( $op eq 'delete' ) {
- my $api_key = $cgi->param('key');
- my $key = Koha::ApiKeys->find({ patron_id => $patron_id, value => $api_key });
+ my $api_key_id = $cgi->param('key');
+ my $key = Koha::ApiKeys->find({ patron_id => $patron_id, client_id => $api_key_id });
if ($key) {
$key->delete;
}
}
if ( $op eq 'revoke' ) {
- my $api_key = $cgi->param('key');
- my $key = Koha::ApiKeys->find({ patron_id => $patron_id, value => $api_key });
+ my $api_key_id = $cgi->param('key');
+ my $key = Koha::ApiKeys->find({ patron_id => $patron_id, client_id => $api_key_id });
if ($key) {
$key->active(0);
$key->store;
}
if ( $op eq 'activate' ) {
- my $api_key = $cgi->param('key');
- my $key = Koha::ApiKeys->find({ patron_id => $patron_id, value => $api_key });
+ my $api_key_id = $cgi->param('key');
+ my $key = Koha::ApiKeys->find({ patron_id => $patron_id, client_id => $api_key_id });
if ($key) {
$key->active(1);
$key->store;
my @api_keys = Koha::ApiKeys->search({ patron_id => $patron_id });
$template->param(
- api_keys => \@api_keys,
- patron => $patron
+ api_keys => \@api_keys,
+ csrf_token => Koha::Token->new->generate_csrf({ session_id => scalar $cgi->cookie('CGISESSID') }),
+ patron => $patron
);
output_html_with_http_headers $cgi, $cookie, $template->output;