# DO NOT MODIFY THIS OR ANYTHING ABOVE! md5sum:Cq/HSuTaBxZH2qSGEddoaQ
-# You can replace this text with custom code or comments, and it will be preserved on regeneration
+sub allows_add_by {
+ my ( $self, $userid ) = @_; # do not confuse with borrowernumber
+ my $flags = [
+ { tools => 'upload_general_files' },
+ { circulate => 'circulate_remaining_permissions' },
+ { tools => 'stage_marc_import' },
+ { tools => 'upload_local_cover_images' },
+ ];
+ require C4::Auth;
+ foreach( @$flags ) {
+ return 1 if C4::Auth::haspermission( $userid, $_ );
+ }
+ return;
+}
+
1;
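Review bot: `allows_add_by` hands `$userid` to `C4::Auth::haspermission` without checking that it is defined, and how `haspermission` treats an undefined or empty userid is not visible in this diff. Since the upload script now relies on this method to accept or deny a request, an explicit fail-closed guard at the top would make the result independent of the helper, e.g. `return if !defined $userid || $userid eq '';`. The sub also has no POD. A short entry should say that it is called as a class method with the login userid (not the borrowernumber), and that it returns 1 when any of the four listed permissions is held and undef (an empty list in list context) otherwise.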
use Modern::Perl;
use File::Temp qw/ tempdir /;
-use Test::More tests => 7;
+use Test::More tests => 8;
use Test::MockModule;
use t::lib::Mocks;
+use t::lib::TestBuilder;
use C4::Context;
+use Koha::Database;
use Koha::Upload;
+use Koha::Schema::Result::UploadedFile;
+my $schema = Koha::Database->new->schema;
+$schema->storage->txn_begin;
my $dbh = C4::Context->dbh;
-$dbh->{AutoCommit} = 0;
-$dbh->{RaiseError} = 1;
our $current_upload = 0;
our $uploads = [
plan tests => 2;
test07();
};
-$dbh->rollback;
+subtest 'Test08: UploadedFile->allows_add_by' => sub {
+ plan tests => 4;
+ test08();
+};
+$schema->storage->txn_rollback;
sub test01 {
# Delete existing records (for later tests)
is( @$cat >= 1, 1, 'getCategories returned at least one category' );
}
+sub test08 { # UploadedFile->allows_add_by
+ my $builder = t::lib::TestBuilder->new;
+ my $patron = $builder->build({
+ source => 'Borrower',
+ value => { flags => 0 }, #no permissions
+ });
+ my $patronid = $patron->{borrowernumber};
+ is( Koha::Schema::Result::UploadedFile->allows_add_by( $patron->{userid} ),
+ undef, 'Patron is not allowed to do anything' );
+
+ # add some permissions: edit_catalogue
+ my $fl = 2**9; # edit_catalogue
+ $schema->resultset('Borrower')->find( $patronid )->update({ flags => $fl });
+ is( Koha::Schema::Result::UploadedFile->allows_add_by( $patron->{userid} ),
+ undef, 'Patron is still not allowed to add uploaded files' );
+
+ # replace flags by all tools
+ $fl = 2**13; # tools
+ $schema->resultset('Borrower')->find( $patronid )->update({ flags => $fl });
+ is( Koha::Schema::Result::UploadedFile->allows_add_by( $patron->{userid} ),
+ 1, 'Patron should be allowed now to add uploaded files' );
+
+ # remove all tools and add upload_general_files only
+ $fl = 0; # no modules
+ $schema->resultset('Borrower')->find( $patronid )->update({ flags => $fl });
+ $builder->build({
+ source => 'UserPermission',
+ value => {
+ borrowernumber => $patronid,
+ module_bit => { module_bit => { flag => 'tools' } },
+ code => 'upload_general_files',
+ },
+ });
+ is( Koha::Schema::Result::UploadedFile->allows_add_by( $patron->{userid} ),
+ 1, 'Patron is still allowed to add uploaded files' );
+}
+
sub newCGI {
my ( $class, $hook ) = @_;
my $read = 0;
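Review bot: `test08` has no negative case at the sub-permission level: the only denials tested are `flags => 0` and an unrelated module bit (`2**9`), so a regression that accepted any `tools` sub-permission would still pass. I would add a second patron with `flags => 0` and a single `UserPermission` row whose `code` is a `tools` sub-permission that is not in the `allows_add_by` list, assert `undef` for that patron, and raise `plan tests` in the Test08 subtest to 5. The three other listed permissions (`circulate_remaining_permissions`, `stage_marc_import`, `upload_local_cover_images`) are also never exercised individually.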
use C4::Context;
use C4::Auth qw/check_cookie_auth haspermission/;
use Koha::Upload;
+use Koha::Schema::Result::UploadedFile;
# upload-file.pl must authenticate the user
# before processing the POST request,
# requires that the session cookie already
# has been created.
-my $flags_required = [
- {circulate => 'circulate_remaining_permissions'},
- {tools => 'stage_marc_import'},
- {tools => 'upload_local_cover_images'}
-];
-
my %cookies = CGI::Cookie->fetch;
my $sid = $cookies{'CGISESSID'}->value;
-
-my $auth_failure = 1;
my ( $auth_status, $sessionID ) = check_cookie_auth( $sid );
my $uid = C4::Auth::get_session($sid)->param('id');
-foreach my $flag_required ( @{$flags_required} ) {
- if ( my $flags = haspermission( $uid, $flag_required ) ) {
- $auth_failure = 0 if $auth_status eq 'ok';
- }
-}
+my $allowed = Koha::Schema::Result::UploadedFile->allows_add_by( $uid );
-if ($auth_failure) {
+if( $auth_status ne 'ok' || !$allowed ) {
send_reply( 'denied' );
exit 0;
}
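Review bot: The permission lookup on the new `allows_add_by( $uid )` line runs before `$auth_status` is tested, using a `$uid` read from the session regardless of what `check_cookie_auth` returned. The final condition is fail-closed, but it would be cleaner to run no permission query for a session that has not been confirmed valid. Folding the call into the condition lets `||` short-circuit: `if( $auth_status ne 'ok' || !Koha::Schema::Result::UploadedFile->allows_add_by( $uid ) ) {`. Moving the `get_session` line below the status check would go one step further, though whether `get_session` can return undef for a bad `$sid` is not visible here. The rest of the script lies outside this hunk.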