lp1777677 Security tweaks

- Refactor test notification API to check if requestor
is user,and if not, then check if requestor has
permissions to view users at target user's home ou.
- Change event_def_type references to "hook"
- Separate out sendTestEmail and sendTestSMS functions
in frontend to prevent potential misuse of functionality.

Signed-off-by: Kyle Huckins <khuckins@catalyte.io>
Signed-off-by: Terran McCanna <tmccanna@georgialibraries.org>
Signed-off-by: Chris Sharp <csharp@georgialibraries.org>
Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 35abb96..e0497b6 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -4362,10 +4362,12 @@ sub fire_test_notification {
     my($self, $conn, $auth, $args) = @_;
     my $e = new_editor(authtoken => $auth);
     return $e->event unless $e->checkauth;
-    return $e->event unless $$args{home_ou};
-    return $e->die_event unless $e->allowed('OPAC_LOGIN', $$args{home_ou});
+    if ($e->requestor->id != $$args{target}) {
+        my $home_ou = $e->retrieve_actor_user($$args{target})->home_ou;
+        return $e->die_event unless $home_ou && $e->allowed('USER_VIEW', $home_ou);
+    }
 
-    my $event_hook = $$args{event_def_type} or return $e->event;
+    my $event_hook = $$args{hook} or return $e->event;
     my $usr = $e->retrieve_actor_user($$args{target});
 
     return $e->event unless $usr;

diff --git a/Open-ILS/src/templates/opac/myopac/prefs.tt2 b/Open-ILS/src/templates/opac/myopac/prefs.tt2
index f722020..94d93ef 100644 (file)
--- a/Open-ILS/src/templates/opac/myopac/prefs.tt2
+++ b/Open-ILS/src/templates/opac/myopac/prefs.tt2
@@ -101,8 +101,8 @@
                 <td class='light_border'>[% ctx.user.email | html %]</td>
                 <td class='light_border'>
                 [%- IF ctx.user.email %]
-                <a href="#" onclick="sendTestNotification(
-                        [% ctx.user.id %], [% ctx.user.home_ou.id %], 'email', '[% ctx.authtoken %]'
+                <a href="#" onclick="sendTestEmail(
+                        [% ctx.user.id %], '[% ctx.authtoken %]'
                     )"
                     title="[% l('Send Test Email') %]">[% l('Send Test Email') %]</a></td>
                 [%- END %]

diff --git a/Open-ILS/src/templates/opac/myopac/prefs_notify.tt2 b/Open-ILS/src/templates/opac/myopac/prefs_notify.tt2
index a778425..4d31a0d 100644 (file)
--- a/Open-ILS/src/templates/opac/myopac/prefs_notify.tt2
+++ b/Open-ILS/src/templates/opac/myopac/prefs_notify.tt2
@@ -136,8 +136,8 @@
                             <input onchange="record_change(event)" id='[% setting %]' name='[% setting %]' type="text"
                                 [% IF ctx.user_setting_map.$setting; %] value='[% ctx.user_setting_map.$setting | html %]' [% END %]/>
                             [% IF ctx.user_setting_map.$setting; %]
-                            <a href="#" onclick="sendTestNotification(
-                                [% ctx.user.id %], [% ctx.user.home_ou.id %], 'sms_text', '[% ctx.authtoken %]'
+                            <a href="#" onclick="sendTestSMS(
+                            [% ctx.user.id %], '[% ctx.authtoken %]'
                             )"
                             title="[% l('Send Test Text Message') %]">[% l('Send Test Text Message') %]</a><br />
                             [% l('Hint: use the full 10 digits of your phone #, no spaces, no dashes'); %]

diff --git a/Open-ILS/src/templates/staff/circ/patron/t_edit.tt2 b/Open-ILS/src/templates/staff/circ/patron/t_edit.tt2
index 966f9bb..05cd793 100644 (file)
--- a/Open-ILS/src/templates/staff/circ/patron/t_edit.tt2
+++ b/Open-ILS/src/templates/staff/circ/patron/t_edit.tt2
@@ -462,7 +462,7 @@ within the "form" by name for validation.
   [% draw_field_label('au', 'email') %]
   [% draw_form_input('au', 'email', '', 'email') %]
   <div class="col-md-3" ng-if="base_email && !patron.isnew">
-    <button class="btn btn-default" ng-click="send_test_message({test_type:'email'})">[% l('Send Test Email') %]</button>
+    <button class="btn btn-default" ng-click="send_test_email()">[% l('Send Test Email') %]</button>
   </div>
   <div class="col-md-3 patron-reg-example">
     <button ng-show="patron.email && !patron.isnew" 
@@ -787,7 +787,7 @@ within the "form" by name for validation.
       type='text'/>
   </div>
   <div class="col-md-3" ng-if="base_default_sms && !patron.isnew">
-    <button class="btn btn-default" ng-click="send_test_message({test_type:'sms_text'})">[% l('Send Test Text') %]</button>
+    <button class="btn btn-default" ng-click="send_test_sms()">[% l('Send Test Text') %]</button>
   </div>
 </div>
 

diff --git a/Open-ILS/web/js/ui/default/opac/test_notification.js b/Open-ILS/web/js/ui/default/opac/test_notification.js
index 84ea8b4..69d29d3 100644 (file)
--- a/Open-ILS/web/js/ui/default/opac/test_notification.js
+++ b/Open-ILS/web/js/ui/default/opac/test_notification.js
@@ -1,12 +1,18 @@
-function sendTestNotification(user_id, home_ou, event_def_type, authtoken) {
-    var hook = 'au.' + event_def_type + '.test';
-    
+function sendTestEmail(user_id, authtoken) {
+    sendTestNotification(user_id, 'au.email.test', authtoken);
+}
+
+function sendTestSMS(user_id, authtoken) {
+    sendTestNotification(user_id, 'au.sms_text.test', authtoken);
+}
+
+function sendTestNotification(user_id, hook, authtoken) {
+
     var args = {
         target: user_id,
-        home_ou: home_ou,
-        event_def_type: hook
+        hook: hook
     };
-    
+
     new OpenSRF.ClientSession('open-ils.actor').request({
         method: 'open-ils.actor.event.test_notification',
         params: [authtoken, args],

diff --git a/Open-ILS/web/js/ui/default/staff/circ/patron/regctl.js b/Open-ILS/web/js/ui/default/staff/circ/patron/regctl.js
index e78cda9..78fbce9 100644 (file)
--- a/Open-ILS/web/js/ui/default/staff/circ/patron/regctl.js
+++ b/Open-ILS/web/js/ui/default/staff/circ/patron/regctl.js
@@ -656,13 +656,12 @@ angular.module('egCoreMod')
         });
     }
 
-    service.send_test_message = function(patron, args) {
-        var hook = 'au.' + args.test_type + '.test';
+    service.send_test_message = function(user_id, hook) {
 
         return egCore.net.request(
             'open-ils.actor',
             'open-ils.actor.event.test_notification',
-            egCore.auth.token(), {event_def_type: hook, target: patron.id, home_ou: patron.home_ou}
+            egCore.auth.token(), {hook: hook, target: user_id}
         ).then(function(res) {
             return res;
         });
@@ -1973,8 +1972,19 @@ function($scope , $routeParams , $q , $uibModal , $window , egCore ,
         });
     }
 
-    $scope.send_test_message = function(args) {
-        patronRegSvc.send_test_message($scope.patron, args).then(function(res) {
+    $scope.send_test_email = function() {
+        patronRegSvc.send_test_message($scope.patron.id, 'au.email.test').then(function(res) {
+            if (res && res.template_output() && res.template_output().is_error() == 'f') {
+                 ngToast.success(egCore.strings.TEST_NOTIFY_SUCCESS);
+            } else {
+                ngToast.warning(egCore.strings.TEST_NOTIFY_FAIL);
+                if (res) console.log(res);
+            }
+        });
+    }
+
+    $scope.send_test_sms = function() {
+        patronRegSvc.send_test_message($scope.patron.id, 'au.sms_text.test').then(function(res) {
             if (res && res.template_output() && res.template_output().is_error() == 'f') {
                  ngToast.success(egCore.strings.TEST_NOTIFY_SUCCESS);
             } else {