From: Kyle Huckins
Date: Mon, 14 Jan 2019 22:22:40 +0000 (+0000)
Subject: lp1777677 Security tweaks
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=61e9cf88540fe9598b658a715c637578412b39f3;p=working%2FEvergreen.git

lp1777677 Security tweaks

- Refactor test notification API to check if requestor is user,and if not, then check if requestor has permissions to view users at target user's home ou.
- Change event_def_type references to "hook"
- Separate out sendTestEmail and sendTestSMS functions in frontend to prevent potential misuse of functionality.

Signed-off-by: Kyle Huckins
Signed-off-by: Terran McCanna
Signed-off-by: Chris Sharp
Signed-off-by: Galen Charlton
---
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 35abb96dab..e0497b6a7b 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -4362,10 +4362,12 @@ sub fire_test_notification {
     my($self, $conn, $auth, $args) = @_;
     my $e = new_editor(authtoken => $auth);
     return $e->event unless $e->checkauth;
-    return $e->event unless $$args{home_ou};
-    return $e->die_event unless $e->allowed('OPAC_LOGIN', $$args{home_ou});
+    if ($e->requestor->id != $$args{target}) {
+        my $home_ou = $e->retrieve_actor_user($$args{target})->home_ou;
+        return $e->die_event unless $home_ou && $e->allowed('USER_VIEW', $home_ou);
+    }
 
-    my $event_hook = $$args{event_def_type} or return $e->event;
+    my $event_hook = $$args{hook} or return $e->event;
 
     my $usr = $e->retrieve_actor_user($$args{target});
     return $e->event unless $usr;
diff --git a/Open-ILS/src/templates/opac/myopac/prefs.tt2 b/Open-ILS/src/templates/opac/myopac/prefs.tt2
index f722020c3c..94d93efaeb 100644
--- a/Open-ILS/src/templates/opac/myopac/prefs.tt2
+++ b/Open-ILS/src/templates/opac/myopac/prefs.tt2
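Review bot: The added `my $home_ou = $e->retrieve_actor_user($$args{target})->home_ou;` dereferences the lookup result before the existing `return $e->event unless $usr;` guard is reached, so a target id that does not resolve (or a missing `target`, which `!=` silently numifies to 0) dies with "Can't call method "home_ou" on an undefined value" instead of returning an event, and the same user is then fetched a second time. Fetch the user once up front, guard on it, and run the USER_VIEW check against that object, as below. Separately, splitting the JavaScript into sendTestEmail/sendTestSMS does not constrain the API: `$$args{hook}` is still chosen by the caller, so unless the rest of fire_test_notification (outside this hunk) rejects other values, the hook should be allowlisted server-side, e.g. `return $e->event unless grep { $_ eq $event_hook } qw(au.email.test au.sms_text.test);`. fire_test_notification's body continues past the end of the hunk.

```perl
    return $e->event unless $e->checkauth;

    # Look the target up once; an unknown or missing id yields an event
    # instead of a method call on undef.
    my $usr = $e->retrieve_actor_user($$args{target})
        or return $e->event;

    # Anyone may test their own notifications; for another patron the
    # requestor needs USER_VIEW at that patron's home library.
    if ($e->requestor->id != $usr->id) {
        return $e->die_event
            unless $usr->home_ou && $e->allowed('USER_VIEW', $usr->home_ou);
    }

    my $event_hook = $$args{hook} or return $e->event;
    # (the later retrieve_actor_user / "unless $usr" pair is now redundant)
    # … unchanged: remainder of fire_test_notification …
```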
@@ -101,8 +101,8 @@ [% ctx.user.email | html %] [%- IF ctx.user.email %] - [% l('Send Test Email') %] [%- END %]
diff --git a/Open-ILS/src/templates/opac/myopac/prefs_notify.tt2 b/Open-ILS/src/templates/opac/myopac/prefs_notify.tt2
index a7784256be..4d31a0d388 100644
--- a/Open-ILS/src/templates/opac/myopac/prefs_notify.tt2
+++ b/Open-ILS/src/templates/opac/myopac/prefs_notify.tt2
@@ -136,8 +136,8 @@ [% IF ctx.user_setting_map.$setting; %] - [% l('Send Test Text Message') %]
[% l('Hint: use the full 10 digits of your phone #, no spaces, no dashes'); %]
diff --git a/Open-ILS/src/templates/staff/circ/patron/t_edit.tt2 b/Open-ILS/src/templates/staff/circ/patron/t_edit.tt2
index 966f9bbf20..05cd793840 100644
--- a/Open-ILS/src/templates/staff/circ/patron/t_edit.tt2
+++ b/Open-ILS/src/templates/staff/circ/patron/t_edit.tt2
@@ -462,7 +462,7 @@ within the "form" by name for validation. [% draw_field_label('au', 'email') %] [% draw_form_input('au', 'email', '', 'email') %]
- +
- +
diff --git a/Open-ILS/web/js/ui/default/opac/test_notification.js b/Open-ILS/web/js/ui/default/opac/test_notification.js
index 84ea8b4ccb..69d29d395f 100644
--- a/Open-ILS/web/js/ui/default/opac/test_notification.js
+++ b/Open-ILS/web/js/ui/default/opac/test_notification.js
@@ -1,12 +1,18 @@
-function sendTestNotification(user_id, home_ou, event_def_type, authtoken) {
-    var hook = 'au.' + event_def_type + '.test';
-
+function sendTestEmail(user_id, authtoken) {
+    sendTestNotification(user_id, 'au.email.test', authtoken);
+}
+
+function sendTestSMS(user_id, authtoken) {
+    sendTestNotification(user_id, 'au.sms_text.test', authtoken);
+}
+
+function sendTestNotification(user_id, hook, authtoken) {
+
     var args = {
         target: user_id,
-        home_ou: home_ou,
-        event_def_type: hook
+        hook: hook
     };
-
+
     new OpenSRF.ClientSession('open-ils.actor').request({
         method: 'open-ils.actor.event.test_notification',
         params: [authtoken, args],
diff --git a/Open-ILS/web/js/ui/default/staff/circ/patron/regctl.js b/Open-ILS/web/js/ui/default/staff/circ/patron/regctl.js
index e78cda9d8a..78fbce9c3d 100644
--- a/Open-ILS/web/js/ui/default/staff/circ/patron/regctl.js
+++ b/Open-ILS/web/js/ui/default/staff/circ/patron/regctl.js
@@ -656,13 +656,12 @@ angular.module('egCoreMod')
         });
     }
 
-    service.send_test_message = function(patron, args) {
-        var hook = 'au.' + args.test_type + '.test';
+    service.send_test_message = function(user_id, hook) {
         return egCore.net.request(
             'open-ils.actor',
             'open-ils.actor.event.test_notification',
-            egCore.auth.token(), {event_def_type: hook, target: patron.id, home_ou: patron.home_ou}
+            egCore.auth.token(), {hook: hook, target: user_id}
         ).then(function(res) {
             return res;
         });
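Review bot: The new sendTestEmail/sendTestSMS wrappers only change which call sites pick the hook; `function sendTestNotification(user_id, hook, authtoken)` is still a page-global function that forwards any `hook` string and any `user_id` verbatim to open-ils.actor.event.test_notification, so the split cannot by itself prevent misuse — the permission check in the Perl method is the actual control. A comment on the generic function would keep a later maintainer from treating this file as a guard: `// hook and user_id are forwarded as-is; authorization lives in open-ils.actor.event.test_notification, not here`. The request callback inside sendTestNotification continues past the end of the hunk.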
@@ -1973,8 +1972,19 @@ function($scope , $routeParams , $q , $uibModal , $window , egCore ,
         });
     }
 
-    $scope.send_test_message = function(args) {
-        patronRegSvc.send_test_message($scope.patron, args).then(function(res) {
+    $scope.send_test_email = function() {
+        patronRegSvc.send_test_message($scope.patron.id, 'au.email.test').then(function(res) {
+            if (res && res.template_output() && res.template_output().is_error() == 'f') {
+                ngToast.success(egCore.strings.TEST_NOTIFY_SUCCESS);
+            } else {
+                ngToast.warning(egCore.strings.TEST_NOTIFY_FAIL);
+                if (res) console.log(res);
+            }
+        });
+    }
+
+    $scope.send_test_sms = function() {
+        patronRegSvc.send_test_message($scope.patron.id, 'au.sms_text.test').then(function(res) {
             if (res && res.template_output() && res.template_output().is_error() == 'f') {
                 ngToast.success(egCore.strings.TEST_NOTIFY_SUCCESS);
             } else {
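Review bot: $scope.send_test_email and $scope.send_test_sms now carry two verbatim copies of the result handler (the `is_error() == 'f'` check, both toasts and the console.log), so the next change to the toast logic has to be made twice and the copies will drift. Pull the handler into one named function and let each entry point pass only its hook, keeping the two scope functions the templates call. The body of send_test_sms continues past the end of the hunk, so the unchanged tail is elided below.

```javascript
    // Shared outcome handler for the test-notification calls.
    function report_test_result(res) {
        if (res && res.template_output() && res.template_output().is_error() == 'f') {
            ngToast.success(egCore.strings.TEST_NOTIFY_SUCCESS);
        } else {
            ngToast.warning(egCore.strings.TEST_NOTIFY_FAIL);
            if (res) console.log(res);
        }
    }

    $scope.send_test_email = function() {
        patronRegSvc.send_test_message($scope.patron.id, 'au.email.test').then(report_test_result);
    }

    $scope.send_test_sms = function() {
        patronRegSvc.send_test_message($scope.patron.id, 'au.sms_text.test').then(report_test_result);
    }
```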