[Patches] [PATCH] Bug 3280 Restrict Send basket feature
Mon Dec 5 22:25:03 NZDT 2011
From: =?UTF-8?q?Fr=C3=A8re=20S=C3=A9bastien=20Marie?= <semarie-koha at latrappe.fr>
Date: Mon, 5 Dec 2011 10:11:46 +0100
Subject: [PATCH] Bug 3280 Restrict Send basket feature
In order to prevent spamming via sendbasket.pl, the following counter-measures are taken:
- permit send basket only for authenticated user
- permit send basket only if basket contains items
- use username & email for 'To' field (with fallback to KohaAdminEmailAddress)
- add field X-Orig-IP with IP of sender
- add field X-Abuse-Report with KohaAdminEmailAddress
---
opac/opac-sendbasket.pl | 25 +++++++++++++++----------
1 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/opac/opac-sendbasket.pl b/opac/opac-sendbasket.pl
index df1b4c5..50e0b8e 100755
--- a/opac/opac-sendbasket.pl
+++ b/opac/opac-sendbasket.pl
@@ -39,7 +39,7 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user (
template_name => "opac-sendbasketform.tmpl",
query => $query,
type => "opac",
- authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 ),
+ authnotrequired => 0,
flagsrequired => { borrow => 1 },
}
);
@@ -51,11 +51,17 @@ my $email_sender = $query->param('email_sender');
my $dbh = C4::Context->dbh;
if ( $email_add ) {
- my $email_from = C4::Context->preference('KohaAdminEmailAddress');
+ my $user = GetMember(borrowernumber => $borrowernumber);
+ my $user_email = GetFirstValidEmailAddress($borrowernumber)
+ || C4::Context->preference('KohaAdminEmailAddress');
+
+ my $email_from = "$user->{firstname} $user->{surname} <$user_email>";
my $comment = $query->param('comment');
my %mail = (
To => $email_add,
- From => $email_from
+ From => $email_from,
+ 'X-Orig-IP' => $ENV{'REMOTE_ADDR'},
+ 'X-Abuse-Report' => C4::Context->preference('KohaAdminEmailAddress'),
);
my ( $template2, $borrowernumber, $cookie ) = get_template_and_user(
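Review bot: Setting `From` to the patron's own address in `my $email_from = "$user->{firstname} $user->{surname} <$user_email>"` forges the sender domain whenever `$user_email` is not under the Koha server's mail domain, so receiving MTAs that enforce SPF/DMARC alignment will likely reject or junk the message — keep `From` as the admin address and carry the patron in `Reply-To`, e.g. `From => C4::Context->preference('KohaAdminEmailAddress'),` and `'Reply-To' => $email_from,`. The display name is also interpolated raw: a `firstname`/`surname` containing `"`, `<`, `>`, `,` or CR/LF produces a malformed header and, unless Mail::Sendmail strips newlines (not visible here), a header-injection vector, so sanitize first, e.g. `(my $name = "$user->{firstname} $user->{surname}") =~ s/[\r\n"<>,]//g;`. Note that `$ENV{'REMOTE_ADDR'}` is the proxy's address when the OPAC sits behind a reverse proxy, so `X-Orig-IP` is only as reliable as the deployment, and `To => $email_add` is still passed through unvalidated, so a comma-separated list would presumably still fan out to several recipients despite the anti-spam intent. The enclosing `if ( $email_add )` block continues past this hunk.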
@@ -63,7 +69,7 @@ if ( $email_add ) {
template_name => "opac-sendbasket.tmpl",
query => $query,
type => "opac",
- authnotrequired => 1,
+ authnotrequired => 0,
flagsrequired => { borrow => 1 },
}
);
@@ -103,8 +109,6 @@ if ( $email_add ) {
my $resultsarray = \@results;
- my $user = GetMember(borrowernumber => $borrowernumber);
-
$template2->param(
BIBLIO_RESULTS => $resultsarray,
email_sender => $email_sender,
@@ -164,14 +168,15 @@ $isofile
$boundary--
END_OF_BODY
- # Sending mail
- if ( sendmail %mail ) {
- # do something if it works....
+ # Sending mail (if not empty basket)
+ if ( defined($iso2709) && sendmail %mail ) {
+ # do something if it works....
$template->param( SENT => "1" );
}
else {
# do something if it doesnt work....
- carp "Error sending mail: $Mail::Sendmail::error \n";
+ carp "Error sending mail: empty basket" if !defined($iso2709);
+ carp "Error sending mail: $Mail::Sendmail::error" if $Mail::Sendmail::error;
$template->param( error => 1 );
}
$template->param( email_add => $email_add );
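Review bot: The empty-basket guard in `if ( defined($iso2709) && sendmail %mail )` runs only after the complete MIME body, including the ISO2709 attachment, has already been assembled (the heredoc closed by `END_OF_BODY`), and it uses an undefined `$iso2709` — assigned outside this hunk — as a proxy for "no items" instead of checking the basket itself. A cheaper and more explicit check is an early guard before the body is built, e.g. `unless (@results) { carp "Error sending mail: empty basket"; $template->param( error => 1 ); }`, assuming `@results` (seen in the earlier hunk) holds the resolved records. As written the `else` branch also stays silent when `sendmail` fails without populating `$Mail::Sendmail::error`, so log unconditionally in that case, `carp "Error sending mail: " . ($Mail::Sendmail::error || 'unknown error') if defined($iso2709);`. The enclosing `if ( $email_add )` block begins outside this hunk.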
--
1.7.2.5