[Patches] [PATCH] Bug 3280 Restrict Send basket feature

koha-patchbot at kohaaloha.com koha-patchbot at kohaaloha.com
Mon Dec 5 22:25:03 NZDT 2011


From: =?UTF-8?q?Fr=C3=A8re=20S=C3=A9bastien=20Marie?= <semarie-koha at latrappe.fr>
Date: Mon, 5 Dec 2011 10:11:46 +0100
Subject: [PATCH] Bug 3280 Restrict Send basket feature

In order to prevent spamming using sendbasket.pl, some counter-measures are taken:
 - permit send basket only for authenticated user
 - permit send basket only if basket contains items
 - use username & email for 'To' field (with fallback to KohaAdminEmailAddress)
 - add field X-Orig-IP with IP of sender
 - add field X-Abuse-Report with KohaAdminEmailAddress
---
 opac/opac-sendbasket.pl |   25 +++++++++++++++----------
 1 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/opac/opac-sendbasket.pl b/opac/opac-sendbasket.pl
index df1b4c5..50e0b8e 100755
--- a/opac/opac-sendbasket.pl
+++ b/opac/opac-sendbasket.pl
@@ -39,7 +39,7 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user (
         template_name   => "opac-sendbasketform.tmpl",
         query           => $query,
         type            => "opac",
-        authnotrequired => ( C4::Context->preference("OpacPublic") ? 1 : 0 ),
+        authnotrequired => 0,
         flagsrequired   => { borrow => 1 },
     }
 );
@@ -51,11 +51,17 @@ my $email_sender = $query->param('email_sender');
 my $dbh          = C4::Context->dbh;
 
 if ( $email_add ) {
-    my $email_from = C4::Context->preference('KohaAdminEmailAddress');
+    my $user = GetMember(borrowernumber => $borrowernumber);
+    my $user_email = GetFirstValidEmailAddress($borrowernumber)
+	|| C4::Context->preference('KohaAdminEmailAddress');
+    
+    my $email_from = "$user->{firstname} $user->{surname} <$user_email>";
     my $comment    = $query->param('comment');
     my %mail = (
         To   => $email_add,
-        From => $email_from
+        From => $email_from,
+	'X-Orig-IP' => $ENV{'REMOTE_ADDR'},
+	'X-Abuse-Report' => C4::Context->preference('KohaAdminEmailAddress'),
     );
 
     my ( $template2, $borrowernumber, $cookie ) = get_template_and_user(
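Review bot: The new `my $email_from = "$user->{firstname} $user->{surname} <$user_email>";` puts the patron's own address in From, so mail leaves the library server claiming an origin on a domain it is not authorised for; receivers doing SPF/DMARC checks may reject or spam-folder it, which works against the anti-spam goal of the patch. Keeping From on KohaAdminEmailAddress and carrying the patron's address in Reply-To keeps replies working without the spoofed origin. The display name is also interpolated raw: if firstname/surname can contain quotes, angle brackets or line breaks, the header is malformed or, if Mail::Sendmail does not strip CR/LF (not confirmed here), injectable, so it should be quoted and cleaned. Note that the description says the name and email go in the 'To' field while the hunk sets From, and the three new continuation/X-header lines are tab-indented in a space-indented file. The enclosing `if ( $email_add )` block continues outside the hunk.
```perl
    my $user        = GetMember(borrowernumber => $borrowernumber);
    my $user_email  = GetFirstValidEmailAddress($borrowernumber);
    my $admin_email = C4::Context->preference('KohaAdminEmailAddress');

    # Display name only; drop characters that would break or terminate
    # the header (quotes, angle brackets, line breaks).
    my $sender_name = join ' ', grep { defined && length }
        $user->{firstname}, $user->{surname};
    $sender_name =~ s/[\"<>\r\n]//g;

    # From stays on the site's own address so SPF/DMARC checks pass at the
    # recipient; the patron's address is offered for replies instead.
    my $email_from = "\"$sender_name\" <$admin_email>";
    my $comment    = $query->param('comment');
    my %mail = (
        To   => $email_add,
        From => $email_from,
        ( $user_email ? ( 'Reply-To' => $user_email ) : () ),
        'X-Orig-IP'      => $ENV{'REMOTE_ADDR'},
        'X-Abuse-Report' => $admin_email,
    );
    # … unchanged: second get_template_and_user call …
```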
@@ -63,7 +69,7 @@ if ( $email_add ) {
             template_name   => "opac-sendbasket.tmpl",
             query           => $query,
             type            => "opac",
-            authnotrequired => 1,
+            authnotrequired => 0,
             flagsrequired   => { borrow => 1 },
         }
     );
@@ -103,8 +109,6 @@ if ( $email_add ) {
 
     my $resultsarray = \@results;
     
-    my $user = GetMember(borrowernumber => $borrowernumber); 
-    
     $template2->param(
         BIBLIO_RESULTS => $resultsarray,
         email_sender   => $email_sender,
@@ -164,14 +168,15 @@ $isofile
 $boundary--
 END_OF_BODY
 
-    # Sending mail
-    if ( sendmail %mail ) {
-        # do something if it works....
+    # Sending mail (if not empty basket)
+    if ( defined($iso2709) && sendmail %mail ) {
+	# do something if it works....
         $template->param( SENT      => "1" );
     }
     else {
         # do something if it doesnt work....
-        carp "Error sending mail: $Mail::Sendmail::error \n";
+	carp "Error sending mail: empty basket" if !defined($iso2709);
+        carp "Error sending mail: $Mail::Sendmail::error" if $Mail::Sendmail::error;
         $template->param( error => 1 );
     }
     $template->param( email_add => $email_add );
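Review bot: The empty-basket test in `if ( defined($iso2709) && sendmail %mail )` runs only after the whole MIME body heredoc has been assembled, so the case that sends nothing still does all the work; checking `defined $iso2709` (or that the basket produced any records) before the body is built and returning early would be cheaper and clearer. The else branch also reports a user condition (no items) through the same `error => 1` flag and a `carp` as a real delivery failure, so the patron gets a generic error and the log gains noise; a separate template flag (constructed name, e.g. `empty_basket => 1`) would let the page say what happened. Minor: the two new lines are tab-indented in a space-indented file, and `carp ... if !defined($iso2709);` reads better as `unless defined $iso2709`. Whether $iso2709 is undef rather than an empty string for an empty basket depends on the loop that builds it, which, like the enclosing `if ( $email_add )` block, starts before this hunk.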
-- 
1.7.2.5



