Bug 25898: Prohibit indirect object notation

[koha.git] / svc / cover_images

#!/usr/bin/perl

# This file is part of Koha.
#
# Copyright 2013 Universidad Nacional de Cordoba
#                Tomas Cohen Arazi
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.

use Modern::Perl;

use CGI qw ( -utf8 );
use C4::Auth qw/check_cookie_auth/;
use Koha::CoverImages;
use JSON qw/to_json/;

my $input = CGI->new;

my ( $auth_status, $sessionID ) =
        check_cookie_auth(
            $input->cookie('CGISESSID'),
            { tools => 'upload_local_cover_images' } );

if ( $auth_status ne "ok" ) {
    exit 0;
}

my $action       = $input->param('action');
my @imagenumbers = $input->param('imagenumber');

# Array to store the reponse JSON
my $response = [];

if ( $action eq "delete" ) {

    foreach my $imagenumber ( @imagenumbers ) {
        eval {
            Koha::CoverImages->find($imagenumber)->delete;
        };
        if ( $@ ) {
            push @$response, {
                imagenumber => $imagenumber,
                deleted => 0,
                error => "MSG_INVALID_IMAGENUMBER"
            };
        } else {
            push @$response, {
                imagenumber => $imagenumber,
                deleted => 1
            };
        }
    }
} else {
    # invalid action
    exit 0;
}

binmode STDOUT, ":encoding(UTF-8)";
print $input->header(
    -type => 'application/json',
    -charset => 'UTF-8'
);

print to_json( $response );