Bug 19086 XSS in members/member.pl

[koha.git] / svc / members / search

#!/usr/bin/perl

# Copyright 2013 BibLibre
#
# This file is part of Koha
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.

use Modern::Perl;
use CGI;

use C4::Auth qw( get_template_and_user haspermission get_user_subpermissions );
use C4::Output qw( output_with_http_headers );
use C4::Utils::DataTables qw( dt_get_params );
use C4::Utils::DataTables::Members qw( search );
use Koha::DateUtils qw( output_pref dt_from_string );

my $input = new CGI;

exit unless $input->param('template_path');

my ($template, $user, $cookie) = get_template_and_user({
    template_name   => scalar $input->param('template_path'),
    query           => $input,
    type            => "intranet",
    authnotrequired => 0,
    flagsrequired   => { borrowers => 1 }
});

my $searchmember = $input->param('searchmember');
my $firstletter  = $input->param('firstletter');
my $categorycode = $input->param('categorycode');
my $branchcode = $input->param('branchcode');
my $searchtype = $input->param('searchtype');
my $searchfieldstype = $input->param('searchfieldstype') || 'standard';
my $has_permission = $input->param('has_permission');
my $selection_type = $input->param('selection_type');

# variable information for DataTables (id)
my $sEcho = $input->param('sEcho');

my %dt_params = dt_get_params($input);
foreach (grep {$_ =~ /^mDataProp/} keys %dt_params) {
    $dt_params{$_} =~ s/^dt_//;
}

my $results;
# If the user filled a term, maybe it's a cardnumber.
# This cannot be the case if a first letter is given.
if ( $searchmember
    and not $firstletter
    and $searchfieldstype
    and $searchfieldstype eq 'standard' )
{
    my $member = C4::Members::GetMember( cardnumber => $searchmember );
    $results = {
        iTotalRecords        => 1,
        iTotalDisplayRecords => 1,
        patrons              => [ $member ],
    } if $member;
}

# Perform the patrons search
$results = C4::Utils::DataTables::Members::search(
    {
        searchmember => $searchmember,
        firstletter => $firstletter,
        categorycode => $categorycode,
        branchcode => $branchcode,
        searchtype => $searchtype,
        searchfieldstype => $searchfieldstype,
        dt_params => \%dt_params,
    }
) unless $results;

# It is not recommanded to use the has_permission param if you use the pagination
# The filter is done AFTER requested the data
if ($has_permission) {
    my ( $permission, $subpermission ) = split /\./, $has_permission;
    my @patrons_with_permission;
    for my $patron ( @{ $results->{patrons} } ) {
        my $perms = haspermission( $patron->{userid} );
        if (   $perms->{superlibrarian} == 1
            or $perms->{$permission} == 1 )
        {
            push @patrons_with_permission, $patron;
            next;
        }

        if ($subpermission) {
            my $subperms = get_user_subpermissions( $patron->{userid} );
            push @patrons_with_permission, $patron
              if $subperms->{$permission}->{$subpermission};
        }
    }
    $results->{patrons} = \@patrons_with_permission;
    $results->{iTotalDisplayRecords} = scalar( @patrons_with_permission );
}

$template->param(
    sEcho => $sEcho,
    iTotalRecords => $results->{iTotalRecords},
    iTotalDisplayRecords => $results->{iTotalDisplayRecords},
    aaData => $results->{patrons},
    selection_type => $selection_type,
);

output_with_http_headers $input, $cookie, $template->output, 'json';

__END__

=head1 NAME

search - a search script for finding patrons

=head1 SYNOPSIS

This script provides a service for template for patron search using DataTables

=head2 Performing a search

Call this script from a DataTables table my $searchmember = $input->param('searchmember');
All following params are optional:
    searchmember => the search terms
    firstletter => search patrons with surname begins with this pattern (currently only used for 1 letter)
    categorycode and branchcode => search patrons belong to a given categorycode or a branchcode
    searchtype: can be 'contain' or 'start_with'
    searchfieldstype: Can be 'standard', 'email', 'borrowernumber', 'userid', 'phone' or 'address'

=cut

=back

=head1 LICENSE

Copyright 2013 BibLibre

This file is part of Koha.

Koha is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 2 of the License, or (at your option) any later
version.

Koha is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE.  See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along
with Koha; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.