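#!/usr/bin/perl

# Copyright 2000-2002 Katipo Communications
# Copyright 2002 Paul Poulain
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.

=head1 NAME

admin/itemtypes.pl - intranet administration page for item types

=head1 DESCRIPTION

Dispatches on the C<op> CGI parameter (default C<list>):

=over

=item C<list> - list every item type together with any status messages.

=item C<add_form> - show the add/edit form for the item type given in
C<itemtype> (empty form when the code does not exist yet).

=item C<add_validate> - update the item type named in C<itemtype> when
C<is_a_modif> is set, otherwise insert it as a new one; reports
C<already_exists> when neither case applies. Falls through to C<list>.

=item C<delete_confirm> - show the deletion confirmation page, unless the
item type is still referenced by C<biblioitems> or C<items>.

=item C<delete_confirmed> - delete the item type (same reference check as
above). Falls through to C<list>.

=back

Access requires the C<parameters_remaining_permissions> flag.

=cut

use Modern::Perl;
use CGI qw ( -utf8 );

use File::Spec;

use C4::Koha;
use C4::Context;
use C4::Auth;
use C4::Output;
use C4::Languages;

use Koha::ItemType;
use Koha::ItemTypes;
use Koha::Localizations;

# Count the biblioitems and items rows that still reference $itemtype_code.
#
# Both tables are consulted in one query; the user-supplied code is bound
# through a placeholder so it never becomes part of the SQL text.
# NOTE(review): this count appears to be the only thing preventing a delete
# from leaving dangling references — confirm against the schema whether
# a foreign key exists.
sub _itemtype_usage_count {
    my ( $dbh, $itemtype_code ) = @_;

    my ($total) = $dbh->selectrow_array(
        q{
            SELECT COUNT(*) AS total FROM (
                SELECT itemtype AS t FROM biblioitems
                UNION ALL
                SELECT itype AS t FROM items
            ) AS tmp
            WHERE tmp.t = ?
        },
        {},
        $itemtype_code
    );

    return $total // 0;
}

my $input         = CGI->new;
my $itemtype_code = $input->param('itemtype');
my $op            = $input->param('op') // 'list';
my @messages;    # status entries { type => ..., code => ... } for the template

my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
    {   template_name   => "admin/itemtypes.tt",
        query           => $input,
        type            => "intranet",
        authnotrequired => 0,
        flagsrequired   => { parameters => 'parameters_remaining_permissions' },
        debug           => 1,
    }
);

my $dbh = C4::Context->dbh;

# A blank SIP media type means "none"; store NULL rather than whitespace.
my $sip_media_type = $input->param('sip_media_type');
undef($sip_media_type) if defined($sip_media_type) and $sip_media_type =~ /^\s*$/;

# NOTE(review): add_validate and delete_confirmed change the database but are
# accepted on any request method, and no anti-CSRF token check is visible in
# this script; confirm one is enforced for this page (Koha::Token's check_csrf
# is the in-tree mechanism) rather than relying on the permission flag alone.

if ( $op eq 'add_form' ) {
    my $itemtype  = Koha::ItemTypes->find($itemtype_code);
    my $imagesets = C4::Koha::getImageSets( checked => ( $itemtype ? $itemtype->imageurl : undef ) );
    my $searchcategory = GetAuthorisedValues("ITEMTYPECAT");
    my $translated_languages = C4::Languages::getTranslatedLanguages( undef, C4::Context->preference('template') );

    $template->param(
        itemtype          => $itemtype,
        imagesets         => $imagesets,
        searchcategory    => $searchcategory,
        can_be_translated => ( scalar(@$translated_languages) > 1 ? 1 : 0 ),
    );
}
elsif ( $op eq 'add_validate' ) {
    my $is_a_modif = $input->param('is_a_modif');
    my $itemtype   = Koha::ItemTypes->find($itemtype_code);

    # 'removeImage' clears the image, 'remoteImage' takes the URL from the
    # remoteImage field, anything else is the name of a bundled image.
    # NOTE(review): a remote URL is stored as submitted; output escaping is
    # left to the template — confirm it applies the html filter there.
    my $image    = $input->param('image') || q||;
    my $imageurl =
        $image eq 'removeImage' ? ''
      : $image eq 'remoteImage' ? $input->param('remoteImage')
      :                           $image;

    # Column values shared by the insert and update paths. rentalcharge is
    # not validated here; a non-numeric value surfaces as the store error.
    my %value_of = (
        description    => scalar $input->param('description'),
        rentalcharge   => scalar $input->param('rentalcharge'),
        notforloan     => ( $input->param('notforloan') ? 1 : 0 ),
        imageurl       => $imageurl,
        summary        => scalar $input->param('summary'),
        checkinmsg     => scalar $input->param('checkinmsg'),
        checkinmsgtype => scalar $input->param('checkinmsgtype'),
        sip_media_type => $sip_media_type,
        hideinopac     => $input->param('hideinopac') // 0,
        searchcategory => scalar $input->param('searchcategory'),
    );

    if ( $itemtype and $is_a_modif ) {    # it's a modification
        for my $column ( sort keys %value_of ) {
            $itemtype->$column( $value_of{$column} );
        }

        eval { $itemtype->store; };
        if ($@) {
            push @messages, { type => 'error', code => 'error_on_update' };
        }
        else {
            push @messages, { type => 'message', code => 'success_on_update' };
        }
    }
    elsif ( not $itemtype and not $is_a_modif ) {    # it's a creation
        my $new_itemtype = Koha::ItemType->new( { itemtype => $itemtype_code, %value_of } );

        eval { $new_itemtype->store; };
        if ($@) {
            push @messages, { type => 'error', code => 'error_on_insert' };
        }
        else {
            push @messages, { type => 'message', code => 'success_on_insert' };
        }
    }
    else {
        # Reached when creating a code that already exists, and also when
        # is_a_modif is set but the code no longer exists (the message is
        # then misleading; the template only knows this one code).
        push @messages,
          { type => 'error',
            code => 'already_exists',
          };
    }

    $op = 'list';
}
elsif ( $op eq 'delete_confirm' ) {
    my $total = _itemtype_usage_count( $dbh, $itemtype_code );

    if ($total) {
        push @messages, { type => 'error', code => 'cannot_be_deleted', total => $total };
        $op = 'list';
    }
    else {
        my $itemtype = Koha::ItemTypes->find($itemtype_code);
        $template->param( itemtype => $itemtype, );
    }
}
elsif ( $op eq 'delete_confirmed' ) {
    # The confirmation page is only a UI step: a request can name this op
    # directly, so the reference check is repeated before deleting.
    my $total = _itemtype_usage_count( $dbh, $itemtype_code );

    if ($total) {
        push @messages, { type => 'error', code => 'cannot_be_deleted', total => $total };
    }
    else {
        my $itemtype = Koha::ItemTypes->find($itemtype_code);
        # eval returns undef when delete dies; an unknown code is undef too.
        my $deleted = $itemtype && eval { $itemtype->delete };

        if ( not $deleted ) {
            push @messages, { type => 'error', code => 'error_on_delete' };
        }
        else {
            push @messages, { type => 'message', code => 'success_on_delete' };
        }
    }

    $op = 'list';
}

if ( $op eq 'list' ) {
    my $itemtypes = Koha::ItemTypes->search;
    $template->param(
        itemtypes => $itemtypes,
        messages  => \@messages,
    );
}

$template->param( op => $op );

output_html_with_http_headers $input, $cookie, $template->output;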