
Bug 28935: No filtering on patron's data on member entry pages

Security patch. Follow-up for 28929.
Including correction for gonenoaddress and two others.
The unwanted fields are now removed as well.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Marcel de Rooy 2 years ago
committed by Jonathan Druart
parent
commit
5f37d8d2f4
  1. 5
      members/memberentry.pl
  2. 5
      opac/opac-memberentry.pl

5
members/memberentry.pl

@ -215,7 +215,7 @@ if ( $op eq 'insert' || $op eq 'modify' || $op eq 'save' || $op eq 'duplicate' )
# remove keys from %newdata that is not part of patron's attributes
{
my @keys_to_delete = (
qr/^flags$/,
qr/^(borrowernumber|date_renewed|debarred|debarredcomment|flags|privacy|privacy_guarantor_fines|privacy_guarantor_checkouts|checkprevcheckout|updated_on|lastseen|lang|login_attempts|overdrive_auth_token|anonymized)$/, # Bug 28935
qr/^BorrowerMandatoryField$/,
qr/^category_type$/,
qr/^check_member$/,
@ -242,6 +242,7 @@ if ( $op eq 'insert' || $op eq 'modify' || $op eq 'save' || $op eq 'duplicate' )
qr/^guarantor_surname$/,
qr/^delete_guarantor$/,
);
push @keys_to_delete, map { qr/^$_$/ } split( /\s*\|\s*/, C4::Context->preference('PatronSelfRegistrationBorrowerUnwantedField') || q{} );
for my $regexp (@keys_to_delete) {
for (keys %newdata) {
delete($newdata{$_}) if /$regexp/;
@ -323,7 +324,7 @@ if ($op eq 'save' || $op eq 'insert'){
# If the cardnumber is blank, treat it as null.
$newdata{'cardnumber'} = undef if $newdata{'cardnumber'} =~ /^\s*$/;
if (my $error_code = checkcardnumber($newdata{cardnumber},$newdata{borrowernumber})){
if (my $error_code = checkcardnumber( $newdata{cardnumber}, $borrowernumber )){
push @errors, $error_code == 1
? 'ERROR_cardnumber_already_exists'
: $error_code == 2
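Review bot: The field names taken from the preference on the `push @keys_to_delete, map { qr/^$_$/ } split( ... )` line are interpolated into a regex unescaped, so a configured name containing regex metacharacters would match more keys than intended or make qr// die; `map { qr/^\Q$_\E$/ }` makes each entry match only itself, consistent with the literal `qr/^flags$/`-style entries above it. It also looks like the preference read here is the OPAC self-registration list (`PatronSelfRegistrationBorrowerUnwantedField`) although this is the staff member-entry script; if the staff-side list is meant, that would be `BorrowerUnwantedField`, and otherwise a short comment such as `# Self-registration unwanted fields are also stripped from staff edits` would stop a reader from treating it as a copy-paste mistake. The enclosing `if` block starts before the first hunk and continues after the last one.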

5
opac/opac-memberentry.pl

@ -522,7 +522,10 @@ sub ParseCgiForBorrower {
# Replace checkbox 'agreed' by datetime in gdpr_proc_consent
$borrower{gdpr_proc_consent} = dt_from_string if $borrower{gdpr_proc_consent} && $borrower{gdpr_proc_consent} eq 'agreed';
delete $borrower{flags};
delete $borrower{$_} for qw/borrowernumber date_renewed debarred debarredcomment flags privacy privacy_guarantor_fines privacy_guarantor_checkouts checkprevcheckout updated_on lastseen lang login_attempts overdrive_auth_token anonymized/; # See also members/memberentry.pl
delete $borrower{$_} for qw/dateenrolled dateexpiry borrowernotes opacnote sort1 sort2 sms_provider_id autorenew_checkouts gonenoaddress lost relationship/; # On OPAC only
delete $borrower{$_} for split( /\s*\|\s*/, C4::Context->preference('PatronSelfRegistrationBorrowerUnwantedField') || q{} );
return %borrower;
}
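Review bot: `delete $borrower{flags};` is now redundant, since `flags` is also in the qw list on the following line; dropping the standalone delete leaves a single list to maintain. These deny-lists (here and the one in members/memberentry.pl) have to be updated by hand whenever a sensitive borrowers column is added, and nothing ties the two together beyond the `# See also` comment, so a future column would silently remain settable from the form. Extend that comment to state that any new column that must not be user-settable has to be added in both scripts, or move the shared list into one helper both scripts call. ParseCgiForBorrower starts before the hunk.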
