Bug 18349: SCO - Do not trust the confirmed flag

The "confirmed" flag is used to know if that user confirmed a situation that needs a confirmation. But if the issue/renew is impossible the CanBookBeIssued and the 'impossible flags' should be checked. Otherwise a patron can checkout and renew bypassing the circulation rules (Understand 'no limit' here...) Test plan: Want to renew? Checkin $barcode, then /cgi-bin/koha/sco/sco-main.pl?patronid=$cardnumber&barcode=$barcode&confirmed=1&op=checkout Want to bypass the checkin? Same url... Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-03-29 18:25:40 -03:00 · 2017-03-29 18:25:40 -03:00 · 85bd15a83f
commit 85bd15a83f
parent 2471dab71d
1 changed files with 7 additions and 9 deletions
--- a/opac/sco/sco-main.pl
+++ b/opac/sco/sco-main.pl
@ -137,15 +137,13 @@ elsif ( $op eq "returnbook" && $allowselfcheckreturns ) {
 elsif ( $op eq "checkout" ) {
    my $impossible  = {};
    my $needconfirm = {};
-    if ( !$confirmed ) {
-        ( $impossible, $needconfirm ) = CanBookBeIssued(
-            $borrower,
-            $barcode,
-            undef,
-            0,
-            C4::Context->preference("AllowItemsOnHoldCheckoutSCO")
-        );
-    }
+    ( $impossible, $needconfirm ) = CanBookBeIssued(
+        $borrower,
+        $barcode,
+        undef,
+        0,
+        C4::Context->preference("AllowItemsOnHoldCheckoutSCO")
+    );
    $confirm_required = scalar keys %$needconfirm;

    #warn "confirm_required: " . $confirm_required ;