Bug 37247: Fix subscriptions operation allowed without authentication

Move close and reopen after get_template_and_user().
Also move Koha::Subscriptions->find(); it is not a good idea to run DB queries
before authentication.

Test plan :
1) Apply patch
2) Authenticate to staff interface
3) Go to an existing open subscription
4) Open a new browser tab and use it to log-out
5) Go to first tab and click on 'Close'
6) You get login page
7) Authenticate
8) Check subscription is not closed
9) Check you can close and reopen subscription

Signed-off-by: Chris Cormack <chris@bigballofwax.co.nz>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Fridolin Somers 2024-07-04 16:18:17 +02:00 committed by Katrin Fischer
parent a4fef6b201
commit e3a0ad463b
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834


@ -34,17 +34,10 @@ use Carp qw( carp );
use Koha::SharedContent;
my $query = CGI->new;
my $op = $query->param('op') || q{};
my $issueconfirmed = $query->param('issueconfirmed');
my $dbh = C4::Context->dbh;
my $subscriptionid = $query->param('subscriptionid');
my $subscription = Koha::Subscriptions->find( $subscriptionid );
if ( $op and $op eq "cud-close" ) {
C4::Serials::CloseSubscription( $subscriptionid );
} elsif ( $op and $op eq "cud-reopen" ) {
C4::Serials::ReopenSubscription( $subscriptionid );
}
my $op = $query->param('op') || q{};
my $issueconfirmed = $query->param('issueconfirmed');
my $subscriptionid = $query->param('subscriptionid');
# the subscription must be deletable if there is NO issues for a reason or another (should not happened, but...)
@ -69,7 +62,13 @@ $subs->{enddate} ||= GetExpirationDate($subscriptionid);
my ($totalissues,@serialslist) = GetSerials($subscriptionid);
$totalissues-- if $totalissues; # the -1 is to have 0 if this is a new subscription (only 1 issue)
if ($op eq 'cud-del') {
my $subscription = Koha::Subscriptions->find( $subscriptionid );
if ( $op eq "cud-close" ) {
C4::Serials::CloseSubscription( $subscriptionid );
} elsif ( $op eq "cud-reopen" ) {
C4::Serials::ReopenSubscription( $subscriptionid );
} elsif ( $op eq "cud-del" ) {
if ($$subs{'cannotedit'}){
carp "Attempt to delete subscription $subscriptionid by ".C4::Context->userenv->{'id'}." not allowed";
print $query->redirect("/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=$subscriptionid");
@ -94,8 +93,7 @@ if ($op eq 'cud-del') {
print $query->redirect("/cgi-bin/koha/serials/serials-home.pl");
exit;
}
}
elsif ( $op and $op eq "share" ) {
} elsif ( $op eq "share" ) {
my $mana_language = $query->param('mana_language');
my $result = Koha::SharedContent::send_entity($mana_language, $loggedinuser, $subscriptionid, 'subscription');
$template->param( mana_code => $result->{msg} );