Bug 33702: Prevent ILL requests to be modified by somebody else
Same as previous patch, but for 'update' and 'cancreq'. We remove the redirect, but here we only want to focus on the security fix. Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> Confirmed. Without this patch a patron can modify and cancel any ILL request in the OPAC. With this patch the patron is redirected to the 404 page if modification or cancellation is attempted. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This commit is contained in:
parent
a824b400e0
commit
f32c107197
1 changed files with 22 additions and 32 deletions
|
@ -59,56 +59,46 @@ $template->param( backends_available => $backends_available );
|
|||
|
||||
my $op = $params->{'method'} || 'list';
|
||||
|
||||
if ( $op eq 'list' ) {
|
||||
|
||||
my $requests = Koha::Illrequests->search(
|
||||
{ borrowernumber => $loggedinuser }
|
||||
);
|
||||
my $req = Koha::Illrequest->new;
|
||||
$template->param(
|
||||
requests => $requests,
|
||||
backends => $backends
|
||||
);
|
||||
|
||||
} elsif ( $op eq 'view') {
|
||||
my $request = Koha::Illrequests->find({
|
||||
borrowernumber => $loggedinuser,
|
||||
illrequest_id => $params->{illrequest_id}
|
||||
});
|
||||
my ( $illrequest_id, $request );
|
||||
if ( $illrequest_id = $params->{illrequest_id} ) {
|
||||
$request = Koha::Illrequests->find($illrequest_id);
|
||||
# Make sure the request belongs to the logged in user
|
||||
unless ( $request->borrowernumber == $loggedinuser ) {
|
||||
print $query->redirect("/cgi-bin/koha/errors/404.pl");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
if ( $op eq 'list' ) {
|
||||
|
||||
my $requests = Koha::Illrequests->search(
|
||||
{ borrowernumber => $loggedinuser }
|
||||
);
|
||||
$template->param(
|
||||
requests => $requests,
|
||||
backends => $backends
|
||||
);
|
||||
|
||||
} elsif ( $op eq 'view') {
|
||||
$template->param(
|
||||
request => $request
|
||||
);
|
||||
|
||||
} elsif ( $op eq 'update') {
|
||||
my $request = Koha::Illrequests->find({
|
||||
borrowernumber => $loggedinuser,
|
||||
illrequest_id => $params->{illrequest_id}
|
||||
});
|
||||
$request->notesopac($params->{notesopac})->store;
|
||||
# Send a notice to staff alerting them of the update
|
||||
$request->send_staff_notice('ILL_REQUEST_MODIFIED');
|
||||
print $query->redirect(
|
||||
'/cgi-bin/koha/opac-illrequests.pl?method=view&illrequest_id=' .
|
||||
$params->{illrequest_id} .
|
||||
'&message=1'
|
||||
);
|
||||
'/cgi-bin/koha/opac-illrequests.pl?method=view&illrequest_id='
|
||||
. $illrequest_id
|
||||
. '&message=1' );
|
||||
exit;
|
||||
} elsif ( $op eq 'cancreq') {
|
||||
my $request = Koha::Illrequests->find({
|
||||
borrowernumber => $loggedinuser,
|
||||
illrequest_id => $params->{illrequest_id}
|
||||
});
|
||||
$request->status('CANCREQ')->store;
|
||||
print $query->redirect(
|
||||
'/cgi-bin/koha/opac-illrequests.pl?method=view&illrequest_id=' .
|
||||
$params->{illrequest_id} .
|
||||
'&message=1'
|
||||
);
|
||||
'/cgi-bin/koha/opac-illrequests.pl?method=view&illrequest_id='
|
||||
. $illrequest_id
|
||||
. '&message=1' );
|
||||
exit;
|
||||
} elsif ( $op eq 'create' ) {
|
||||
if (!$params->{backend}) {
|
||||
|
|
Loading…
Reference in a new issue