opac-article-request-cancel.pl doesn't check that the article request to
be cancelled actually belongs to the logged-in borrower. This results in
any logged-in user being able to cancel any article request just by
changing the id in the URL.
Test plan:
- Login with Patron P1, create an article request
- Cancel it
- Create another one
- Copy the cancellation link (must be /cgi-bin/koha/opac-article-request-cancel.pl?id=X)
- Login with Patron P2
- Hit the cancellation link
=> Without this patch the article request is cancelled
=> With this patch applied there is a 404 redirection
Note that the 404 will also appears when the article request id does not
exist.
Signed-off-by: Ere Maijala <ere.maijala@helsinki.fi>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jennifer Schmidt <jschmidt@switchinc.org>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>