From 214e87d886faaf7abf64c1dc83d3b590d6adc8dc Mon Sep 17 00:00:00 2001
From: Rafal Kopaczka
Date: Thu, 4 Sep 2014 16:40:33 +0200
Subject: [PATCH] Bug 12873 - Reserve can be cancelled by any logged in user

It is possible to cancel reservations through simply running opac-modreserve.pl with existing reserve_id number. This may provide remove even all reservations from system. The only limitation is that user have to be logged in. Simplest solution is to check whether reserve belongs to user or not.

Test plan:
1. Create reserves by 2 different users, and get their ID's
2. Before patch, hold may by cancelled by anyone who run site: http://example.com/cgi-bin/koha/opac-modrequest.pl?reserve_id=XXX
3. After patch hold may by cancelled only by user whose reserve is.

Signed-off-by: Jonathan Druart
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Galen Charlton
(cherry picked from commit 60875757c761a9ad59734e968cf34a831c65e9a6)
Signed-off-by: Fridolin Somers
---
 opac/opac-modrequest.pl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/opac/opac-modrequest.pl b/opac/opac-modrequest.pl
index 7ec11eb789..2f63df02ca 100755
--- a/opac/opac-modrequest.pl
+++ b/opac/opac-modrequest.pl
@@ -45,7 +45,9 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 
 my $reserve_id = $query->param('reserve_id');
 if ($reserve_id && $borrowernumber) {
-    CancelReserve({ reserve_id => $reserve_id });
+
+    my $reserve = GetReserve($reserve_id);
+    CancelReserve({ reserve_id => $reserve_id }) if $borrowernumber == $reserve->{borrowernumber} ;
 }
 
 print $query->redirect("/cgi-bin/koha/opac-user.pl#opac-user-holds");
-- 
2.39.5
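Review bot: The ownership guard on the new `CancelReserve` line dereferences `$reserve` without first checking that `GetReserve($reserve_id)` actually found a row, so a forged or stale reserve_id presumably leaves `$reserve->{borrowernumber}` undef and the authorization decision rests on a numeric `==` against undef (an "uninitialized value" warning under `use warnings`, and a comparison that only holds because undef coerces to 0). Since reserve_id comes straight from the query string, make the missing case explicit and compare only when both sides are defined: `CancelReserve({ reserve_id => $reserve_id }) if $reserve && defined $reserve->{borrowernumber} && $reserve->{borrowernumber} == $borrowernumber;`, which also drops the stray space before the trailing `;`. Checking ownership before cancelling is the right repair for bug 12873; a one-line comment such as `# only the hold's owner may cancel it (bug 12873)` above the guard would record why it exists for the next maintainer.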