From a553e927ee452737a6613116f5f4d02b08dcf1ba Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 2 Dec 2021 09:04:14 +0100
Subject: [PATCH] Bug 29544: Fix opac-issue-note.pl

We must check if logged in user is trying to modify one of their checkouts

Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Victor Grousset/tuxayo
---
 opac/opac-issue-note.pl | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/opac/opac-issue-note.pl b/opac/opac-issue-note.pl
index 781a532695..84bd0927bc 100755
--- a/opac/opac-issue-note.pl
+++ b/opac/opac-issue-note.pl
@@ -51,6 +51,14 @@ $template->param(
 my $issue_id = $query->param('issue_id');
 my $issue = Koha::Checkouts->find( $issue_id );
+
+
+if ( !$issue || $issue->borrowernumber != $borrowernumber ) {
+ # exit early
+ print $query->redirect("/cgi-bin/koha/opac-user.pl");
+ exit;
+}
+
 my $itemnumber = $issue->itemnumber;
 my $biblio = $issue->item->biblio;
 $template->param(
@@ -62,10 +70,11 @@ $template->param(
 );
 my $action = $query->param('action') || "";
-if ( $action eq 'issuenote' && C4::Context->preference('AllowCheckoutNotes') ) {
+if ( $action eq 'issuenote' && C4::Context->preference('AllowCheckoutNotes') && $issue ) {
 my $note = $query->param('note');
 my $scrubber = C4::Scrubber->new();
 my $clean_note = $scrubber->scrub($note);
+
 if ( $issue->set({ notedate => dt_from_string(), note => $clean_note, noteseen => 0 })->store ) {
 if ($clean_note) { # only send email if note not empty
 my $branch = Koha::Libraries->find( $issue->branchcode );
--
2.39.5
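Review bot: The ownership guard added after `my $issue = Koha::Checkouts->find( $issue_id );` relies on Perl's numeric `!=`, which silently treats an undefined `$borrowernumber` as 0; it stays fail-closed for a real checkout (whose borrowernumber is non-zero), but it depends on `$borrowernumber` having been populated by the login handling above the hunk, which is not visible here, and an undef value would also emit an "uninitialized" warning on every request. Making the test explicit, `if ( !$issue || !$borrowernumber || $issue->borrowernumber != $borrowernumber ) {`, states the intent without leaning on undef-to-0 conversion. The `# exit early` comment says what happens but not why; `# Only the borrower who owns this checkout may view or annotate it; anyone else is redirected to opac-user.pl` would tell the next reader what the redirect protects.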
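Review bot: The `&& $issue` appended to the `issuenote` condition is redundant: the early-exit guard inserted above this hunk already redirects and exits when `$issue` is undefined, so the extra operand cannot change behaviour and suggests to a reader that `$issue` might still be missing at this point. Either drop it, or keep it and say why: `# $issue is guaranteed by the ownership guard above; kept as a belt-and-braces check`. The lone blank line added after `my $clean_note = $scrubber->scrub($note);` looks accidental. Nothing in this hunk verifies that the request carries a CSRF token; if the rest of the script does not, a forged cross-site form post could still set a note on the victim's own checkout, which is worth confirming against the form template. The enclosing `if` block continues past the end of the hunk.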