From c4495539357d453200f3c86ef4f8bf247371407d Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 2 Dec 2021 09:04:14 +0100 Subject: [PATCH] Bug 29544: Fix opac-issue-note.pl We must check if logged in user is trying to modify one of their checkouts Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi Signed-off-by: Victor Grousset/tuxayo (cherry picked from commit b8b4328ffddfbb03a4a9f0647bd0df6a79c4badd) Signed-off-by: Wainui Witika-Park --- opac/opac-issue-note.pl | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/opac/opac-issue-note.pl b/opac/opac-issue-note.pl index a601fef9ff..f8e9463f8e 100755 --- a/opac/opac-issue-note.pl +++ b/opac/opac-issue-note.pl @@ -51,6 +51,14 @@ $template->param( my $issue_id = $query->param('issue_id'); my $issue = Koha::Checkouts->find( $issue_id ); + + +if ( !$issue || $issue->borrowernumber != $borrowernumber ) { + # exit early + print $query->redirect("/cgi-bin/koha/opac-user.pl"); + exit; +} + my $itemnumber = $issue->itemnumber; my $biblio = $issue->item->biblio; $template->param( @@ -62,10 +70,11 @@ $template->param( ); my $action = $query->param('action') || ""; -if ( $action eq 'issuenote' && C4::Context->preference('AllowCheckoutNotes') ) { +if ( $action eq 'issuenote' && C4::Context->preference('AllowCheckoutNotes') && $issue ) { my $note = $query->param('note'); my $scrubber = C4::Scrubber->new(); my $clean_note = $scrubber->scrub($note); + if ( $issue->set({ notedate => dt_from_string(), note => $clean_note, noteseen => 0 })->store ) { if ($clean_note) { # only send email if note not empty my $branch = Koha::Libraries->find( $issue->branchcode ); -- 2.39.5
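Review bot: In the first hunk the guard `if ( !$issue || $issue->borrowernumber != $borrowernumber )` is the right place to stop a patron from reading or annotating someone else's checkout, but `# exit early` records nothing about the reason; I would replace it with `# Bug 29544: only the patron who owns this checkout may view or annotate it`. The comparison depends on `$borrowernumber` being the authenticated patron's number, which is assigned above this hunk and not visible here, so the session check that sets it should be confirmed to require a login before this point. The redirect-then-exit shape is fine; the two added blank lines before the `if` are more than the single blank the surrounding code uses.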
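Review bot: In the second hunk the `&& $issue` appended to the `issuenote` condition is dead once the early exit in the first hunk is in place, because `$issue` is always defined by the time this line runs, and it invites the next reader to look for a path where it is not; I would keep the condition as `if ( $action eq 'issuenote' && C4::Context->preference('AllowCheckoutNotes') ) {`. If it is intended as a second line of defence, a one-line comment saying so would make that explicit. The blank line added before the `$issue->set(...)` call is whitespace only. The enclosing `if` block continues past the end of the hunk.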