From 2ec64eaa23df015adae3e7725e27bf9f918cd8e1 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Wed, 19 Jan 2022 11:21:54 +0100
Subject: [PATCH] Bug 29903: Prevent messages to be deleted from unauthorised
 users

The "Delete" link is hidden but the controller does not do the necessary checks.

/cgi-bin/koha/circ/del_message.pl?message_id=1&borrowernumber=5&from=moremember

Test plan:
Create a message, see the "Delete" link, don't click it but copy it
Change logged in library and use the link
If AllowAllMessageDeletion is off you should be redirected to 403

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a2b9a76431a887aad7ebcee7b34fb921159271fd)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 5f9b8321ae6b2f5adc9e0c21dcd9f780b59c47d5)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
---
 circ/del_message.pl | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/circ/del_message.pl b/circ/del_message.pl
index 36c25c3f2e..deaafa16ab 100755
--- a/circ/del_message.pl
+++ b/circ/del_message.pl
@@ -40,6 +40,14 @@ my $borrowernumber = $input->param('borrowernumber');
 my $message_id     = $input->param('message_id');
 
 my $message = Koha::Patron::Messages->find($message_id);
+if ( $message
+    && !C4::Context->preference('AllowAllMessageDeletion')
+    && C4::Context->userenv->{'branch'} ne $message->branchcode )
+{
+    print $input->redirect("/cgi-bin/koha/errors/403.pl");
+    exit;
+}
+
 $message->delete if $message;
 
 if ( $input->param('from') eq  "moremember" ) {
-- 
2.39.5