From 3034c028264f072fc1a447a11a518255282fc990 Mon Sep 17 00:00:00 2001 From: Nick Clemens Date: Thu, 16 May 2019 10:54:03 +0000 Subject: [PATCH] Bug 22724: Check permissions in the script before displaying template Signed-off-by: Liz Rea Signed-off-by: Nick Clemens --- members/paycollect.pl | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/members/paycollect.pl b/members/paycollect.pl index cecf2e3fb2..f105c8e398 100755 --- a/members/paycollect.pl +++ b/members/paycollect.pl @@ -36,7 +36,10 @@ use Koha::Token; my $input = CGI->new(); -my $updatecharges_permissions = $input->param('writeoff_individual') ? 'writeoff' : 'remaining_permissions'; +my $writeoff_individual = $input->param('writeoff_individual'); +my $type = scalar $input->param('type') || 'payment'; + +my $updatecharges_permissions = ($writeoff_individual || $type eq 'writeoff') ? 'writeoff' : 'remaining_permissions'; my ( $template, $loggedinuser, $cookie ) = get_template_and_user( { template_name => 'members/paycollect.tt', query => $input, @@ -62,19 +65,17 @@ my $total_due = $patron->account->outstanding_debits->total_outstanding; my $total_paid = $input->param('paid'); -my $individual = $input->param('pay_individual'); -my $writeoff = $input->param('writeoff_individual'); my $select_lines = $input->param('selected'); +my $pay_individual = $input->param('pay_individual'); my $select = $input->param('selected_accts'); my $payment_note = uri_unescape scalar $input->param('payment_note'); my $payment_type = scalar $input->param('payment_type'); -my $type = scalar $input->param('type') || 'payment', my $accountlines_id; -if ( $individual || $writeoff ) { - if ($individual) { +if ( $pay_individual || $writeoff_individual ) { + if ($pay_individual) { $template->param( pay_individual => 1 ); - } elsif ($writeoff) { + } elsif ($writeoff_individual) { $template->param( writeoff_individual => 1 ); } my $accounttype = $input->param('accounttype'); @@ -117,7 +118,7 @@ if ( $total_paid and $total_paid ne '0.00' ) { token => scalar $input->param('csrf_token'), }); - if ($individual) { + if ($pay_individual) { my $line = Koha::Account::Lines->find($accountlines_id); Koha::Account->new( { patron_id => $borrowernumber } )->pay( { -- 2.39.5