From 51157a763bf03f7aa11b3c7b6692f5e63cec1333 Mon Sep 17 00:00:00 2001 From: Fridolin Somers Date: Thu, 4 Jul 2024 16:18:17 +0200 Subject: [PATCH] Bug 37247: Fix subscriptions operation allowed without authentication Move close and reopen after get_template_and_user(). Also move Koha::Subscriptions->find(), not a good idea to run DB queries before authentication. Test plan : 1) Apply patch 2) Authenticate to staff interface 3) Go to an existing open subscription 4) Open a new browser tab and use it to log-out 5) Go to first tab and click on 'Close' 6) You get login page 7) Authenticate 8) Check subscription is not closed 9) Check you can close and reopen subscription Signed-off-by: Chris Cormack Signed-off-by: Martin Renvoize --- serials/subscription-detail.pl | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/serials/subscription-detail.pl b/serials/subscription-detail.pl index 74a0ee8aab..488cb6dfde 100755 --- a/serials/subscription-detail.pl +++ b/serials/subscription-detail.pl @@ -34,17 +34,10 @@ use Carp qw( carp ); use Koha::SharedContent; my $query = CGI->new; -my $op = $query->param('op') || q{}; + +my $op = $query->param('op') || q{}; my $issueconfirmed = $query->param('issueconfirmed'); -my $dbh = C4::Context->dbh; my $subscriptionid = $query->param('subscriptionid'); -my $subscription = Koha::Subscriptions->find( $subscriptionid ); - -if ( $op and $op eq "close" ) { - C4::Serials::CloseSubscription( $subscriptionid ); -} elsif ( $op and $op eq "reopen" ) { - C4::Serials::ReopenSubscription( $subscriptionid ); -} # the subscription must be deletable if there is NO issues for a reason or another (should not happened, but...) @@ -69,7 +62,13 @@ $subs->{enddate} ||= GetExpirationDate($subscriptionid); my ($totalissues,@serialslist) = GetSerials($subscriptionid); $totalissues-- if $totalissues; # the -1 is to have 0 if this is a new subscription (only 1 issue) -if ($op eq 'del') { +my $subscription = Koha::Subscriptions->find( $subscriptionid ); + +if ( $op and $op eq "close" ) { + C4::Serials::CloseSubscription( $subscriptionid ); +} elsif ( $op and $op eq "reopen" ) { + C4::Serials::ReopenSubscription( $subscriptionid ); +} elsif ($op eq 'del') { if ($$subs{'cannotedit'}){ carp "Attempt to delete subscription $subscriptionid by ".C4::Context->userenv->{'id'}." not allowed"; print $query->redirect("/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=$subscriptionid"); @@ -94,8 +93,7 @@ if ($op eq 'del') { print $query->redirect("/cgi-bin/koha/serials/serials-home.pl"); exit; } -} -elsif ( $op and $op eq "share" ) { +} elsif ( $op eq "share" ) { my $mana_language = $query->param('mana_language'); my $result = Koha::SharedContent::send_entity($mana_language, $loggedinuser, $subscriptionid, 'subscription'); $template->param( mana_code => $result->{msg} ); -- 2.39.5