From e9591ae761c569b12c7641d9cc1733c4879108fe Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Mon, 20 Jul 2020 09:44:05 +0100
Subject: [PATCH] Bug 26023: Properly secure the cashup action for libraries
The libraries summary page for cash management is available for users wit the 'anonymous_refund' permission to allow them to navigate to alternate cash registers and search for the prior transaction to refund. However, currently the cashup option appears, and is not blocked at the server, for all user who may access the page. It should be blocked for those users without the 'cashup' permission.
Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Jonathan Druart
(cherry picked from commit 4356e678f2254707c48a6f89658ed089a6b9e662)
Signed-off-by: Lucas Gass
---
 .../prog/en/modules/pos/registers.tt | 20 ++++++++++++-
 pos/registers.pl | 29 +++++++++++--------
 2 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/pos/registers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/pos/registers.tt
index 026dd1c9fa..384bae596c 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/pos/registers.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/pos/registers.tt
@@ -25,9 +25,18 @@ can record payments. [% ELSE %] + + [% IF ( error_cashup_permission ) %] +
+ You do not have permission to perform cashup actions. +
+ [% END %] + + [% IF CAN_user_cash_management_cashup %]
+ [% END %]

Library transaction details for [% library.branchname | html %]

@@ -47,7 +56,9 @@ Bankable Income (cash) Outgoing (cash) + [% IF CAN_user_cash_management_cashup %] Actions + [% END %] [% SET bankable = 0, ctotal = 0, dtotal = 0, cctotal = 0, cdtotal = 0 %]
@@ -81,9 +92,12 @@ [% rdtotal | $Price %] ([% rcdtotal | $Price %]) [% SET dtotal = dtotal + rdtotal %] [% SET cdtotal = cdtotal + rcdtotal %] + + [% IF CAN_user_cash_management_cashup %] + [% END %] [% END %]
@@ -93,7 +107,11 @@ [% bankable | $Price %] [% ctotal | $Price %] ([% cctotal | $Price %]) [% dtotal | $Price %] ([% cdtotal | $Price %]) - + [% IF CAN_user_cash_management_cashup %] + + + + [% END %]
diff --git a/pos/registers.pl b/pos/registers.pl
index c2194a2417..44c81363fb 100755
--- a/pos/registers.pl
+++ b/pos/registers.pl
@@ -56,18 +56,10 @@ else {
 my $op = $input->param('op') // '';
 if ( $op eq 'cashup' ) {
- my $registerid = $input->param('registerid');
- if ($registerid) {
- my $register = Koha::Cash::Registers->find( { id => $registerid } );
- $register->add_cashup(
- {
- manager_id => $logged_in_user->id,
- amount => $register->outstanding_accountlines->total
- }
- );
- }
- else {
- for my $register ( $registers->as_list ) {
+ if ( $logged_in_user->has_permission( { cash_management => 'cashup' } ) ) {
+ my $registerid = $input->param('registerid');
+ if ($registerid) {
+ my $register = Koha::Cash::Registers->find( { id => $registerid } );
 $register->add_cashup(
 {
 manager_id => $logged_in_user->id,
@@ -75,6 +67,19 @@ if ( $op eq 'cashup' ) {
 }
 );
 }
+ else {
+ for my $register ( $registers->as_list ) {
+ $register->add_cashup(
+ {
+ manager_id => $logged_in_user->id,
+ amount => $register->outstanding_accountlines->total
+ }
+ );
+ }
+ }
+ }
+ else {
+ $template->param( error_cashup_permission => 1 );
 }
 }
-- 2.39.5
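Review bot: The `Actions` header guard added in the `@@ -47,7 +56,9 @@` hunk is only correct while the per-row cell guard in the `@@ -81,9 +92,12 @@` hunk and the footer guard in the `@@ -93,7 +107,11 @@` hunk keep using the same `CAN_user_cash_management_cashup` test; if any one of the three is edited alone, the rendered column count of the table no longer matches between header, body and footer. A one-line template comment before the header guard, `[%# Actions column: keep this guard in sync with the row and footer cells below %]`, would make that dependency visible to the next editor. As a point of style, these three hunks write `[% IF CAN_user_cash_management_cashup %]` while the first hunk writes `[% IF ( error_cashup_permission ) %]` with parentheses; one form should be used throughout the file.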
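Review bot: `Koha::Cash::Registers->find( { id => $registerid } )` on the new side of the first registers.pl hunk can return undef for an id that matches no register, and the unchanged `$register->add_cashup(` that follows then dies with a method-on-undefined error instead of a controlled response; guard it, e.g. `if ($register) { $register->add_cashup( ... ) }`, or report it through a template parameter the way the new `else` branch reports the missing permission. The single-register branch also acts on the request-supplied id alone, whereas the cashup-all branch iterates `$registers` (built outside the hunk); if `$registers` is restricted to the library being viewed, `my $register = $registers->find( { id => $registerid } );` would keep both branches on the same set, though whether that restriction exists cannot be confirmed from this hunk. The `if ($registerid)` body opened in this hunk closes in the second hunk.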