From fc22f96aace8cd918b1a350b4bbd7591944943c1 Mon Sep 17 00:00:00 2001 From: Fridolin Somers Date: Thu, 4 Jul 2024 16:18:17 +0200 Subject: [PATCH] Bug 37247: Fix subscriptions operation allowed without authentication Move close and reopen after get_template_and_user(). Also move Koha::Subscriptions->find(), not a good idea to run DB queries before authentication. Test plan : 1) Apply patch 2) Authenticate to staff interface 3) Go to an existing open subscription 4) Open a new browser tab and use it to log-out 5) Go to first tab and click on 'Close' 6) You get login page 7) Authenticate 8) Check subscription is not closed 9) Check you can close and reopen subscription Signed-off-by: Chris Cormack Signed-off-by: Martin Renvoize Signed-off-by: Lucas Gass --- serials/subscription-detail.pl | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/serials/subscription-detail.pl b/serials/subscription-detail.pl index d033ab30d8..2f3518d4a8 100755 --- a/serials/subscription-detail.pl +++ b/serials/subscription-detail.pl @@ -34,17 +34,10 @@ use Carp qw( carp ); use Koha::SharedContent; my $query = CGI->new; -my $op = $query->param('op') || q{}; + +my $op = $query->param('op') || q{}; my $issueconfirmed = $query->param('issueconfirmed'); -my $dbh = C4::Context->dbh; my $subscriptionid = $query->param('subscriptionid'); -my $subscription = Koha::Subscriptions->find( $subscriptionid ); - -if ( $op and $op eq "cud-close" ) { - C4::Serials::CloseSubscription( $subscriptionid ); -} elsif ( $op and $op eq "cud-reopen" ) { - C4::Serials::ReopenSubscription( $subscriptionid ); -} # the subscription must be deletable if there is NO issues for a reason or another (should not happened, but...) @@ -69,7 +62,13 @@ $subs->{enddate} ||= GetExpirationDate($subscriptionid); my ($totalissues,@serialslist) = GetSerials($subscriptionid); $totalissues-- if $totalissues; # the -1 is to have 0 if this is a new subscription (only 1 issue) -if ($op eq 'cud-del') { +my $subscription = Koha::Subscriptions->find( $subscriptionid ); + +if ( $op eq "cud-close" ) { + C4::Serials::CloseSubscription( $subscriptionid ); +} elsif ( $op eq "cud-reopen" ) { + C4::Serials::ReopenSubscription( $subscriptionid ); +} elsif ( $op eq "cud-del" ) { if ($$subs{'cannotedit'}){ carp "Attempt to delete subscription $subscriptionid by ".C4::Context->userenv->{'id'}." not allowed"; print $query->redirect("/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=$subscriptionid"); @@ -94,8 +93,7 @@ if ($op eq 'cud-del') { print $query->redirect("/cgi-bin/koha/serials/serials-home.pl"); exit; } -} -elsif ( $op and $op eq "share" ) { +} elsif ( $op eq "share" ) { my $mana_language = $query->param('mana_language'); my $result = Koha::SharedContent::send_entity($mana_language, $loggedinuser, $subscriptionid, 'subscription'); $template->param( mana_code => $result->{msg} ); -- 2.39.5