From 244a214333756fb376143a9280374055871b2a2d Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Tue, 19 Nov 2019 14:51:50 +0000
Subject: [PATCH] Bug 23634: Prevent non-superlibrarians from editing superlibarian emails

This patchset prevents a non-superlibrarian user from editing a superlibrarians email address via memberentry. This is to prevent a privilege escalation vulnerability whereby a user could update a superlibrarians contact details to match their own and then request a password reset via the OPAC.

Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Marcel de Rooy
Signed-off-by: Lucas Gass
(cherry picked from commit e4fdbd69722ee33fb0e7125f9a1b316e7f9f8b02)
---
 .../prog/en/includes/member-alt-address-style.inc | 4 ++++
 .../prog/en/modules/members/memberentrygen.tt | 10 +++++++++-
 members/memberentry.pl | 10 +++++++++-
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/member-alt-address-style.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/member-alt-address-style.inc
index 69fb6649b8..7b3f9bbd70 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/member-alt-address-style.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/member-alt-address-style.inc
@@ -222,7 +222,11 @@ + [% IF ( NoUpdateEmail ) %] + + [% ELSE %] + [% END %] [% IF ( mandatoryB_email ) %]Required[% END %] [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
index 9ff3b1a8e7..b65bbfa93f 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
@@ -712,7 +712,11 @@ legend:hover { [% END %] Primary email: + [% IF ( NoUpdateEmail ) %] + + [% ELSE %] + [% END %] [% IF ( mandatoryemail ) %] Required [% END %]
@@ -729,12 +733,16 @@ legend:hover { [% END %] Secondary email: + [% IF ( NoUpdateEmail ) %] + + [% ELSE %] + [% END %] [% IF ( mandatoryemailpro ) %] Required [% END %] - [% END # /UNLESS noemailpro %] + [% END #/UNLESS noemailpro %] [% UNLESS nofax %]
•
diff --git a/members/memberentry.pl b/members/memberentry.pl
index ec6c08c4c5..eb6d63d208 100755
--- a/members/memberentry.pl
+++ b/members/memberentry.pl
@@ -101,6 +101,7 @@ my $step = $input->param('step') || 0;
 my @errors;
 my $borrower_data;
 my $NoUpdateLogin;
+my $NoUpdateEmail;
 my $userenv = C4::Context->userenv;
 my @messages;
@@ -170,6 +171,11 @@ if ( $op eq 'modify' or $op eq 'save' or $op eq 'duplicate' ) {
 my $logged_in_user = Koha::Patrons->find( $loggedinuser );
 output_and_exit_if_error( $input, $cookie, $template, { module => 'members', logged_in_user => $logged_in_user, current_patron => $patron } );
+ # check permission to modify email info.
+ if ( $patron->is_superlibrarian && !$logged_in_user->is_superlibrarian ) {
+ $NoUpdateEmail = 1;
+ }
+
 $borrower_data = $patron->unblessed;
 $borrower_data->{category_type} = $patron->category->category_type;
 }
@@ -210,7 +216,8 @@ if ( $op eq 'insert' || $op eq 'modify' || $op eq 'save' || $op eq 'duplicate' )
 push(@errors,"ERROR_$_");
 }
 }
- # check permission to modify login info.
+
+ # check permission to modify login info.
 if (ref($borrower_data) && ($borrower_data->{'category_type'} eq 'S') && ! (C4::Auth::haspermission($userenv->{'id'},{'staffaccess'=>1})) ) {
 $NoUpdateLogin = 1;
 }
@@ -831,6 +838,7 @@ $template->param(
 modify => $modify,
 nok => $nok,#flag to know if an error
 NoUpdateLogin => $NoUpdateLogin,
+ NoUpdateEmail => $NoUpdateEmail,
 );
 
 # Generate CSRF token
-- 
2.39.5
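Review bot: The `$NoUpdateEmail = 1` set in the second memberentry.pl hunk only reaches the templates, where the member-alt-address-style.inc and memberentrygen.tt hunks render the email inputs as non-editable; nothing in the save path drops the submitted email values when the flag is set, and no such filtering appears anywhere in this patch (the diffstat accounts for every memberentry.pl change). A read-only input is a presentation hint, so a request that still carries the email parameters would be stored as before unless an existing server-side guard outside these hunks already handles it, which I cannot confirm from here. I would mirror whatever is presumably done for `$NoUpdateLogin` and, on `$op eq 'save'`, remove the primary, secondary and alternate-address email fields from the patron data before it is written whenever `$NoUpdateEmail` is true; the field names are not visible in these hunks, so take them from the template inputs. A one-line comment on the declaration in the first hunk, `# Set when the target is a superlibrarian and the editor is not; email fields must then be ignored on save.`, would make that contract explicit for the next maintainer.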