From b402e8212186ca8a05d57b7b5656aa02a73e17d9 Mon Sep 17 00:00:00 2001 From: Fridolin Somers Date: Thu, 4 Jul 2024 16:18:17 +0200 Subject: [PATCH] Bug 37247: [23.05.x] Fix subscriptions operation allowed without authentication Move close and reopen after get_template_and_user(). Also move Koha::Subscriptions->find(), not a good idea to run DB queries before authentication. Test plan : 1) Apply patch 2) Authenticate to staff interface 3) Go to an existing open subscription 4) Open a new browser tab and use it to log-out 5) Go to first tab and click on 'Close' 6) You get login page 7) Authenticate 8) Check subscription is not closed 9) Check you can close and reopen subscription Signed-off-by: Chris Cormack Signed-off-by: Martin Renvoize Signed-off-by: wainuiwitikapark --- serials/subscription-detail.pl | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/serials/subscription-detail.pl b/serials/subscription-detail.pl index 2ae5cd3ef7..60c28fd9cc 100755 --- a/serials/subscription-detail.pl +++ b/serials/subscription-detail.pl @@ -34,17 +34,11 @@ use Carp qw( carp ); use Koha::SharedContent; my $query = CGI->new; -my $op = $query->param('op') || q{}; + +my $op = $query->param('op') || q{}; my $issueconfirmed = $query->param('issueconfirmed'); -my $dbh = C4::Context->dbh; my $subscriptionid = $query->param('subscriptionid'); -if ( $op and $op eq "close" ) { - C4::Serials::CloseSubscription( $subscriptionid ); -} elsif ( $op and $op eq "reopen" ) { - C4::Serials::ReopenSubscription( $subscriptionid ); -} - # the subscription must be deletable if there is NO issues for a reason or another (should not happened, but...) # Permission needed if it is a deletion (del) : delete_subscription @@ -68,7 +62,13 @@ $subs->{enddate} ||= GetExpirationDate($subscriptionid); my ($totalissues,@serialslist) = GetSerials($subscriptionid); $totalissues-- if $totalissues; # the -1 is to have 0 if this is a new subscription (only 1 issue) -if ($op eq 'del') { +my $subscription = Koha::Subscriptions->find( $subscriptionid ); + +if ( $op and $op eq "close" ) { + C4::Serials::CloseSubscription( $subscriptionid ); +} elsif ( $op and $op eq "reopen" ) { + C4::Serials::ReopenSubscription( $subscriptionid ); +} elsif ($op eq 'del') { if ($$subs{'cannotedit'}){ carp "Attempt to delete subscription $subscriptionid by ".C4::Context->userenv->{'id'}." not allowed"; print $query->redirect("/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=$subscriptionid"); @@ -93,8 +93,7 @@ if ($op eq 'del') { print $query->redirect("/cgi-bin/koha/serials/serials-home.pl"); exit; } -} -elsif ( $op and $op eq "share" ) { +} elsif ( $op eq "share" ) { my $mana_language = $query->param('mana_language'); my $result = Koha::SharedContent::send_entity($mana_language, $loggedinuser, $subscriptionid, 'subscription'); $template->param( mana_code => $result->{msg} ); -- 2.39.5