From 3cc0e7cae3ab063a0e77a12123177bb26348f20a Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Tue, 19 Nov 2019 14:51:50 +0000
Subject: [PATCH] Bug 23634: Prevent non-superlibrarians from editing superlibarian emails

This patchset prevents a non-superlibrarian user from editing a superlibrarians email address via memberentry. This is to prevent a privilege escalation vulnerability whereby a user could update a superlibrarians contact details to match their own and then request a password reset via the OPAC.

Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Marcel de Rooy
Signed-off-by: Aleisha Amohia
(cherry picked from commit e707fdf7b6ca155ec9abd47e2e8aef1549f01f10)
Signed-off-by: Victor Grousset/tuxayo
---
 .../prog/en/modules/members/memberentrygen.tt | 12 ++++++++++--
 members/memberentry.pl | 10 +++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
index e96b165db4..a696303996 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
@@ -480,7 +480,11 @@
- + [% IF ( NoUpdateEmail ) %] + + [% ELSE %] + + [% END %] [% IF ( mandatoryemail ) %]Required[% END %]
Shows on transit slips
@@ -493,7 +497,11 @@ - + [% IF ( NoUpdateEmail ) %] + + [% ELSE %] + + [% END %] [% IF ( mandatoryemailpro ) %]Required[% END %] [% END %]
diff --git a/members/memberentry.pl b/members/memberentry.pl
index 9f577afffc..c414a64bb4 100755
--- a/members/memberentry.pl
+++ b/members/memberentry.pl
@@ -103,6 +103,7 @@ my $step = $input->param('step') || 0;
 my @errors;
 my $borrower_data;
 my $NoUpdateLogin;
+my $NoUpdateEmail;
 my $userenv = C4::Context->userenv;
 
 ## Deal with debarments
@@ -153,6 +154,11 @@ if ( $op eq 'modify' or $op eq 'save' or $op eq 'duplicate' ) {
 my $logged_in_user = Koha::Patrons->find( $loggedinuser ) or die "Not logged in";
 output_and_exit_if_error( $input, $cookie, $template, { module => 'members', logged_in_user => $logged_in_user, current_patron => $patron } );
 
+ # check permission to modify email info.
+ if ( $patron->is_superlibrarian && !$logged_in_user->is_superlibrarian ) {
+ $NoUpdateEmail = 1;
+ }
+
 $borrower_data = $patron->unblessed;
 $borrower_data->{category_type} = $patron->category->category_type;
 }
@@ -193,7 +199,8 @@ if ( $op eq 'insert' || $op eq 'modify' || $op eq 'save' || $op eq 'duplicate' )
 push(@errors,"ERROR_$_");
 }
 }
- # check permission to modify login info.
+
+ # check permission to modify login info.
 if (ref($borrower_data) && ($borrower_data->{'category_type'} eq 'S') && ! (C4::Auth::haspermission($userenv->{'id'},{'staffaccess'=>1})) ) {
 $NoUpdateLogin = 1;
 }
@@ -786,6 +793,7 @@ $template->param(
 modify => $modify,
 nok => $nok,#flag to know if an error
 NoUpdateLogin => $NoUpdateLogin,
+ NoUpdateEmail => $NoUpdateEmail,
 );
 
 # Generate CSRF token
-- 
2.39.5
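Review bot: Within this diff `$NoUpdateEmail` only reaches the template (`NoUpdateEmail => $NoUpdateEmail,` in the last hunk), so submitted `email`/`emailpro` values are still accepted on `save` for a superlibrarian target unless the store path drops them somewhere outside these hunks; a disabled form control is presentation only, and the escalation the commit message describes is closed only by a server-side check. Where the submitted fields are assembled for storage, mirror the existing `$NoUpdateLogin` handling with something like `if ($NoUpdateEmail) { delete $newdata{$_} for qw(email emailpro); }` (assuming `%newdata` is still the hash of submitted fields in this version), or add a comment at the flag assignment in the `@@ -153,6 +154,11 @@` hunk pointing to where that enforcement lives. The flag covers `email` and `emailpro` only; if the OPAC password-recovery lookup also matches on `B_email`, that field needs the same guard. The enclosing `if ( $op eq 'modify' ... )` block and the `$template->param(` call both extend beyond their hunks.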