From e0420165694c790f2346fb598862e4aacfdf0fcc Mon Sep 17 00:00:00 2001 From: Martin Renvoize Date: Tue, 4 Aug 2020 15:02:03 +0100 Subject: [PATCH] Bug 26023: Properly secure the cashup and refund actions The cash register summary page for cash management is available for users with the 'anonymous_refund' or 'cashup' permission and the actions available are appropriately displayed. However, the actions are not yet correctly tested for at the server and so a user may force submit to accomplish the action. Signed-off-by: Nick Clemens Signed-off-by: Katrin Fischer Signed-off-by: Jonathan Druart --- .../prog/en/modules/pos/register.tt | 12 +++ pos/register.pl | 82 +++++++++++-------- 2 files changed, 58 insertions(+), 36 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/pos/register.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/pos/register.tt index f995580f33..6970d1d6cc 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/pos/register.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/pos/register.tt @@ -36,6 +36,18 @@ [% ELSE %] + [% IF ( error_cashup_permission ) %] +
+ You do not have permission to perform cashup actions. +
+ [% END %] + + [% IF ( error_refund_permission ) %] +
+ You do not have permission to perform refund actions. +
+ [% END %] + [% IF ( CAN_user_cash_management_cashup ) %]
diff --git a/pos/register.pl b/pos/register.pl
index ada83c470f..e73f3c14c9 100755
--- a/pos/register.pl
+++ b/pos/register.pl
@@ -102,45 +102,55 @@ else {
 my $op = $input->param('op') // '';
 if ( $op eq 'cashup' ) {
- $cash_register->add_cashup(
- {
- manager_id => $logged_in_user->id,
- amount => $cash_register->outstanding_accountlines->total
- }
- );
+ if ( $logged_in_user->has_permission( { cash_management => 'cashup' } ) ) {
+ $cash_register->add_cashup(
+ {
+ manager_id => $logged_in_user->id,
+ amount => $cash_register->outstanding_accountlines->total
+ }
+ );
+ }
+ else {
+ $template->param( error_cashup_permission => 1 );
+ }
 }
 elsif ( $op eq 'refund' ) {
- my $amount = $input->param('amount');
- my $quantity = $input->param('quantity');
- my $accountline_id = $input->param('accountline');
- my $transaction_type = $input->param('transaction_type');
-
- my $accountline = Koha::Account::Lines->find($accountline_id);
- $schema->txn_do(
- sub {
-
- my $refund = $accountline->reduce(
- {
- reduction_type => 'Refund',
- branch => $library_id,
- staff_id => $logged_in_user->id,
- interface => 'intranet',
- amount => $amount
- }
- );
- my $payout = $refund->payout(
- {
- payout_type => $transaction_type,
- branch => $library_id,
- staff_id => $logged_in_user->id,
- cash_register => $cash_register->id,
- interface => 'intranet',
- amount => $amount
- }
- );
+ if ( $logged_in_user->has_permission( { cash_management => 'anonymous_refund' } ) ) {
+ my $amount = $input->param('amount');
+ my $quantity = $input->param('quantity');
+ my $accountline_id = $input->param('accountline');
+ my $transaction_type = $input->param('transaction_type');
+
+ my $accountline = Koha::Account::Lines->find($accountline_id);
+ $schema->txn_do(
+ sub {
+
+ my $refund = $accountline->reduce(
+ {
+ reduction_type => 'Refund',
+ branch => $library_id,
+ staff_id => $logged_in_user->id,
+ interface => 'intranet',
+ amount => $amount
+ }
+ );
+ my $payout = $refund->payout(
+ {
+ payout_type => $transaction_type,
+ branch => $library_id,
+ staff_id => $logged_in_user->id,
+ cash_register => $cash_register->id,
+ interface => 'intranet',
+ amount => $amount
+ }
+ );
- }
- );
+ }
+ );
+ }
+ else {
+ $template->param( error_refund_permission => 1 );
+ }
 }
 }
-- 2.39.5
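Review bot: In the added refund branch `$accountline_id` is taken straight from the request and the result of `Koha::Account::Lines->find($accountline_id)` is handed to `txn_do` with no definedness check, so a missing or unknown `accountline` value reaches `$accountline->reduce` as undef and the request dies with a method-on-undef error instead of surfacing a template flag the way the permission failures in this commit do. Guarding the transaction, `if ($accountline) { $schema->txn_do(...) } else { $template->param( error_refund_accountline => 1 ); }` (flag name is a constructed placeholder; it would need a matching block in register.tt), keeps that failure on the same user-visible path. `$quantity` is read in the new code but never used, and `$amount` is forwarded to `reduce`/`payout` without validation here; whether those methods reject non-positive or over-sized amounts is not visible in this hunk and is worth confirming. The enclosing `else {` block begins before the hunk.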