From deffb12491fa1a928a427b25f55ea5929f030266 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 31 Jul 2020 11:15:57 +0200 Subject: [PATCH] Bug 10921: Prevent an order from a closed basket to be edited We don't allow editing of orders that are part of a closed basket, but we don't enforce the rule in the controller file. This patch use output_and_exit to stop the script and display an error to the end user. Test plan: Create a basket, add an order On the basket view you see the "Modify" link, open it in a separate tab => You can edit the basket Keep this tab open, get back to the other one and close the basket Reload the tab with the order edition form => You cannot longer edit the basket QA: Do we need a check in addorder.pl as well? Signed-off-by: Henry Bolshaw Signed-off-by: Nick Clemens Signed-off-by: Jonathan Druart Signed-off-by: Jonathan Druart (cherry picked from commit 0310e973a4c28a7e02baad03799eb40869ce4506) Signed-off-by: Lucas Gass --- acqui/neworderempty.pl | 14 ++++++++++---- .../prog/en/includes/blocking_errors.inc | 2 ++ 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/acqui/neworderempty.pl b/acqui/neworderempty.pl index 40e4444f69..6aa84b0a38 100755 --- a/acqui/neworderempty.pl +++ b/acqui/neworderempty.pl @@ -135,6 +135,16 @@ my $bookseller = Koha::Acquisition::Booksellers->find( $booksellerid ); output_and_exit( $input, $cookie, $template, 'unknown_basket') unless $basketobj; output_and_exit( $input, $cookie, $template, 'unknown_vendor') unless $bookseller; +$template->param( + ordernumber => $ordernumber, + basketno => $basketno, + basket => $basket, + booksellerid => $basket->{'booksellerid'}, + name => $bookseller->name, +); +output_and_exit( $input, $cookie, $template, 'order_cannot_be_edited' ) + if $ordernumber and $basketobj->closedate; + my $contract = GetContract({ contractnumber => $basket->{contractnumber} }); 
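Review bot: The new guard `if $ordernumber and $basketobj->closedate` tests the closed state of `$basketobj`, but nothing in this hunk ties `$ordernumber` to that basket. Both variables are assigned above the hunk; if `$basketobj` is looked up from the basket number in the request rather than from the order record, the check passes whenever the request names an open basket, even though the order itself sits in a closed one. I would resolve the basket from the order before testing `closedate`, or at least stop with an error when the order's basket number differs from `$basketno`, and record the intent with a comment such as `# closedate must be read from the basket the order belongs to, not from the basketno parameter`. Separately, `booksellerid` is now set here and again in the later `$template->param` call that the second hunk leaves in place; one of the two can be dropped.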
@@ -406,10 +416,7 @@ $quantity //= 0; # fill template $template->param( existing => $biblionumber, - ordernumber => $ordernumber, # basket informations - basketno => $basketno, - basket => $basket, basketname => $basket->{'basketname'}, basketnote => $basket->{'note'}, booksellerid => $basket->{'booksellerid'}, @@ -434,7 +441,6 @@ $template->param( order_vendornote => $data->{'order_vendornote'}, listincgst => $bookseller->listincgst, invoiceincgst => $bookseller->invoiceincgst, - name => $bookseller->name, cur_active_sym => $active_currency->symbol, cur_active => $active_currency->currency, currencies => \@currencies, diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/blocking_errors.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/blocking_errors.inc index 146264a10f..0bd778b76c 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/blocking_errors.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/blocking_errors.inc @@ -13,6 +13,8 @@
Basket not found.
[% CASE 'unknown_vendor' %]
Vendor not found.
+ [% CASE 'order_cannot_be_edited' %] +
This order cannot be edited, the basket is closed.
[% CASE 'wrong_csrf_token' %]
The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again.
[% CASE 'budget_is_locked' %] -- 2.39.5