From 30a0d4f6c97e783868128c051465722aefd95ac7 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 25 Oct 2017 17:29:16 -0300
Subject: [PATCH] Bug 19531: When saving patron record do not redirect to circ if not authorised

If the logged in patron does not have the necessary permission we should not redirect to circulation.pl but moremember.pl instead

Test plan:
With the borrowers permission, you should be able to edit a patron and be redirect to the moremember page

Signed-off-by: Katrin Fischer
Signed-off-by: Nick Clemens
Signed-off-by: Jonathan Druart
---
 members/memberentry.pl | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/members/memberentry.pl b/members/memberentry.pl
index ed35e1b92d..fcb6c56c12 100755
--- a/members/memberentry.pl
+++ b/members/memberentry.pl
@@ -523,10 +523,18 @@ if ((!$nok) and $nodouble and ($op eq 'insert' or $op eq 'save')){
             C4::Form::MessagingPreferences::handle_form_action($input, { borrowernumber => $borrowernumber }, $template);
         }
     }
-    print scalar ($destination eq "circ") ?
-        $input->redirect("/cgi-bin/koha/circ/circulation.pl?borrowernumber=$borrowernumber") :
-        $input->redirect("/cgi-bin/koha/members/moremember.pl?borrowernumber=$borrowernumber") ;
-    exit; # You can only send 1 redirect! After that, content or other headers don't matter.
+
+    if ( $destination eq 'circ' and not C4::Auth::haspermission( C4::Context->userenv->{id}, { circulate => 'circulate_remaining_permissions' } ) ) {
+        # If we want to redirect to circulation.pl and need to check if the logged in user has the necessary permission
+        $destination = 'not_circ';
+    }
+    print scalar( $destination eq "circ" )
+      ? $input->redirect(
+        "/cgi-bin/koha/circ/circulation.pl?borrowernumber=$borrowernumber")
+      : $input->redirect(
+        "/cgi-bin/koha/members/moremember.pl?borrowernumber=$borrowernumber"
+      );
+    exit; # You can only send 1 redirect! After that, content or other headers don't matter.
 }
 
 if ($delete){
-- 
2.39.5
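Review bot: The new permission check dereferences `C4::Context->userenv->{id}` without guarding against `userenv` returning undef; if that can happen on this page the line dies under strict refs instead of falling back to moremember.pl, and whether it can happen depends on the authentication done earlier in the script, outside this hunk, so it is worth confirming. A defensive form is `my $userenv = C4::Context->userenv;` followed by `if ( $destination eq 'circ' and not ( $userenv and C4::Auth::haspermission( $userenv->{id}, { circulate => 'circulate_remaining_permissions' } ) ) ) {`. This check only selects the redirect target and is not an access control: circulation.pl must still enforce the circulate permission itself, since the URL can be requested directly. The comment inside the new `if` reads as a fragment and would be clearer as `# Only redirect to circulation.pl when the logged in user may circulate; otherwise fall back to moremember.pl`, and the sentinel `'not_circ'` could be replaced by a boolean such as `my $can_circulate` to avoid a magic string. The enclosing `if ((!$nok) and $nodouble ...)` block begins before this hunk.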