From 813a45767d617777d89bdfc21b78c49d5c743b09 Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Tue, 19 Nov 2019 14:51:50 +0000
Subject: [PATCH] Bug 23634: Prevent non-superlibrarians from editing superlibarian emails

This patchset prevents a non-superlibrarian user from editing a superlibrarians email address via memberentry. This is to prevent a privilege escalation vulnerability whereby a user could update a superlibrarians contact details to match their own and then request a password reset via the OPAC.

Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Marcel de Rooy
Signed-off-by: Aleisha Amohia
Signed-off-by: Aleisha Amohia
---
.../prog/en/modules/members/memberentrygen.tt | 8 ++++++++
members/memberentry.pl | 10 +++++++++-
2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
index 19b9c2d2a0..38eada710f 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
@@ -602,7 +602,11 @@ + [% IF ( NoUpdateEmail ) %] + + [% ELSE %] + [% END %] [% IF ( mandatoryemail ) %]Required[% END %]
Shows on transit slips
[% END %]
@@ -615,7 +619,11 @@ + [% IF ( NoUpdateEmail ) %] + + [% ELSE %] + [% END %] [% IF ( mandatoryemailpro ) %]Required[% END %] [% END %]
diff --git a/members/memberentry.pl b/members/memberentry.pl
index 488c4e70aa..710ba33786 100755
--- a/members/memberentry.pl
+++ b/members/memberentry.pl
@@ -102,6 +102,7 @@ my $step = $input->param('step') || 0;
 my @errors;
 my $borrower_data;
 my $NoUpdateLogin;
+my $NoUpdateEmail;
 my $userenv = C4::Context->userenv;
 my @messages;
@@ -167,6 +168,11 @@ if ( $op eq 'modify' or $op eq 'save' or $op eq 'duplicate' ) {
 my $logged_in_user = Koha::Patrons->find( $loggedinuser ) or die "Not logged in";
 output_and_exit_if_error( $input, $cookie, $template, { module => 'members', logged_in_user => $logged_in_user, current_patron => $patron } );
+ # check permission to modify email info.
+ if ( $patron->is_superlibrarian && !$logged_in_user->is_superlibrarian ) {
+ $NoUpdateEmail = 1;
+ }
+
 $borrower_data = $patron->unblessed;
 $borrower_data->{category_type} = $patron->category->category_type;
 }
@@ -207,7 +213,8 @@ if ( $op eq 'insert' || $op eq 'modify' || $op eq 'save' || $op eq 'duplicate' )
 push(@errors,"ERROR_$_");
 }
 }
- # check permission to modify login info.
+
+ # check permission to modify login info.
 if (ref($borrower_data) && ($borrower_data->{'category_type'} eq 'S') && ! (C4::Auth::haspermission($userenv->{'id'},{'staffaccess'=>1})) ) {
 $NoUpdateLogin = 1;
 }
@@ -826,6 +833,7 @@ $template->param(
 modify => $modify,
 nok => $nok,#flag to know if an error
 NoUpdateLogin => $NoUpdateLogin,
+ NoUpdateEmail => $NoUpdateEmail,
 );
 # Generate CSRF token
-- 
2.39.5
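Review bot: The `$NoUpdateEmail` flag set in the `modify`/`save`/`duplicate` branch of memberentry.pl (hunk at line 168) only reaches the template, so within this patch the restriction is enforced by the rendered input alone, and a non-superlibrarian who submits the `email`/`emailpro` fields in the form post will still have them stored unless the save path drops them server-side, the way the existing `$NoUpdateLogin` flag is (as far as I recall) honoured for `userid`/`password`. The save path lies outside these hunks, so this may be covered by a later patch in the series; if not, the posted columns should be discarded before the patron is written, e.g. `delete @newdata{qw(email emailpro B_email)} if $NoUpdateEmail;` where the submitted fields are collected (the hash is `%newdata` in this script, if I remember the surrounding code correctly). The memberentrygen.tt hunks also cover only `email` and `emailpro`; if the OPAC password-recovery lookup accepts any of the patron's email columns, `B_email` needs the same treatment in both the template and the server-side check.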