From 0b931d5de3c4fe9fa2b4823d9b8727b28a46aa7c Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 14 Feb 2019 17:03:17 -0300 Subject: [PATCH] Bug 22068: Prevent patrons to cancel article request they did not create opac-article-request-cancel.pl doesn't check that the article request to be cancelled actually belongs to the logged-in borrower. This results in any logged-in user being able to cancel any article request just by changing the id in the URL. Test plan: - Login with Patron P1, create an article request - Cancel it - Create another one - Copy the cancellation link (must be /cgi-bin/koha/opac-article-request-cancel.pl?id=X) - Login with Patron P2 - Hit the cancellation link => Without this patch the article request is cancelled => With this patch applied there is a 404 redirection Note that the 404 will also appears when the article request id does not exist. Signed-off-by: Ere Maijala Signed-off-by: Tomas Cohen Arazi Signed-off-by: Nick Clemens --- opac/opac-article-request-cancel.pl | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/opac/opac-article-request-cancel.pl b/opac/opac-article-request-cancel.pl index baaa0ae7c9..0305808a4b 100755 --- a/opac/opac-article-request-cancel.pl +++ b/opac/opac-article-request-cancel.pl @@ -39,9 +39,14 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user( my $id = $query->param('id'); -if ( $id && $borrowernumber ) { +if ( $id ) { my $ar = Koha::ArticleRequests->find( $id ); - $ar->cancel() if $ar; + if ( !$ar || $ar->borrowernumber != $borrowernumber ) { + print $query->redirect("/cgi-bin/koha/errors/404.pl"); + exit; + } + + $ar->cancel(); } print $query->redirect("/cgi-bin/koha/opac-user.pl#opac-user-article-requests"); -- 2.39.5