From bc3f4d1c565a10330d87c067592a69fdd0d20620 Mon Sep 17 00:00:00 2001
From: Galen Charlton <gmc@esilibrary.com>
Date: Thu, 17 Apr 2014 16:09:40 +0000
Subject: [PATCH] Bug 9448: (follow-up) prevent unauthorized operator from
 bypassing check on forgiving overdue fines

This patch adds a step to verify that an operator has the writeoff
permission before allowing them to forgive overdue fines during
checkin, which was possible if the operator manually added an
"exemptfines" URL parameter.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
---
 circ/returns.pl | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/circ/returns.pl b/circ/returns.pl
index 93f36f2130..4abac2e7a1 100755
--- a/circ/returns.pl
+++ b/circ/returns.pl
@@ -172,6 +172,14 @@ my $issueinformation;
 my $itemnumber;
 my $barcode     = $query->param('barcode');
 my $exemptfine  = $query->param('exemptfine');
+if (
+  $exemptfine &&
+  !C4::Auth::haspermission(C4::Context->userenv->{'id'}, {'updatecharges' => 'writeoff'})
+) {
+    # silently prevent unauthorized operator from forgiving overdue
+    # fines by manually tweaking form parameters
+    undef $exemptfine;
+}
 my $dropboxmode = $query->param('dropboxmode');
 my $dotransfer  = $query->param('dotransfer');
 my $canceltransfer = $query->param('canceltransfer');
-- 
2.39.2