From 28c609b902e02a6c1183c9270c607ce1b5ed6404 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 19 Jan 2022 11:21:54 +0100
Subject: [PATCH] Bug 29903: Prevent messages to be deleted from unauthorised users

The "Delete" link is hidden but the controller does not do the necessary checks.

/cgi-bin/koha/circ/del_message.pl?message_id=1&borrowernumber=5&from=moremember

Test plan:
Create a message, see the "Delete" link, don't click it but copy it
Change logged in library and use the link
If AllowAllMessageDeletion is off you should be redirected to 403

Signed-off-by: Nick Clemens
Signed-off-by: Andrew Fuerste-Henry
---
 circ/del_message.pl | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/circ/del_message.pl b/circ/del_message.pl
index 496ab65567..0e16c3cef9 100755
--- a/circ/del_message.pl
+++ b/circ/del_message.pl
@@ -40,6 +40,14 @@
 my $borrowernumber = $input->param('borrowernumber');
 my $message_id = $input->param('message_id');
 my $message = Koha::Patron::Messages->find($message_id);
+if ( $message
+ && !C4::Context->preference('AllowAllMessageDeletion')
+ && C4::Context->userenv->{'branch'} ne $message->branchcode )
+{
+ print $input->redirect("/cgi-bin/koha/errors/403.pl");
+ exit;
+}
+
 $message->delete if $message;

 if ( $input->param('from') eq "moremember" ) {
--
2.39.5
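Review bot: The new guard carries no comment tying it to the template condition that hides the Delete link, so the controller check and the view can drift apart silently; a one-liner above the `if`, such as `# Server-side twin of the template check that hides the Delete link: without AllowAllMessageDeletion, only staff at the message's own branch may delete it`, would make the intent explicit. The comparison uses `ne`, so an undefined branch on either side fails closed to the 403 redirect (emitting an uninitialized-value warning if the file runs under `use warnings`), which is the safe direction. The `borrowernumber` parameter read two lines above is not cross-checked against the message; it appears to only drive the redirect further down, which lies outside this hunk, so this is an observation rather than a defect in the new lines. The rest of the script, including the `from` handling, continues outside the hunk.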