From 89cda847a1852a0b42b79f245af57ec4ae429bd3 Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Tue, 9 Nov 2010 22:00:50 -0500
Subject: [PATCH] follow-up to reports permissions patch
* Enforce the requirement that the user must have the create_reports permission in order to delete a saved report; closes hole where unprivileged user could delete reports by constructing a URL maliciously
* Added another tweak of the template - don't offer option to create a new report if the user doesn't have permission.
Signed-off-by: Galen Charlton
Signed-off-by: Chris Cormack
---
.../prog/en/modules/reports/guided_reports_start.tmpl | 7 ++++++-
reports/guided_reports.pl | 2 +-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
index 320c8512dc..c5868a0b44 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
@@ -134,7 +134,12 @@ canned reports and writing custom SQL reports.

-

There are no saved reports. Build new?

+

There are no saved reports. + + Build new? + +

+
diff --git a/reports/guided_reports.pl b/reports/guided_reports.pl
index f5139ddf78..4be4e79859 100755
--- a/reports/guided_reports.pl
+++ b/reports/guided_reports.pl
@@ -44,7 +44,7 @@ my $input = new CGI;
 my $phase = $input->param('phase');
 my $flagsrequired;
-if ( $phase eq 'Build new' ) {
+if ( $phase eq 'Build new' or $phase eq 'Delete Saved' ) {
 $flagsrequired = 'create_reports';
 }
 elsif ( $phase eq 'Use saved' ) {
--
2.39.2
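Review bot: The permission required for a request is still chosen by exact string match on the `phase` parameter, so the fix covers `'Delete Saved'` only; any other phase that writes or removes report data is protected only if it is also listed in this chain. The chain continues past the end of the hunk, so the fallback branch is not visible here, but it should resolve to the strictest permission rather than a permissive one, and a comment above the `if` such as `# every phase that creates, edits or deletes a report must require create_reports` would make that rule explicit for the next phase someone adds. The commit message also says the delete could be triggered from a constructed URL; if that path is a plain GET, this check does not cover a forged link followed by a staff user who does hold `create_reports`, so the delete handler (outside this hunk) presumably also needs a POST-only and token check.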