From 6674a3b80fe5ce3f443dbd1e9959b0fe31e80021 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 5 Jan 2022 15:25:48 +0100
Subject: [PATCH] Bug 29543: Prevent user to checkin or renew items they don't own
Checkin or renew must be restricted to the items they own. Test plan: Create an item with barcode bc_1 Check it in to user A Login to SCO with user B Get the token using the browser dev tool, from the cookie Hit (replace $JWT) /cgi-bin/koha/sco/sco-main.pl?jwt=$JWT&op=renew&barcode=bc_1 /cgi-bin/koha/sco/sco-main.pl?jwt=$JWT&op=returnbook&barcode=bc_1 You should see an error message
Signed-off-by: Nick Clemens
Signed-off-by: Katrin Fischer
Signed-off-by: Kyle M Hall
(cherry picked from commit 839b7c4a5c8bdba62776fdb74c5f2125622a9ff0)
Signed-off-by: Victor Grousset/tuxayo
---
 .../bootstrap/en/modules/sco/sco-main.tt | 5 +++
 opac/sco/sco-main.pl | 36 +++++++++++++------
 2 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
index 5705a9e03c..fb8918f92e 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/sco/sco-main.tt
@@ -199,6 +199,11 @@

Item renewed

+ [% ELSIF ( renewed == 0) %] + +
+

Item not renewed

+
[% ELSIF ( returned == 0 ) %]
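Review bot: The new `[% ELSIF ( renewed == 0) %]` is spaced differently from the sibling `[% ELSIF ( returned == 0 ) %]` right below it; write it `[% ELSIF ( renewed == 0 ) %]` to match. This branch only renders when sco-main.pl explicitly passes `renewed => 0`, so it depends on the Perl side setting that value on every failed-renewal path, not only the not-owned one. The IF chain this ELSIF belongs to starts before the hunk.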
diff --git a/opac/sco/sco-main.pl b/opac/sco/sco-main.pl
index 616ffad924..ac25bba89a 100755
--- a/opac/sco/sco-main.pl
+++ b/opac/sco/sco-main.pl
@@ -139,19 +139,28 @@ my $confirm_required = 0;
 my $return_only = 0;
 if ( $patron && $op eq "returnbook" && $allowselfcheckreturns ) {
-    my $success = 0;
-    my $human_required = 0;
+    my $success = 1;
+
+    my $item = Koha::Items->find( { barcode => $barcode } );
-    if ( C4::Context->preference("CircConfirmItemParts") ) {
+    if ( $success && C4::Context->preference("CircConfirmItemParts") ) {
         if ( defined($item) && $item->materials ) {
-            $human_required = 1;
+            $success = 0;
         }
     }
-    ($success) = AddReturn( $barcode, $branch )
-        unless $human_required;
+    if ($success) {
+        # Patron cannot checkin an item they don't own
+        $success = 0
+            unless $patron->checkouts->find( { itemnumber => $item->itemnumber } );
+    }
+
+    if ( $success ) {
+        ($success) = AddReturn( $barcode, $branch )
+    }
+
     $template->param( returned => $success );
 }
 elsif ( $patron && ( $op eq 'checkout' ) ) {
@@ -267,11 +276,16 @@ elsif ( $patron && ( $op eq 'checkout' ) ) {
 if ( $patron && ( $op eq 'renew' ) ) {
     my $item = Koha::Items->find({ barcode => $barcode });
-    my ($status,$renewerror) = CanBookBeRenewed( $patron->borrowernumber, $item->itemnumber );
-    if ($status) {
-        AddRenewal( $patron->borrowernumber, $item->itemnumber, undef, undef, undef, undef, 1 );
-        push @newissueslist, $barcode;
-        $template->param( renewed => 1 );
+
+    if ( $patron->checkouts->find( { itemnumber => $item->itemnumber } ) ) {
+        my ($status,$renewerror) = CanBookBeRenewed( $patron->borrowernumber, $item->itemnumber );
+        if ($status) {
+            AddRenewal( $patron->borrowernumber, $item->itemnumber, undef, undef, undef, undef, 1 );
+            push @newissueslist, $barcode;
+            $template->param( renewed => 1 );
+        }
+    } else {
+        $template->param( renewed => 0 );
     }
 }
-- 
2.39.5
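Review bot: The new ownership check `$success = 0 unless $patron->checkouts->find( { itemnumber => $item->itemnumber } );` calls `->itemnumber` on `$item` without the `defined($item)` guard that the CircConfirmItemParts branch just above it keeps, so an unknown or mistyped barcode now dies inside the returnbook branch instead of reaching AddReturn as the old code did. Guard it as `$success = 0 unless $item && $patron->checkouts->find( { itemnumber => $item->itemnumber } );` so the unknown-barcode case still reports `returned => 0`. The `$success &&` added to the CircConfirmItemParts condition is always true at that point, since `$success` was set to 1 two lines earlier, and can be dropped. The renew hunk has the same unguarded `$item->itemnumber`, though that dereference was already present before this change.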
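Review bot: `renewed => 0` is only set on the not-owned `else` branch; when the patron does own the item but `CanBookBeRenewed` returns false, neither `renewed => 1` nor `renewed => 0` is set, so the template's new `renewed == 0` message stays silent for the ordinary cannot-renew case. Unless that silence is intended, give the inner `if ($status)` its own else: `} else { $template->param( renewed => 0 ); }`. `$renewerror` is still captured but never used, so it could be dropped from the list assignment. The renew block's closing lines are context here, but its start is inside the hunk.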