From dd4800f08d688de940f61d50085ff178992f0628 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Wed, 19 Jan 2022 11:21:54 +0100
Subject: [PATCH] Bug 29903: Prevent messages to be deleted from unauthorised users

The "Delete" link is hidden but the controller does not do the necessary checks.

/cgi-bin/koha/circ/del_message.pl?message_id=1&borrowernumber=5&from=moremember

Test plan:
Create a message, see the "Delete" link, don't click it but copy it
Change logged in library and use the link
If AllowAllMessageDeletion is off you should be redirected to 403

Signed-off-by: Nick Clemens
Signed-off-by: Fridolin Somers
---
 circ/del_message.pl | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/circ/del_message.pl b/circ/del_message.pl
index 778c458226..3e7c775666 100755
--- a/circ/del_message.pl
+++ b/circ/del_message.pl
@@ -39,6 +39,14 @@ my $borrowernumber = $input->param('borrowernumber');
 my $message_id = $input->param('message_id');
 my $message = Koha::Patron::Messages->find($message_id);
+if ( $message && !C4::Context->preference('AllowAllMessageDeletion') && C4::Context->userenv->{'branch'} ne $message->branchcode ) {
+ print $input->redirect("/cgi-bin/koha/errors/403.pl");
+ exit;
+}
+
 $message->delete if $message;
 if ( $input->param('from') eq "moremember" ) {
-- 
2.39.5
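Review bot: The new guard authorises the delete on the message's branch alone; the `borrowernumber` query parameter read just above the hunk is never compared with the message, so any `message_id` whose branch matches the logged-in branch is deleted regardless of which patron the URL names, and the `from=moremember` redirect that follows presumably lands on that unrelated patron. Tightening the guard to `|| $message->borrowernumber != $borrowernumber` inside the same condition would tie the operation to the patron the caller claims to be acting on. Separately, the deletion is still performed on a plain GET with no anti-CSRF token (the test plan itself copies the link as a URL), so a same-branch staff user can be made to delete a message by following a crafted link; this commit does not address that. The check also assumes `C4::Context->userenv` is already populated by the authentication call earlier in the script, which is outside this hunk; if it can ever be undef, the `->{'branch'}` dereference dies instead of denying. The surrounding script continues past the end of the hunk.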