From 1a54f0916ed96ae717cdca8ece53cf5998bafec3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Marc=20V=C3=A9ron?=
Date: Thu, 23 Apr 2015 22:50:17 +0200
Subject: [PATCH] Bug 13910: Prevent delete of one's own patron account
This patch adds a check to prevent deleting the user's own account. Additionali it fixes a "missing link" in moremember.pl and wrong comparisions in moremember.tt regarding other forbidden deleting.
To test:
- Apply patch
- Create a user with sufficient privileges to delete users
- Log in as this new user
- Try to delete this user. Confirm message box "Are you sure..."
- Confirm that you get a message "Not allowed to delete own account" and that the user still exists.
Bonus test: Try to trigger other forbidden deletions (see members/deletemem.pl): 'CANT_DELETE_STAFF', 'CANT_DELETE_OTHERLIBRARY', 'CANT_DELETE'
(You can fake it by using an URL like: /cgi-bin/koha/members/moremember.pl?borrowernumber=115&error=CANT_DELETE_STAFF etc.)
Without patch, no message appears. With patch, messages appear as appropriate.
Signed-off-by: Mark Tompsett
NOTE: Attempted all CANT combinations. From reading the code, this is kind of an important patch, because I'm not sure deleting error messages work at all right now based on what I read.
Signed-off-by: Jonathan Druart
Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
---
 .../prog/en/modules/members/moremember.tt | 13 +++++++++----
 members/deletemem.pl | 6 ++++++
 members/moremember.pl | 2 ++
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt
index 9fc1482d37..72cad8401b 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt
@@ -140,22 +140,27 @@ function validate1(date) {
[% INCLUDE 'members-toolbar.inc' %]
+ [% IF ( error ) %]
- [% IF ( AUTH_UPDATE_FAILED ) %]
+ [% IF ( error == 'AUTH_UPDATE_FAILED' ) %]

Userid / Password update failed

Insufficient privileges.

Other fields updated.

[% END %]
- [% IF ( CANT_DELETE_STAFF ) %]
+ [% IF ( error == 'CANT_DELETE_STAFF' ) %]

Unable to delete staff user

Insufficient privileges.

[% END %]
- [% IF ( CANT_DELETE_OTHERLIBRARY ) %]
+ [% IF ( error == 'CANT_DELETE_YOURSELF' ) %]
+

Not allowed to delete own account

+

Deleting your own account would lock you out of Koha.

+ [% END %]
+ [% IF ( error == 'CANT_DELETE_OTHERLIBRARY' ) %]

Unable to delete patrons from other libraries with current settings

Insufficient privileges.

[% END %]
- [% IF ( CANT_DELETE ) %]
+ [% IF ( error == 'CANT_DELETE' ) %]

Unable to delete patron

Insufficient privileges.

[% END %]
diff --git a/members/deletemem.pl b/members/deletemem.pl
index 981e3e3ce6..972a898a97 100755
--- a/members/deletemem.pl
+++ b/members/deletemem.pl
@@ -50,6 +50,12 @@ my ($template, $borrowernumber, $cookie)
#print $input->header;
my $member = $input->param('member');
+#Do not delete yourself...
+if ($borrowernumber == $member ) {
+ print $input->redirect("/cgi-bin/koha/members/moremember.pl?borrowernumber=$member&error=CANT_DELETE_YOURSELF");
+ exit 1;
+}
+
# Handle deletion from the Norwegian national patron database, if it is enabled
# If the "deletelocal" parameter is set to "false", the regular deletion will be
# short circuited, and only a deletion from the national database can be carried
diff --git a/members/moremember.pl b/members/moremember.pl
index 3a54ec9eca..d448b918e3 100755
--- a/members/moremember.pl
+++ b/members/moremember.pl
@@ -112,6 +112,8 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
} );
my $borrowernumber = $input->param('borrowernumber');
+my $error = $input->param('error');
+$template->param( error => $error ) if ( $error );
my ( $od, $issue, $fines ) = GetMemberIssuesAndFines($borrowernumber);
$template->param( issuecount => $issue );
--
2.39.5
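Review bot: `$member` is taken straight from the query string and, on the `print $input->redirect(...)` line, is interpolated unescaped into the Location URL, while the numeric `==` on the line above warns and treats any non-numeric value as 0; pinning the type once covers both uses, e.g. `if ( defined $member && $member =~ /\A\d+\z/ && $borrowernumber == $member ) {`, and leaves the existing deletion path to deal with malformed input as it does today. `exit 1;` reports a failure status to the web server for a case the script has handled by redirecting; `exit;` (status 0) is the usual ending for a handled redirect, and presumably what the other early exits in this script use. The comment could also carry the rationale the commit message gives, `# Do not delete yourself: removing the logged-in account would lock the user out`.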
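Review bot: The `error` query parameter is handed to the template verbatim on the `$template->param( error => $error )` line, so the page now carries arbitrary client input in template state; the template currently only compares `error` against fixed strings, but any later `[% error %]` output would echo that input, unescaped unless this template tree auto-escapes. Restricting the value to the codes the template knows keeps that from ever becoming a reflected-content issue, e.g. `my %known_error = map { $_ => 1 } qw(AUTH_UPDATE_FAILED CANT_DELETE_STAFF CANT_DELETE_YOURSELF CANT_DELETE_OTHERLIBRARY CANT_DELETE);` followed by `$template->param( error => $error ) if $error && $known_error{$error};`. The `get_template_and_user(` call in the hunk header starts outside the hunk.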