From 2e705d368034e2a06ccb6b31ccc249a60e341f42 Mon Sep 17 00:00:00 2001
From: Nick Clemens
Date: Thu, 16 May 2019 10:54:03 +0000
Subject: [PATCH] Bug 22724: Check permissions in the script before displaying template
Signed-off-by: Liz Rea
Signed-off-by: Nick Clemens
(cherry picked from commit 3034c028264f072fc1a447a11a518255282fc990)
Signed-off-by: Martin Renvoize
---
 members/paycollect.pl | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/members/paycollect.pl b/members/paycollect.pl
index abd96b5de3..111448848c 100755
--- a/members/paycollect.pl
+++ b/members/paycollect.pl
@@ -37,7 +37,10 @@ use Koha::Token;
 my $input = CGI->new();
-my $updatecharges_permissions = $input->param('writeoff_individual') ? 'writeoff' : 'remaining_permissions';
+my $writeoff_individual = $input->param('writeoff_individual');
+my $type = scalar $input->param('type') || 'payment';
+
+my $updatecharges_permissions = ($writeoff_individual || $type eq 'writeoff') ? 'writeoff' : 'remaining_permissions';
 my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 { template_name => 'members/paycollect.tt',
 query => $input,
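Review bot: The new `$updatecharges_permissions` expression requires 'writeoff' whenever `$writeoff_individual` is truthy, but the dispatch later in the script tests `$pay_individual` first (the `if ($pay_individual) { ... } elsif ($writeoff_individual)` branch and the `if ($pay_individual)` guard around `->pay(` in the following hunks), so a request carrying both `pay_individual` and `writeoff_individual` is gated on the writeoff sub-permission yet executes a payment. Unless `writeoff` implies `remaining_permissions` somewhere this patch does not show, a writeoff-only user can record payments through that combination. Since the gate now runs before `get_template_and_user`, move `my $pay_individual = $input->param('pay_individual');` up beside `$writeoff_individual` and mirror the dispatch order: `my $updatecharges_permissions = ( !$pay_individual && ( $writeoff_individual || $type eq 'writeoff' ) ) ? 'writeoff' : 'remaining_permissions';`. A comment such as `# Pick the updatecharges sub-permission from the same request flags the action code dispatches on, before any template is rendered` would make that coupling explicit for the next maintainer. The `get_template_and_user` call at the end of the hunk continues outside it.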
@@ -63,19 +66,17 @@ my $total_due = $patron->account->outstanding_debits->total_outstanding;
 my $total_paid = $input->param('paid');
-my $individual = $input->param('pay_individual');
-my $writeoff = $input->param('writeoff_individual');
 my $select_lines = $input->param('selected');
+my $pay_individual = $input->param('pay_individual');
 my $select = $input->param('selected_accts');
 my $payment_note = uri_unescape scalar $input->param('payment_note');
 my $payment_type = scalar $input->param('payment_type');
-my $type = scalar $input->param('type') || 'payment',
 my $accountlines_id;
-if ( $individual || $writeoff ) {
- if ($individual) {
+if ( $pay_individual || $writeoff_individual ) {
+ if ($pay_individual) {
 $template->param( pay_individual => 1 );
- } elsif ($writeoff) {
+ } elsif ($writeoff_individual) {
 $template->param( writeoff_individual => 1 );
 }
 my $accounttype = $input->param('accounttype');
@@ -118,7 +119,7 @@ if ( $total_paid and $total_paid ne '0.00' ) {
 token => scalar $input->param('csrf_token'),
 });
- if ($individual) {
+ if ($pay_individual) {
 my $line = Koha::Account::Lines->find($accountlines_id);
 Koha::Account->new( { patron_id => $borrowernumber } )->pay(
 {
-- 2.39.2
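Review bot: `my $pay_individual = $input->param('pay_individual');` is inserted between `$select_lines` and `$select`, while its counterpart `$writeoff_individual` and `$type` now live above `get_template_and_user`, so the three request flags that select the code path are declared in two places with unrelated payment fields in between. Declare `$pay_individual` beside `$writeoff_individual` at the top of the script and drop it from this run of `my` lines. The `if ($pay_individual) { ... } elsif ($writeoff_individual)` ordering silently ignores `writeoff_individual` when both flags are sent, which deserves a comment such as `# pay_individual takes precedence when both flags are present`. The `if ( $pay_individual || $writeoff_individual )` block continues past the end of the hunk.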