From 45007a58e23a1840b79b2d73ea21522d610ca9ce Mon Sep 17 00:00:00 2001
From: Fridolin Somers
Date: Thu, 4 Jul 2024 16:18:17 +0200
Subject: [PATCH] Bug 37247: Fix subscriptions operation allowed without authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Move close and reopen after get_template_and_user(). Also move Koha::Subscriptions->find(), not a good idea to run DB queries before authentication.

Test plan :
1) Apply patch
2) Authenticate to staff interface
3) Go to an existing open subscription
4) Open a new browser tab and use it to log-out
5) Go to first tab and click on 'Close'
6) You get login page
7) Authenticate
8) Check subscription is not closed
9) Check you can close and reopen subscription

Signed-off-by: Chris Cormack
Signed-off-by: Martin Renvoize
(cherry picked from commit 42c2dd78ef52ec00afd6307ef179c491615c7085)
Signed-off-by: Frédéric Demians
---
 serials/subscription-detail.pl | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/serials/subscription-detail.pl b/serials/subscription-detail.pl
index 2ae5cd3ef7..60c28fd9cc 100755
--- a/serials/subscription-detail.pl
+++ b/serials/subscription-detail.pl
@@ -34,17 +34,11 @@ use Carp qw( carp );
 use Koha::SharedContent;
 my $query = CGI->new;
-my $op = $query->param('op') || q{};
+
+my $op = $query->param('op') || q{};
 my $issueconfirmed = $query->param('issueconfirmed');
-my $dbh = C4::Context->dbh;
 my $subscriptionid = $query->param('subscriptionid');
-if ( $op and $op eq "close" ) {
-    C4::Serials::CloseSubscription( $subscriptionid );
-} elsif ( $op and $op eq "reopen" ) {
-    C4::Serials::ReopenSubscription( $subscriptionid );
-}
-
 # the subscription must be deletable if there is NO issues for a reason or another (should not happened, but...)
 # Permission needed if it is a deletion (del) : delete_subscription
@@ -68,7 +62,13 @@ $subs->{enddate} ||= GetExpirationDate($subscriptionid);
 my ($totalissues,@serialslist) = GetSerials($subscriptionid);
 $totalissues-- if $totalissues; # the -1 is to have 0 if this is a new subscription (only 1 issue)
-if ($op eq 'del') {
+my $subscription = Koha::Subscriptions->find( $subscriptionid );
+
+if ( $op and $op eq "close" ) {
+    C4::Serials::CloseSubscription( $subscriptionid );
+} elsif ( $op and $op eq "reopen" ) {
+    C4::Serials::ReopenSubscription( $subscriptionid );
+} elsif ($op eq 'del') {
     if ($$subs{'cannotedit'}){
         carp "Attempt to delete subscription $subscriptionid by ".C4::Context->userenv->{'id'}." not allowed";
         print $query->redirect("/cgi-bin/koha/serials/subscription-detail.pl?subscriptionid=$subscriptionid");
@@ -93,8 +93,7 @@ if ($op eq 'del') {
         print $query->redirect("/cgi-bin/koha/serials/serials-home.pl");
         exit;
     }
-}
-elsif ( $op and $op eq "share" ) {
+} elsif ( $op eq "share" ) {
     my $mana_language = $query->param('mana_language');
     my $result = Koha::SharedContent::send_entity($mana_language, $loggedinuser, $subscriptionid, 'subscription');
     $template->param( mana_code => $result->{msg} );
-- 
2.39.5
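Review bot: The relocated `close` and `reopen` branches call `C4::Serials::CloseSubscription( $subscriptionid )` and `C4::Serials::ReopenSubscription( $subscriptionid )` with no authorisation check beyond the login that now precedes them, whereas the adjacent `del` branch first tests `$$subs{'cannotedit'}` and refuses with a `carp` and redirect; `$subs` is already populated at this point (the hunk header shows `$subs->{enddate}` being set), so if `cannotedit` is meant to cover closing and reopening as well, the same guard should wrap those two branches, e.g. an `if ($$subs{'cannotedit'})` refusal mirroring the one in `del` — confirm against how `cannotedit` is computed above the hunk. All three operations are state changes driven solely by the `op` query parameter; no request-method or CSRF-token check is visible in this hunk, so if none exists elsewhere in the script they remain reachable via a crafted link once the user is logged in. As a point of style, `$op` is defaulted to `q{}` earlier in the file, so `$op and $op eq "close"` can simply be `$op eq "close"`, matching the `share` branch rewritten in the next hunk. The new `my $subscription = Koha::Subscriptions->find( $subscriptionid )` is not used within the hunk (presumably further down), and the `if`/`elsif` chain continues past the hunk's end.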