Bug 29903: Prevent messages from being deleted by unauthorised users
The "Delete" link is hidden but the controller does not do the necessary checks.
/cgi-bin/koha/circ/del_message.pl?message_id=1&borrowernumber=5&from=moremember
Test plan:
Create a message, see the "Delete" link, don't click it but copy it
Change logged in library and use the link
If AllowAllMessageDeletion is off you should be redirected to 403
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit a2b9a76431a887aad7ebcee7b34fb921159271fd)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
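The bug class described in this commit message, as an added example that is not Koha's code and not part of the original commit: a handler that relies on the hidden "Delete" link, beside one that repeats the decision server-side. The sub names, the in-memory `%messages` store, the library codes `CPL`/`MPL`, the 404 for an unknown id and the exact form of the rule (message library compared with the logged-in library unless AllowAllMessageDeletion is on) are assumptions inferred from the test plan.

```perl
use strict;
use warnings;

# Constructed sample record: message 1 belongs to patron 5 and was left at library CPL.
my %messages = ( 1 => { borrowernumber => 5, branchcode => 'CPL' } );

# Before: the template hides the link, so the handler assumes every request is allowed.
sub del_message_unchecked {
    my ($params) = @_;
    delete $messages{ $params->{message_id} // '' };
    return 302;    # redirect back to the patron page
}

# After: the handler makes the same decision the template made, on the server.
sub del_message_checked {
    my ( $params, $session, $prefs ) = @_;
    my $message = $messages{ $params->{message_id} // '' };
    return 404 unless $message;    # assumption: unknown ids are rejected

    # Assumed rule: staff at another library may delete the message only
    # when the AllowAllMessageDeletion preference is on.
    if ( !$prefs->{AllowAllMessageDeletion}
        && $message->{branchcode} ne $session->{branch} )
    {
        return 403;
    }
    delete $messages{ $params->{message_id} };
    return 302;
}

# Test-plan replay: the link is copied, then used while logged in at another library.
my %link          = ( message_id => 1, borrowernumber => 5, from => 'moremember' );
my $other_library = { branch => 'MPL' };
my $prefs         = { AllowAllMessageDeletion => 0 };

printf "checked handler status:   %d\n",
    del_message_checked( \%link, $other_library, $prefs );
printf "message still present:    %s\n", ( exists $messages{1} ? 'yes' : 'no' );
printf "unchecked handler status: %d\n", del_message_unchecked( \%link );
printf "message still present:    %s\n", ( exists $messages{1} ? 'yes' : 'no' );
```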