From bc3f4d1c565a10330d87c067592a69fdd0d20620 Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Thu, 17 Apr 2014 16:09:40 +0000
Subject: [PATCH] Bug 9448: (follow-up) prevent unauthorized operator from bypassing check on forgiving overdue fines
This patch adds a step to verify that an operator has the writeoff permission before allowing them to forgive overdue fines during checkin, which was possible if the operator manually added an "exemptfines" URL parameter.
Signed-off-by: Galen Charlton
---
 circ/returns.pl | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/circ/returns.pl b/circ/returns.pl
index 93f36f2130..4abac2e7a1 100755
--- a/circ/returns.pl
+++ b/circ/returns.pl
@@ -172,6 +172,14 @@ my $issueinformation;
 my $itemnumber;
 my $barcode = $query->param('barcode');
 my $exemptfine = $query->param('exemptfine');
+if (
+ $exemptfine &&
+ !C4::Auth::haspermission(C4::Context->userenv->{'id'}, {'updatecharges' => 'writeoff'})
+) {
+ # silently prevent unauthorized operator from forgiving overdue
+ # fines by manually tweaking form parameters
+ undef $exemptfine;
+}
 my $dropboxmode = $query->param('dropboxmode');
 my $dotransfer = $query->param('dotransfer');
 my $canceltransfer = $query->param('canceltransfer');
-- 
2.39.5
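Review bot: The rejected request leaves no trace: `undef $exemptfine` discards a tampered `exemptfine` parameter without recording that an operator lacking `updatecharges => writeoff` tried to forgive fines, so an audit has nothing to find. Consider one line before the `undef`, e.g. `warn "exemptfine ignored: operator " . C4::Context->userenv->{'id'} . " lacks updatecharges/writeoff";` (or the project's action-log helper if one fits this script), and reword the comment from "silently prevent" to "ignore and log". The condition also dereferences `C4::Context->userenv` with no undef guard; if the script's authentication step earlier in the file guarantees a userenv here that is fine, but it is worth confirming rather than assuming. Separately, the commit message names the parameter "exemptfines" while the code reads `exemptfine`. These are top-level statements of circ/returns.pl, not inside a sub, so the guard runs once per request at parameter-read time.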