From 4b71c9239708cd4d60190ed907fec03d1f8b08bc Mon Sep 17 00:00:00 2001 From: David Cook Date: Thu, 27 Jul 2017 11:58:28 +1000 Subject: [PATCH] Bug 18898 - Some permissions for Reports can be bypassed MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit If you manually visit the following links when you only have permission to run reports, you'll still be able to access the ability to create and edit reports: /cgi-bin/koha/reports/guided_reports.pl?phase=Create%20report%20from%20SQL /cgi-bin/koha/reports/guided_reports.pl?phase=Edit%20SQL This patch ties these 2 unaccounted for phases to the create_reports permission. With patch, issue no longer can be reproduced. Signed-off-by: Marc Véron Signed-off-by: Nick Clemens Signed-off-by: Jonathan Druart (cherry picked from commit 2fdfbaf0ddbf214c0efb9a3a3c2595a54517f795) Signed-off-by: Fridolin Somers --- reports/guided_reports.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/reports/guided_reports.pl b/reports/guided_reports.pl index b81e84f321..bfd0a7646b 100755 --- a/reports/guided_reports.pl +++ b/reports/guided_reports.pl @@ -53,7 +53,7 @@ my $usecache = Koha::Caches->get_instance->memcached_cache; my $phase = $input->param('phase') // ''; my $flagsrequired; -if ( $phase eq 'Build new' ) { +if ( ( $phase eq 'Build new' ) || ( $phase eq 'Create report from SQL' ) || ( $phase eq 'Edit SQL' ) ){ $flagsrequired = 'create_reports'; } elsif ( $phase eq 'Use saved' ) { -- 2.39.5