From 4356e678f2254707c48a6f89658ed089a6b9e662 Mon Sep 17 00:00:00 2001 From: Martin Renvoize Date: Mon, 20 Jul 2020 09:44:05 +0100 Subject: [PATCH] Bug 26023: Properly secure the cashup action for libraries The libraries summary page for cash management is available for users wit the 'anonymous_refund' permission to allow them to navigate to alternate cash registers and search for the prior transaction to refund. However, currently the cashup option appears, and is not blocked at the server, for all user who may access the page. It should be blocked for those users without the 'cashup' permission. Signed-off-by: Nick Clemens Signed-off-by: Katrin Fischer Signed-off-by: Jonathan Druart --- .../prog/en/modules/pos/registers.tt | 20 ++++++++++++- pos/registers.pl | 29 +++++++++++-------- 2 files changed, 36 insertions(+), 13 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/pos/registers.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/pos/registers.tt index 4e373fc104..65f593a1dc 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/pos/registers.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/pos/registers.tt @@ -32,9 +32,18 @@ [% END %] [% ELSE %] + + [% IF ( error_cashup_permission ) %] +
+ You do not have permission to perform cashup actions. +
+ [% END %] + + [% IF CAN_user_cash_management_cashup %]
+ [% END %]

Library transaction details for [% library.branchname | html %]

@@ -54,7 +63,9 @@ Bankable Income (cash) Outgoing (cash) + [% IF CAN_user_cash_management_cashup %] Actions + [% END %] [% SET bankable = 0, ctotal = 0, dtotal = 0, cctotal = 0, cdtotal = 0 %] @@ -88,9 +99,12 @@ [% rdtotal | $Price %] ([% rcdtotal | $Price %]) [% SET dtotal = dtotal + rdtotal %] [% SET cdtotal = cdtotal + rcdtotal %] + + [% IF CAN_user_cash_management_cashup %] + [% END %] [% END %] @@ -100,7 +114,11 @@ [% bankable | $Price %] [% ctotal | $Price %] ([% cctotal | $Price %]) [% dtotal | $Price %] ([% cdtotal | $Price %]) - + [% IF CAN_user_cash_management_cashup %] + + + + [% END %] diff --git a/pos/registers.pl b/pos/registers.pl index c2194a2417..44c81363fb 100755 --- a/pos/registers.pl +++ b/pos/registers.pl @@ -56,18 +56,10 @@ else { my $op = $input->param('op') // ''; if ( $op eq 'cashup' ) { - my $registerid = $input->param('registerid'); - if ($registerid) { - my $register = Koha::Cash::Registers->find( { id => $registerid } ); - $register->add_cashup( - { - manager_id => $logged_in_user->id, - amount => $register->outstanding_accountlines->total - } - ); - } - else { - for my $register ( $registers->as_list ) { + if ( $logged_in_user->has_permission( { cash_management => 'cashup' } ) ) { + my $registerid = $input->param('registerid'); + if ($registerid) { + my $register = Koha::Cash::Registers->find( { id => $registerid } ); $register->add_cashup( { manager_id => $logged_in_user->id, @@ -75,6 +67,19 @@ if ( $op eq 'cashup' ) { } ); } + else { + for my $register ( $registers->as_list ) { + $register->add_cashup( + { + manager_id => $logged_in_user->id, + amount => $register->outstanding_accountlines->total + } + ); + } + } + } + else { + $template->param( error_cashup_permission => 1 ); } } -- 2.39.5
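Review bot: Inside the new permission branch, `Koha::Cash::Registers->find( { id => $registerid } )` can return undef for an unknown or mistyped `registerid`, and the context line `$register->add_cashup(` that follows would then die with a method call on an undefined value instead of reporting a clean error. Guard the lookup before using it, e.g. `if ( my $register = Koha::Cash::Registers->find( { id => $registerid } ) ) {` with an `else` that sets `$template->param( error_register_not_found => 1 );`, so this path degrades the same way the new `error_cashup_permission` path does. Note also that an explicit `registerid` is resolved class-wide while the bulk path iterates `$registers`, which appears to be the displayed library's set; if that set is branch-scoped, a user with the cashup permission could presumably cash up another library's register by editing the id, so confirm whether that is intended or whether the lookup should be restricted to `$registers`. Separately, this is a state-changing action selected only by `$input->param('op')`; nothing in the hunk shows a POST or CSRF-token check, so confirm the surrounding script enforces one before `add_cashup` is reached.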