From 85489f7bdfe588301d87cc6d5313fe1be3b4e337 Mon Sep 17 00:00:00 2001 From: Mark Tompsett Date: Tue, 23 Sep 2014 10:12:12 -0400 Subject: [PATCH] Bug 643: QA Followup - server-side verification of permissions Only allow $force_allow=1 if the logged in user has permissions. TEST PLAN --------- Attempt to intentionally override the checkout by passing an appropriately handcrafted URL. -- Regardless of the force_allow value, it should be not allowed for those lacking the force_checkout permission. NOTE: I didn't test this. I figured Marc Veron could do that. :) (Sorry, couldn't easily get git bz to work with the accent) Signed-off-by: Nick Clemens Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi --- circ/circulation.pl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/circ/circulation.pl b/circ/circulation.pl index 131c8b097f..c920787a91 100755 --- a/circ/circulation.pl +++ b/circ/circulation.pl @@ -27,7 +27,7 @@ use warnings; use CGI; use C4::Output; use C4::Print; -use C4::Auth qw/:DEFAULT get_session/; +use C4::Auth qw/:DEFAULT get_session haspermission/; use C4::Dates qw/format_date/; use C4::Branch; # GetBranches use C4::Koha; # GetPrinter @@ -98,6 +98,9 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user ( my $branches = GetBranches(); my $force_allow_issue = $query->param('forceallow') || 0; +if (!C4::Auth::haspermission( C4::Context->userenv->{id} , { circulate => 'force_checkout' } )) { + $force_allow_issue = 0; +} my @failedrenews = $query->param('failedrenew'); # expected to be itemnumbers our %renew_failed = (); -- 2.39.5