From 89cda847a1852a0b42b79f245af57ec4ae429bd3 Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Tue, 9 Nov 2010 22:00:50 -0500
Subject: [PATCH] follow-up to reports permissions patch
* Enforce the requirement that the user must have the
create_reports permission in order to delete a saved report;
closes hole where unprivileged user could delete reports
by constructing a URL maliciously
* Added another tweak of the template - don't offer option
to create a new report if the user doesn't have permission.
Signed-off-by: Galen Charlton
Signed-off-by: Chris Cormack
---
.../prog/en/modules/reports/guided_reports_start.tmpl | 7 ++++++-
reports/guided_reports.pl | 2 +-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
index 320c8512dc..c5868a0b44 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
@@ -134,7 +134,12 @@ canned reports and writing custom SQL reports.
-There are no saved reports. Build new?
+There are no saved reports.
+
+ Build new?
+
+
+
diff --git a/reports/guided_reports.pl b/reports/guided_reports.pl
index f5139ddf78..4be4e79859 100755
--- a/reports/guided_reports.pl
+++ b/reports/guided_reports.pl
@@ -44,7 +44,7 @@ my $input = new CGI;
my $phase = $input->param('phase');
my $flagsrequired;
-if ( $phase eq 'Build new' ) {
+if ( $phase eq 'Build new' or $phase eq 'Delete Saved' ) {
$flagsrequired = 'create_reports';
}
elsif ( $phase eq 'Use saved' ) {
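Review bot: The permission chosen here is keyed on an exact, case-sensitive match of a client-supplied string, so a `phase` value that is not spelled exactly `'Delete Saved'` will not reach this branch and instead takes whatever the later `elsif`/fallback selects; that fallback is outside the hunk, and the check only holds if it picks the most restrictive flag rather than a weaker one. It is also worth guarding the comparison against a missing parameter, since `$input->param('phase')` returns undef when absent and `eq` then warns on every request: `my $phase = $input->param('phase') // '';`. A lookup table with an explicit default, e.g. `my %flags_for_phase = ('Build new' => 'create_reports', 'Delete Saved' => 'create_reports', 'Use saved' => 'execute_reports'); $flagsrequired = $flags_for_phase{$phase} // 'create_reports';`, would make the default-deny intent visible at one place instead of across the chain. The `if`/`elsif` chain continues past the end of the hunk.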
--
2.39.2