Bug 18898 - Some permissions for Reports can be bypassed
author: David Cook <dcook@prosentient.com.au>
Thu, 27 Jul 2017 01:58:28 +0000 (11:58 +1000)
committer: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 9 Aug 2017 19:51:41 +0000 (16:51 -0300)
If you manually visit the following links when you only have
permission to run reports, you'll still be able to access the ability
to create and edit reports:

/cgi-bin/koha/reports/guided_reports.pl?phase=Create%20report%20from%20SQL
/cgi-bin/koha/reports/guided_reports.pl?phase=Edit%20SQL

This patch ties these 2 unaccounted-for phases to the create_reports
permission.

With patch, issue no longer can be reproduced.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

reports/guided_reports.pl

index b81e84f..bfd0a76 100755 (executable)
@@ -53,7 +53,7 @@ my $usecache = Koha::Caches->get_instance->memcached_cache;
 
 my $phase = $input->param('phase') // '';
 my $flagsrequired;
-if ( $phase eq 'Build new' ) {
+if ( ( $phase eq 'Build new' ) || ( $phase eq 'Create report from SQL' ) || ( $phase eq 'Edit SQL' ) ){
     $flagsrequired = 'create_reports';
 }
 elsif ( $phase eq 'Use saved' ) {
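Review bot: the new `if` condition in this hunk hardcodes a third string comparison into an already long line, and the closing `){` drops the space that the surrounding `elsif ( ... ) {` lines use; a lookup table would keep the list of create_reports phases in one place and make future additions less error-prone, e.g. `my %create_phases = map { $_ => 1 } ( 'Build new', 'Create report from SQL', 'Edit SQL' );` followed by `if ( $create_phases{$phase} ) {`. Since `$flagsrequired` is declared undefined just above and only set inside the `if`/`elsif` chain, it is worth confirming in the unchanged context below the hunk that any phase value not matched by a branch still falls through to a restrictive default rather than to no flag at all, because the bug being fixed is exactly an unlisted phase string reaching a privileged code path.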