Bug 26023: Properly secure the cashup action for libraries
authorMartin Renvoize <martin.renvoize@ptfs-europe.com>
Mon, 20 Jul 2020 08:44:05 +0000 (09:44 +0100)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Mon, 24 Aug 2020 08:12:42 +0000 (10:12 +0200)
The libraries summary page for cash management is available for users
with the 'anonymous_refund' permission to allow them to navigate to
alternate cash registers and search for the prior transaction to refund.

However, currently the cashup option appears, and is not blocked at the
server, for all users who may access the page. It should be blocked for
those users without the 'cashup' permission.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

koha-tmpl/intranet-tmpl/prog/en/modules/pos/registers.tt
pos/registers.pl

index 4e373fc..65f593a 100644 (file)
                             [% END %]
                         </div>
                     [% ELSE %]
+
+                    [% IF ( error_cashup_permission ) %]
+                    <div id="error_message" class="dialog alert">
+                        You do not have permission to perform cashup actions.
+                    </div>
+                    [% END %]
+
+                    [% IF CAN_user_cash_management_cashup %]
                     <div id="toolbar" class="btn-toolbar">
                         <button type="button" class="cashup_all btn btn-default" data-toggle="modal" data-target="#confirmCashupAllModal"><i class="fa fa-money"></i> Cashup all</button>
                     </div>
+                    [% END %]
 
                     <h1>Library transaction details for [% library.branchname | html %]</h1>
 
@@ -54,7 +63,9 @@
                             <th>Bankable</th>
                             <th>Income (cash)</th>
                             <th>Outgoing (cash)</th>
+                            [% IF CAN_user_cash_management_cashup %]
                             <th>Actions</th>
+                            [% END %]
                         </thead>
                         <tbody>
                             [% SET bankable = 0, ctotal = 0, dtotal = 0, cctotal = 0, cdtotal = 0 %]
                                     [% rdtotal | $Price %] ([% rcdtotal | $Price %])
                                     [% SET dtotal = dtotal + rdtotal %]
                                     [% SET cdtotal = cdtotal + rcdtotal %]
+                                </td>
+                                [% IF CAN_user_cash_management_cashup %]
                                 <td>
                                     <button type="button" class="cashup_individual btn btn-default" data-toggle="modal" data-target="#confirmCashupModal" data-register="[% register.description | html %]" data-bankable="[% rbankable | $Price %]" data-float="[% register.starting_float | $Price %]" data-registerid="[% register.id | html %]"><i class="fa fa-money"></i> Record cashup</button>
                                 </td>
+                                [% END %]
                             </tr>
                             [% END %]
                         </tbody>
                                 <td>[% bankable | $Price %]</td>
                                 <td>[% ctotal | $Price %] ([% cctotal | $Price %])</td>
                                 <td>[% dtotal | $Price %] ([% cdtotal | $Price %])</td>
-                                <td><button type="button" class="cashup_all btn btn-default" data-toggle="modal" data-target="#confirmCashupAllModal"><i class="fa fa-money"></i> Cashup all</button></td>
+                                [% IF CAN_user_cash_management_cashup %]
+                                <td>
+                                    <button type="button" class="cashup_all btn btn-default" data-toggle="modal" data-target="#confirmCashupAllModal"><i class="fa fa-money"></i> Cashup all</button>
+                                </td>
+                                [% END %]
                             </tr>
                         </tfoot>
                     </table>
index c2194a2..44c8136 100755 (executable)
@@ -56,18 +56,10 @@ else {
 
 my $op = $input->param('op') // '';
 if ( $op eq 'cashup' ) {
-    my $registerid = $input->param('registerid');
-    if ($registerid) {
-        my $register = Koha::Cash::Registers->find( { id => $registerid } );
-        $register->add_cashup(
-            {
-                manager_id => $logged_in_user->id,
-                amount     => $register->outstanding_accountlines->total
-            }
-        );
-    }
-    else {
-        for my $register ( $registers->as_list ) {
+    if ( $logged_in_user->has_permission( { cash_management => 'cashup' } ) ) {
+        my $registerid = $input->param('registerid');
+        if ($registerid) {
+            my $register = Koha::Cash::Registers->find( { id => $registerid } );
             $register->add_cashup(
                 {
                     manager_id => $logged_in_user->id,
@@ -75,6 +67,19 @@ if ( $op eq 'cashup' ) {
                 }
             );
         }
+        else {
+            for my $register ( $registers->as_list ) {
+                $register->add_cashup(
+                    {
+                        manager_id => $logged_in_user->id,
+                        amount     => $register->outstanding_accountlines->total
+                    }
+                );
+            }
+        }
+    }
+    else {
+        $template->param( error_cashup_permission => 1 );
     }
 }