Bug 22068: Prevent patrons to cancel article request they did not create

opac-article-request-cancel.pl doesn't check that the article request to
be cancelled actually belongs to the logged-in borrower. This results in
any logged-in user being able to cancel any article request just by
changing the id in the URL.

Test plan:
- Login with Patron P1, create an article request
- Cancel it
- Create another one
- Copy the cancellation link (must be /cgi-bin/koha/opac-article-request-cancel.pl?id=X)
- Login with Patron P2
- Hit the cancellation link
=> Without this patch the article request is cancelled
=> With this patch applied there is a 404 redirection

Note that the 404 will also appears when the article request id does not
exist.

Signed-off-by: Ere Maijala <ere.maijala@helsinki.fi>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 0b931d5de3c4fe9fa2b4823d9b8727b28a46aa7c)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit dc32211a8ea12e67453e5af9edaac0a73b52e2de)

Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>

diff --git a/opac/opac-article-request-cancel.pl b/opac/opac-article-request-cancel.pl
index baaa0ae..0305808 100755 (executable)
--- a/opac/opac-article-request-cancel.pl
+++ b/opac/opac-article-request-cancel.pl
@@ -39,9 +39,14 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 
 my $id = $query->param('id');
 
-if ( $id && $borrowernumber ) {
+if ( $id ) {
     my $ar = Koha::ArticleRequests->find( $id );
-    $ar->cancel() if $ar;
+    if ( !$ar || $ar->borrowernumber != $borrowernumber ) {
+        print $query->redirect("/cgi-bin/koha/errors/404.pl");
+        exit;
+    }
+
+    $ar->cancel();
 }
 
 print $query->redirect("/cgi-bin/koha/opac-user.pl#opac-user-article-requests");