opac-article-request-cancel.pl doesn't check that the article request to
be cancelled actually belongs to the logged-in borrower. This results in
any logged-in user being able to cancel any article request just by
changing the id in the URL.
Test plan:
- Login with Patron P1, create an article request
- Cancel it
- Create another one
- Copy the cancellation link (must be /cgi-bin/koha/opac-article-request-cancel.pl?id=X)
- Login with Patron P2
- Hit the cancellation link
=> Without this patch the article request is cancelled
=> With this patch applied there is a 404 redirection
Note that the 404 will also appear when the article request id does not
exist.
Signed-off-by: Ere Maijala <ere.maijala@helsinki.fi>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
(cherry picked from commit 0b931d5de3c4fe9fa2b4823d9b8727b28a46aa7c)
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit dc32211a8ea12e67453e5af9edaac0a73b52e2de)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
(cherry picked from commit 96a700c3dd0d4008c6c0250ac24c8c0c2e8b9dee)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
my $id = $query->param('id');
-if ( $id && $borrowernumber ) {
+if ( $id ) {
my $ar = Koha::ArticleRequests->find( $id );
- $ar->cancel() if $ar;
+ if ( !$ar || $ar->borrowernumber != $borrowernumber ) {
+ print $query->redirect("/cgi-bin/koha/errors/404.pl");
+ exit;
+ }
+
+ $ar->cancel();
}
print $query->redirect("/cgi-bin/koha/opac-user.pl#opac-user-article-requests");
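Review bot: the guard is weakened from `if ( $id && $borrowernumber )` to `if ( $id )`, so the ownership test `$ar->borrowernumber != $borrowernumber` now depends entirely on `$borrowernumber` being populated by the authentication step above this hunk; if it were ever undef, Perl's numeric `!=` would compare against 0 with only a warning, and a stray request with borrowernumber 0 would pass. Keeping `$borrowernumber` in the condition (or adding an explicit `defined $borrowernumber` check before the comparison) costs nothing and makes the ownership check self-contained. The rest of the hunk is sound: sending both the not-found and the not-owner case to the same `/cgi-bin/koha/errors/404.pl` redirect, as the commit message notes, avoids telling a caller whether a given id exists, and the `exit` after the redirect correctly prevents falling through to `$ar->cancel()` and the final `opac-user.pl` redirect.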