Bug 26023: Properly secure the cashup and refund actions
authorMartin Renvoize <martin.renvoize@ptfs-europe.com>
Tue, 4 Aug 2020 14:02:03 +0000 (15:02 +0100)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Mon, 24 Aug 2020 08:12:42 +0000 (10:12 +0200)
The cash register summary page for cash management is available for users
with the 'anonymous_refund' or 'cashup' permission and the actions available
are appropriately displayed.

However, the permissions are not yet enforced on the server side, so a user
lacking them can still perform the action by submitting the request directly.

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

koha-tmpl/intranet-tmpl/prog/en/modules/pos/register.tt
pos/register.pl

index f995580..6970d1d 100644 (file)
                 </div>
             [% ELSE %]
 
+            [% IF ( error_cashup_permission ) %]
+            <div id="error_message" class="dialog alert">
+                You do not have permission to perform cashup actions.
+            </div>
+            [% END %]
+
+            [% IF ( error_refund_permission ) %]
+            <div id="error_message" class="dialog alert">
+                You do not have permission to perform refund actions.
+            </div>
+            [% END %]
+
             [% IF ( CAN_user_cash_management_cashup ) %]
             <div id="toolbar" class="btn-toolbar">
                 <button id="pos_cashup" type="button" class="btn btn-default" data-toggle="modal" data-target="#confirmCashupModal" ><i class="fa fa-money"></i> Record cashup</button>
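Review bot: The two new dialogs both use `id="error_message"`, which is invalid HTML whenever both render on the same page; the server code only sets one flag per request today, so this is a latent rather than a live defect, but it is cheap to avoid. Either give them distinct ids (`id="error_cashup_permission"` / `id="error_refund_permission"`) or fold them into a single dialog whose message is chosen by an inner `[% IF %]`. The enclosing `[% ELSE %]` branch starts outside the hunk, so I cannot tell what condition gates this whole section.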
index ada83c4..e73f3c1 100755 (executable)
@@ -102,45 +102,55 @@ else {
 
     my $op = $input->param('op') // '';
     if ( $op eq 'cashup' ) {
-        $cash_register->add_cashup(
-            {
-                manager_id => $logged_in_user->id,
-                amount     => $cash_register->outstanding_accountlines->total
-            }
-        );
+        if ( $logged_in_user->has_permission( { cash_management => 'cashup' } ) ) {
+            $cash_register->add_cashup(
+                {
+                    manager_id => $logged_in_user->id,
+                    amount     => $cash_register->outstanding_accountlines->total
+                }
+            );
+        }
+        else {
+            $template->param( error_cashup_permission => 1 );
+        }
     }
     elsif ( $op eq 'refund' ) {
-        my $amount           = $input->param('amount');
-        my $quantity         = $input->param('quantity');
-        my $accountline_id   = $input->param('accountline');
-        my $transaction_type = $input->param('transaction_type');
-
-        my $accountline = Koha::Account::Lines->find($accountline_id);
-        $schema->txn_do(
-            sub {
-
-                my $refund = $accountline->reduce(
-                    {
-                        reduction_type => 'Refund',
-                        branch         => $library_id,
-                        staff_id       => $logged_in_user->id,
-                        interface      => 'intranet',
-                        amount         => $amount
-                    }
-                );
-                my $payout = $refund->payout(
-                    {
-                        payout_type   => $transaction_type,
-                        branch        => $library_id,
-                        staff_id      => $logged_in_user->id,
-                        cash_register => $cash_register->id,
-                        interface     => 'intranet',
-                        amount        => $amount
-                    }
-                );
+        if ( $logged_in_user->has_permission( { cash_management => 'anonymous_refund' } ) ) {
+            my $amount           = $input->param('amount');
+            my $quantity         = $input->param('quantity');
+            my $accountline_id   = $input->param('accountline');
+            my $transaction_type = $input->param('transaction_type');
+
+            my $accountline = Koha::Account::Lines->find($accountline_id);
+            $schema->txn_do(
+                sub {
+
+                    my $refund = $accountline->reduce(
+                        {
+                            reduction_type => 'Refund',
+                            branch         => $library_id,
+                            staff_id       => $logged_in_user->id,
+                            interface      => 'intranet',
+                            amount         => $amount
+                        }
+                    );
+                    my $payout = $refund->payout(
+                        {
+                            payout_type   => $transaction_type,
+                            branch        => $library_id,
+                            staff_id      => $logged_in_user->id,
+                            cash_register => $cash_register->id,
+                            interface     => 'intranet',
+                            amount        => $amount
+                        }
+                    );
 
-            }
-        );
+                }
+            );
+        }
+        else {
+            $template->param( error_refund_permission => 1 );
+        }
     }
 }