use CGI qw ( -utf8 );
-use C4::Auth;
-use Koha::DateUtils;
-use Koha::Patron::Debarments;
+use C4::Auth qw( checkauth );
+use Koha::DateUtils qw( dt_from_string );
+use Koha::Patron::Debarments qw( AddDebarment DelDebarment );
-my $cgi = new CGI;
+my $cgi = CGI->new;
-my ( $loggedinuser, $cookie, $sessionID ) = checkauth( $cgi, 0, { borrowers => 1 }, 'intranet' );
+my ( $loggedinuserid, $cookie, $sessionID ) = checkauth( $cgi, 0, { borrowers => 'edit_borrowers' }, 'intranet' );
my $borrowernumber = $cgi->param('borrowernumber');
my $action = $cgi->param('action');
+my $logged_in_user = Koha::Patrons->find( { userid => $loggedinuserid } );
+my $patron = Koha::Patrons->find($borrowernumber);
+
+# Ideally we should display a warning on the interface if the patron is not allowed
+# to modify a debarment
+# But a librarian is not supposed to hack the system
+$action = '' unless $logged_in_user->can_see_patron_infos( $patron );
+
if ( $action eq 'del' ) {
DelDebarment( scalar $cgi->param('borrower_debarment_id') );
} elsif ( $action eq 'add' ) {
my $expiration = $cgi->param('expiration');
+ my $type = $cgi->param('debarred_type') // 'MANUAL';
if ($expiration) {
$expiration = dt_from_string($expiration);
$expiration = $expiration->ymd();
AddDebarment(
{ borrowernumber => $borrowernumber,
- type => 'MANUAL',
+ type => $type,
comment => scalar $cgi->param('comment'),
expiration => $expiration,
}