This patch adds a step to verify that an operator has the writeoff
permission before allowing them to forgive overdue fines during
checkin, which was possible if the operator manually added an
"exemptfines" URL parameter.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
my $itemnumber;
my $barcode = $query->param('barcode');
my $exemptfine = $query->param('exemptfine');
my $itemnumber;
my $barcode = $query->param('barcode');
my $exemptfine = $query->param('exemptfine');
+if (
+ $exemptfine &&
+ !C4::Auth::haspermission(C4::Context->userenv->{'id'}, {'updatecharges' => 'writeoff'})
+) {
+ # silently prevent unauthorized operator from forgiving overdue
+ # fines by manually tweaking form parameters
+ undef $exemptfine;
+}
my $dropboxmode = $query->param('dropboxmode');
my $dotransfer = $query->param('dotransfer');
my $canceltransfer = $query->param('canceltransfer');
my $dropboxmode = $query->param('dropboxmode');
my $dotransfer = $query->param('dotransfer');
my $canceltransfer = $query->param('canceltransfer');