Bug 9448: (follow-up) prevent unauthorized operator from bypassing check on forgiving...
author Galen Charlton <gmc@esilibrary.com>
Thu, 17 Apr 2014 16:09:40 +0000 (16:09 +0000)
committer Galen Charlton <gmc@esilibrary.com>
Thu, 17 Apr 2014 16:09:40 +0000 (16:09 +0000)
This patch adds a step to verify that an operator has the writeoff
permission before allowing them to forgive overdue fines during
checkin, which was possible if the operator manually added an
"exemptfines" URL parameter.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>
circ/returns.pl

index 93f36f2..4abac2e 100755 (executable)
@@ -172,6 +172,14 @@ my $issueinformation;
 my $itemnumber;
 my $barcode     = $query->param('barcode');
 my $exemptfine  = $query->param('exemptfine');
+if (
+  $exemptfine &&
+  !C4::Auth::haspermission(C4::Context->userenv->{'id'}, {'updatecharges' => 'writeoff'})
+) {
+    # silently prevent unauthorized operator from forgiving overdue
+    # fines by manually tweaking form parameters
+    undef $exemptfine;
+}
 my $dropboxmode = $query->param('dropboxmode');
 my $dotransfer  = $query->param('dotransfer');
 my $canceltransfer = $query->param('canceltransfer');
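Review bot: the `undef $exemptfine;` branch discards a tampered parameter with no record of it, so an operator probing the check leaves no trace; consider a `warn` (or the project's usual logging) naming the operator id and the rejected parameter before the `undef`, since a deliberately injected `exemptfine` from an operator lacking `updatecharges => writeoff` is exactly the event staff would want to find in the logs. The check also assumes `C4::Context->userenv` returns a hashref with an `id` key; if `userenv` can be undefined at this point in `returns.pl`, the `->{'id'}` dereference dies before `haspermission` runs, so a guard on `userenv` would keep the failure mode explicit. Minor: the commit message refers to an "exemptfines" parameter while the code reads `$query->param('exemptfine')`; aligning the message with the actual parameter name avoids confusion for anyone searching the history.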