https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23415 --- Comment #149 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 188338 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=188338&action=edit Bug 23415: (QA follow-up) Fix critical logic and security issues This commit addresses several critical issues found in QA review: 1. Fixed critical logic bug in C4::Circulation::CanBookBeRenewed - Removed incorrect check of AllowFineOverrideRenewing preference - The function now always returns 'too_much_oweing' error when patron balance exceeds FineNoRenewals limit - AllowFineOverrideRenewing should only control UI override capability, not the core renewal check 2. Added permission check in circ/renew.pl - Override is now only allowed when both override_debt parameter is set AND AllowFineOverrideRenewing preference is enabled - Prevents security issue where staff could bypass the preference by crafting POST requests 3. Fixed template to conditionally display override button - Override button in renew.tt now only shows when AllowFineOverrideRenewing is enabled - Prevents confusion when override is not permitted 4. Added comprehensive test coverage - Tests verify CanBookBeRenewed behavior with AllowFineOverrideRenewing both enabled and disabled - Confirms error is always returned regardless of preference setting - Increased test count from 116 to 120 5. Fixed minor issues - Fixed typo: "he patron" -> "the patron" in checkouts.js - Fixed typo: OPACFineNoRenewalsIncludeCredit -> OPACFineNoRenewalsIncludeCredits in test All tests pass successfully. -- You are receiving this mail because: You are watching all bug changes.