[Bug 26023] New: Incorrect permissions handling for cashup actions on the library level registers summary page
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Bug ID: 26023 Summary: Incorrect permissions handling for cashup actions on the library level registers summary page Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Fines and fees Assignee: koha-bugs@lists.koha-community.org Reporter: martin.renvoize@ptfs-europe.com QA Contact: testopia@bugs.koha-community.org The cashup action is available via the registers page, which summarises a libraries takings for all registers and is available to users with the 'refund' OR 'cashup' permission. Users without the 'cashup' permission should not be able to take the cashup action. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |major -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |26017 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26017 [Bug 26017] Cashup registers never shows on tools page -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 --- Comment #1 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 107081 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=107081&action=edit Bug 26023: Properly secure the cashup action for libraries The libraries summary page for cash management is available for users wit the 'anonymous_refund' permission to allow them to navigate to alternate cash registers and search for the prior transaction to refund. However, currently the cashup option appears, and is not blocked at the server, for all user who may access the page. It should be blocked for those users without the 'cashup' permission. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de, | |sally.healey@cheshireshared | |services.gov.uk -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 --- Comment #2 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Test Plan 1/ Setup some cash registers 2/ Login as a user with just the 'refund' permission 3/ Note that you can still access the 'Cashup registers' page from either 'Tools' or the left menu that appears on Point of Sale pages. 4/ Note that you do not see the 'Cashup' actions available 5/ Login as a user with the 'cashup' permission 6/ You should still be able to access the above page 7/ You should not see the cashup actions Bonus points 8/ Without the 'cashup' permission attempt to 'POST' a cashup action (copy a the URL for a cashup action that appears when you were logged in as a user with correction permissions, and paste it into the address bar once you are logged in as a user without the permission 9/ You should be displayed with the registers page with an error message appearing to state that the cashup action was not allowed to take place due to permissions deficiencies. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |13985 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13985 [Bug 13985] Cash Management - Koha as 'Point of Sale' -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #107081|0 |1 is obsolete| | --- Comment #3 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 107082 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=107082&action=edit Bug 26023: Properly secure the cashup action for libraries The libraries summary page for cash management is available for users wit the 'anonymous_refund' permission to allow them to navigate to alternate cash registers and search for the prior transaction to refund. However, currently the cashup option appears, and is not blocked at the server, for all user who may access the page. It should be blocked for those users without the 'cashup' permission. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #107082|0 |1 is obsolete| | --- Comment #4 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 107767 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=107767&action=edit Bug 26023: Properly secure the cashup action for libraries The libraries summary page for cash management is available for users wit the 'anonymous_refund' permission to allow them to navigate to alternate cash registers and search for the prior transaction to refund. However, currently the cashup option appears, and is not blocked at the server, for all user who may access the page. It should be blocked for those users without the 'cashup' permission. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 --- Comment #5 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 107768 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=107768&action=edit Bug 26023: Properly secure the cashup and refund actions The cash register summary page for cash management is available for users with the 'anonymous_refund' or 'cashup' permission and the actions available are appropriately displayed. However, the actions are not yet correctly tested for at the server and so a user may force submit to accomplish the action. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |martin.renvoize@ptfs-europe |ity.org |.com -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@bugs.koha-c | |ommunity.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kyle@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #107767|0 |1 is obsolete| | Attachment #107768|0 |1 is obsolete| | --- Comment #6 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 108171 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=108171&action=edit Bug 26023: Properly secure the cashup action for libraries The libraries summary page for cash management is available for users wit the 'anonymous_refund' permission to allow them to navigate to alternate cash registers and search for the prior transaction to refund. However, currently the cashup option appears, and is not blocked at the server, for all user who may access the page. It should be blocked for those users without the 'cashup' permission. Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 --- Comment #7 from Nick Clemens <nick@bywatersolutions.com> --- Created attachment 108172 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=108172&action=edit Bug 26023: Properly secure the cashup and refund actions The cash register summary page for cash management is available for users with the 'anonymous_refund' or 'cashup' permission and the actions available are appropriately displayed. However, the actions are not yet correctly tested for at the server and so a user may force submit to accomplish the action. Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |katrin.fischer@bsz-bw.de |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 --- Comment #8 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- (In reply to Martin Renvoize from comment #2)
Test Plan 1/ Setup some cash registers 2/ Login as a user with just the 'refund' permission 3/ Note that you can still access the 'Cashup registers' page from either 'Tools' or the left menu that appears on Point of Sale pages. 4/ Note that you do not see the 'Cashup' actions available 5/ Login as a user with the 'cashup' permission 6/ You should still be able to access the above page 7/ You should not see the cashup actions Bonus points 8/ Without the 'cashup' permission attempt to 'POST' a cashup action (copy a the URL for a cashup action that appears when you were logged in as a user with correction permissions, and paste it into the address bar once you are logged in as a user without the permission 9/ You should be displayed with the registers page with an error message appearing to state that the cashup action was not allowed to take place due to permissions deficiencies.
I have a bit of trouble following the test plan here: 1-4) My user has catalog and refund permissions. With the patch applied, this prevents me from accessing: http://localhost:8081/cgi-bin/koha/pos/registers.pl 5-7) If the user has cashup permission, should they not be able to see the cashup actions? (typo) So I cannot check for the actions not showing. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|katrin.fischer@bsz-bw.de |testopia@bugs.koha-communit | |y.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 --- Comment #9 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- (In reply to Katrin Fischer from comment #8)
(In reply to Martin Renvoize from comment #2)
Test Plan 1/ Setup some cash registers 2/ Login as a user with just the 'refund' permission
Oops.. this should have been 'anonymous_refund'.. i.e. the subpermission in cash_management rather than the subpermission of accounts.. my apologies.
I have a bit of trouble following the test plan here:
1-4) My user has catalog and refund permissions. With the patch applied, this prevents me from accessing: http://localhost:8081/cgi-bin/koha/pos/registers.pl
See above: However I do wonder if at some point the availability of this page may need/want to fall outside of the cash_management permissions or have it's own permission associated with it (one for another bug however, once I understand the possible use case) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 --- Comment #10 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- I think we might still want to some refinements, for example having "cash register" on admin and on tools, but not being the same thing is a little confusing. But that's out of scope here and this improves things. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA Patch complexity|--- |Small patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #108171|0 |1 is obsolete| | --- Comment #11 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 108772 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=108772&action=edit Bug 26023: Properly secure the cashup action for libraries The libraries summary page for cash management is available for users wit the 'anonymous_refund' permission to allow them to navigate to alternate cash registers and search for the prior transaction to refund. However, currently the cashup option appears, and is not blocked at the server, for all user who may access the page. It should be blocked for those users without the 'cashup' permission. Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #108172|0 |1 is obsolete| | --- Comment #12 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 108773 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=108773&action=edit Bug 26023: Properly secure the cashup and refund actions The cash register summary page for cash management is available for users with the 'anonymous_refund' or 'cashup' permission and the actions available are appropriately displayed. However, the actions are not yet correctly tested for at the server and so a user may force submit to accomplish the action. Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 --- Comment #13 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Martin, I think we should use "blocking errors" way for that kind of error. At the top of the script we can have output_and_exit( $input, $cookie, $template, 'insufficient_permission' ) if $op eq 'cashup' && not $logged_in_user->has_permission( { cash_management => 'cashup' } ) Not enough to block the push however. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to master Version(s)| |20.11.00 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 --- Comment #14 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Pushed to master for 20.11, thanks to everybody involved! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023 Aleisha Amohia <aleisha@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aleisha@catalyst.net.nz Status|Pushed to master |Pushed to stable Version(s)|20.11.00 |20.11.00, 20.05.04 released in| | --- Comment #15 from Aleisha Amohia <aleisha@catalyst.net.nz> --- backported to 20.05.x for 20.05.04 (comment for Lucas) missing dependencies, not backported to 19.11.x -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org