[Koha-bugs] [Bug 12873] Reserve can be cancelled by any logged in user
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Sep 4 17:15:07 CEST 2014
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=12873
--- Comment #3 from Jonathan Druart <jonathan.druart at biblibre.com> ---
Created attachment 31378
-->
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=31378&action=edit
Bug 12873 - Reserve can be cancelled by any logged in user
It is possible to cancel reservations through simply running opac-modreserve.pl
with existing reserve_id number. This may provide remove even all reservations
from system. The only limitation is that user have to be logged in. Simplest
solution is to check whether reserve belongs to user or not.
Test plan:
1. Create reserves by 2 different users, and get their ID's
2. Before patch, hold may by cancelled by anyone who run site:
http://example.com/cgi-bin/koha/opac-modrequest.pl?reserve_id=XXX
3. After patch hold may by cancelled only by user whose reserve is.
Signed-off-by: Jonathan Druart <jonathan.druart at biblibre.com>
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list