[Koha-bugs] [Bug 22724] Staff without writeoff permissions have access to 'Write off selected' button on Pay Fines tab

bugzilla-daemon at bugs.koha-community.org
Wed May 15 00:38:10 CEST 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22724

--- Comment #13 from Hayley Mapley <hayleymapley at catalyst.net.nz> ---
(In reply to Nick Clemens from comment #11)
> Hi Hayley,
> 
> We need a server-side check here for the permissions. With these patches I
> can inspect the element, add the write-off button to submit, and write off
> the charge.
> 
> This is probably true for payments as well. This will prevent 90% of the
> cases, but we should probably strictly enforce.
> 
> You can git grep for haspermission to see some examples.

The second patch that I added enforced removal of the submit button if the
staff user managed to find a way to get to paycollect.tt to confirm the
payment/writeoff (either through constructing a URL or adding the button
somehow). If the user doesn't have the permissions, the button will not be
there. Is this the button you talked about adding manually to the page?

If this isn't your concern, I will look into the server-side check you
mentioned.

Thanks for looking at it!

-- 
You are receiving this mail because:
You are watching all bug changes.
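
The difference between the two controls discussed in this thread (removing the button in the template versus checking the permission in the request handler), as an added example that is not Koha code and not written by either participant. The permission table, the `has_permission` helper, the handler names and the request fields are hypothetical stand-ins constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: staff logins and the permissions each one holds.
my %STAFF_PERMS = (
    alice => { payment => 1, writeoff => 1 },
    bob   => { payment => 1 },    # may take payments, may not write off
);

# Hypothetical stand-in for a real permission lookup.
sub has_permission {
    my ( $user, $perm ) = @_;
    my $perms = $STAFF_PERMS{$user} or return 0;
    return $perms->{$perm} ? 1 : 0;
}

# Permission each submitted action requires (constructed names).
my %REQUIRED = ( pay => 'payment', writeoff => 'writeoff' );

# Template-only control: the button is hidden, but the handler performs
# whatever action arrives in the request.
sub handle_template_only {
    my ( $user, $params ) = @_;
    return +{ status => 200, done => $params->{action} };
}

# Server-side control: the handler re-checks the permission on every request.
sub handle_enforced {
    my ( $user, $params ) = @_;
    my $action = $params->{action} // '';
    my $needed = $REQUIRED{$action};
    return +{ status => 400, error => 'unknown action' } unless $needed;
    unless ( has_permission( $user, $needed ) ) {
        warn "denied: user=$user action=$action\n";    # audit trail for review
        return +{ status => 403, error => "missing $needed permission" };
    }
    return +{ status => 200, done => $action };
}

# Constructed request: the write-off action arrives although no button was rendered.
my $request = { action => 'writeoff', amount => '5.00' };
for my $user (qw(alice bob)) {
    my $weak   = handle_template_only( $user, $request );
    my $strict = handle_enforced( $user, $request );
    printf "%-5s template-only=%d enforced=%d\n",
        $user, $weak->{status}, $strict->{status};
}
```

The enforced handler decides from the authenticated user and the requested action alone, so its result does not depend on which controls the page rendered.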

