[Bug 26023] New: Incorrect permissions handling for cashup actions on the library level registers summary page

[Bug 26023] New: Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

            Bug ID: 26023
           Summary: Incorrect permissions handling for cashup actions on
                    the library level registers summary page
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Fines and fees
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]

The cashup action is available via the registers page, which summarises a
library's takings for all registers and is available to users with the 'refund'
OR 'cashup' permission.  Users without the 'cashup' permission should not be
able to take the cashup action.

--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
_______________________________________________
Koha-bugs mailing list
[hidden email]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |major


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |26017


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26017
[Bug 26017] Cashup registers never shows on tools page

[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

--- Comment #1 from Martin Renvoize <[hidden email]> ---
Created attachment 107081
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=107081&action=edit
Bug 26023: Properly secure the cashup action for libraries

The libraries summary page for cash management is available for users
with the 'anonymous_refund' permission to allow them to navigate to
alternate cash registers and search for the prior transaction to refund.

However, currently the cashup option appears, and is not blocked at the
server, for all users who may access the page. It should be blocked for
those users without the 'cashup' permission.


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |Needs Signoff


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email],
                   |                            |sally.healey@cheshireshared
                   |                            |services.gov.uk


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

--- Comment #2 from Martin Renvoize <[hidden email]> ---
Test Plan
1/ Set up some cash registers
2/ Log in as a user with just the 'refund' permission
3/ Note that you can still access the 'Cashup registers' page from either
'Tools' or the left menu that appears on Point of Sale pages.
4/ Note that you do not see the 'Cashup' actions available
5/ Log in as a user with the 'cashup' permission
6/ You should still be able to access the above page
7/ You should not see the cashup actions
Bonus points
8/ Without the 'cashup' permission attempt to 'POST' a cashup action (copy
the URL for a cashup action that appears when you were logged in as a user with
the correct permissions, and paste it into the address bar once you are logged
in as a user without the permission)
9/ You should be shown the registers page with an error message
stating that the cashup action was not allowed to take place due to
permissions deficiencies.


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |13985


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13985
[Bug 13985] Cash Management - Koha as 'Point of Sale'

[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #107081|0                           |1
        is obsolete|                            |

--- Comment #3 from Martin Renvoize <[hidden email]> ---
Created attachment 107082
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=107082&action=edit
Bug 26023: Properly secure the cashup action for libraries

The libraries summary page for cash management is available for users
with the 'anonymous_refund' permission to allow them to navigate to
alternate cash registers and search for the prior transaction to refund.

However, currently the cashup option appears, and is not blocked at the
server, for all users who may access the page. It should be blocked for
those users without the 'cashup' permission.


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #107082|0                           |1
        is obsolete|                            |

--- Comment #4 from Martin Renvoize <[hidden email]> ---
Created attachment 107767
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=107767&action=edit
Bug 26023: Properly secure the cashup action for libraries

The libraries summary page for cash management is available for users
with the 'anonymous_refund' permission to allow them to navigate to
alternate cash registers and search for the prior transaction to refund.

However, currently the cashup option appears, and is not blocked at the
server, for all users who may access the page. It should be blocked for
those users without the 'cashup' permission.


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

--- Comment #5 from Martin Renvoize <[hidden email]> ---
Created attachment 107768
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=107768&action=edit
Bug 26023: Properly secure the cashup and refund actions

The cash register summary page for cash management is available for users
with the 'anonymous_refund' or 'cashup' permission and the actions available
are appropriately displayed.

However, the actions are not yet correctly tested for at the server and
so a user may force submit to accomplish the action.


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|[hidden email]-commun |martin.renvoize@ptfs-europe
                   |ity.org                     |.com


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]-c
                   |                            |ommunity.org


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Martin Renvoize <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Nick Clemens <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |Signed Off


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Nick Clemens <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #107767|0                           |1
        is obsolete|                            |
 Attachment #107768|0                           |1
        is obsolete|                            |

--- Comment #6 from Nick Clemens <[hidden email]> ---
Created attachment 108171
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=108171&action=edit
Bug 26023: Properly secure the cashup action for libraries

The libraries summary page for cash management is available for users
with the 'anonymous_refund' permission to allow them to navigate to
alternate cash registers and search for the prior transaction to refund.

However, currently the cashup option appears, and is not blocked at the
server, for all users who may access the page. It should be blocked for
those users without the 'cashup' permission.

Signed-off-by: Nick Clemens <[hidden email]>


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

--- Comment #7 from Nick Clemens <[hidden email]> ---
Created attachment 108172
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=108172&action=edit
Bug 26023: Properly secure the cashup and refund actions

The cash register summary page for cash management is available for users
with the 'anonymous_refund' or 'cashup' permission and the actions available
are appropriately displayed.

However, the actions are not yet correctly tested for at the server and
so a user may force submit to accomplish the action.

Signed-off-by: Nick Clemens <[hidden email]>


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         QA Contact|[hidden email]-communit |[hidden email]
                   |y.org                       |


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

--- Comment #8 from Katrin Fischer <[hidden email]> ---
(In reply to Martin Renvoize from comment #2)

> Test Plan
> 1/ Set up some cash registers
> 2/ Log in as a user with just the 'refund' permission
> 3/ Note that you can still access the 'Cashup registers' page from either
> 'Tools' or the left menu that appears on Point of Sale pages.
> 4/ Note that you do not see the 'Cashup' actions available
> 5/ Log in as a user with the 'cashup' permission
> 6/ You should still be able to access the above page
> 7/ You should not see the cashup actions
> Bonus points
> 8/ Without the 'cashup' permission attempt to 'POST' a cashup action (copy
> the URL for a cashup action that appears when you were logged in as a user
> with the correct permissions, and paste it into the address bar once you are
> logged in as a user without the permission)
> 9/ You should be shown the registers page with an error message
> stating that the cashup action was not allowed to take place due
> to permissions deficiencies.

I have a bit of trouble following the test plan here:

1-4)
My user has catalog and refund permissions.
With the patch applied, this prevents me from accessing:
http://localhost:8081/cgi-bin/koha/pos/registers.pl

5-7)
If the user has cashup permission, should they not be able to see the cashup
actions? (typo)

So I cannot check for the actions not showing.


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         QA Contact|[hidden email]    |[hidden email]-communit
                   |                            |y.org


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

--- Comment #9 from Martin Renvoize <[hidden email]> ---
(In reply to Katrin Fischer from comment #8)
> (In reply to Martin Renvoize from comment #2)
> > Test Plan
> > 1/ Setup some cash registers
> > 2/ Login as a user with just the 'refund' permission

Oops.. this should have been 'anonymous_refund'.. i.e. the subpermission in
cash_management rather than the subpermission of accounts.. my apologies.

>
> I have a bit of trouble following the test plan here:
>
> 1-4)
> My user has catalog and refund permissions.
> With the patch applied, this prevents me from accessing:
> http://localhost:8081/cgi-bin/koha/pos/registers.pl

See above: However I do wonder if at some point the availability of this page
may need/want to fall outside of the cash_management permissions or have its
own permission associated with it (one for another bug however, once I
understand the possible use case)


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

--- Comment #10 from Katrin Fischer <[hidden email]> ---
I think we might still want some refinements, for example having "cash
register" on admin and on tools, but not being the same thing is a little
confusing. But that's out of scope here and this improves things.


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Signed Off                  |Passed QA
   Patch complexity|---                         |Small patch


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #108171|0                           |1
        is obsolete|                            |

--- Comment #11 from Katrin Fischer <[hidden email]> ---
Created attachment 108772
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=108772&action=edit
Bug 26023: Properly secure the cashup action for libraries

The libraries summary page for cash management is available for users
with the 'anonymous_refund' permission to allow them to navigate to
alternate cash registers and search for the prior transaction to refund.

However, currently the cashup option appears, and is not blocked at the
server, for all users who may access the page. It should be blocked for
those users without the 'cashup' permission.

Signed-off-by: Nick Clemens <[hidden email]>

Signed-off-by: Katrin Fischer <[hidden email]>


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Katrin Fischer <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #108172|0                           |1
        is obsolete|                            |

--- Comment #12 from Katrin Fischer <[hidden email]> ---
Created attachment 108773
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=108773&action=edit
Bug 26023: Properly secure the cashup and refund actions

The cash register summary page for cash management is available for users
with the 'anonymous_refund' or 'cashup' permission and the actions available
are appropriately displayed.

However, the actions are not yet correctly tested for at the server and
so a user may force submit to accomplish the action.

Signed-off-by: Nick Clemens <[hidden email]>

Signed-off-by: Katrin Fischer <[hidden email]>


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

--- Comment #13 from Jonathan Druart <[hidden email]> ---
Martin, I think we should use the "blocking errors" way for that kind of error.

At the top of the script we can have

output_and_exit( $input, $cookie, $template, 'insufficient_permission' )
  if $op eq 'cashup'
  && not $logged_in_user->has_permission( { cash_management => 'cashup' } );

Not enough to block the push however.

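As an added example (not Koha's own registers.pl and not code posted in this thread), a plain-Perl model of the server-side rule the thread settles on: either cash_management subpermission grants access to the summary page, each action is gated on its own subpermission, and the check runs before anything is changed, so the forced submission of test-plan steps 8 and 9 is refused just as the hidden button would be. The has_permission stand-in, the op table, the authorize_request name and the sample users are constructed assumptions; only the permission names and the 'insufficient_permission' error code come from the thread.

```perl
#!/usr/bin/perl
# Added illustration of server-side action gating for a cash register
# summary page.  Not Koha's registers.pl: the request/user shapes and the
# helper names below are assumptions made for this example.
use strict;
use warnings;

# Page access: either subpermission of cash_management is enough to view
# the summary page (refund-only users need it to reach other registers).
my @PAGE_ACCESS = qw(anonymous_refund cashup);

# Each state-changing 'op' is tied to exactly one subpermission.  An op not
# listed here is treated as a plain page view and changes nothing.
my %OP_REQUIRES = (
    cashup => 'cashup',
    refund => 'anonymous_refund',
);

# Hypothetical stand-in for
#   $logged_in_user->has_permission( { cash_management => $subperm } )
# where $user is a hashref whose 'cash_management' key holds the granted
# subpermissions.
sub has_permission {
    my ( $user, $subperm ) = @_;
    return exists $user->{cash_management}{$subperm} ? 1 : 0;
}

# Decide what the server should do with one request.  Returns the
# blocking-error code that would be handed to output_and_exit, or undef
# when the request may proceed.  Evaluated at the top of the request,
# before any register is touched, so hiding the button in the template is
# never the only control.
sub authorize_request {
    my ( $user, $op ) = @_;

    # 1. May this user see the page at all?
    return 'insufficient_permission'
        unless grep { has_permission( $user, $_ ) } @PAGE_ACCESS;

    # 2. If the request carries an action, gate it on its own subpermission;
    #    page access never implies action access.
    if ( defined $op && exists $OP_REQUIRES{$op} ) {
        return 'insufficient_permission'
            unless has_permission( $user, $OP_REQUIRES{$op} );
    }
    return;    # allowed
}

# Constructed sample users and requests; not real Koha data.
my %refund_only = ( cash_management => { anonymous_refund => 1 } );
my %cashup_only = ( cash_management => { cashup => 1 } );
my %no_cash     = ( cash_management => {} );

my @cases = (
    # user           op        expected result
    [ \%refund_only, undef,    undef ],                       # view page: ok
    [ \%refund_only, 'cashup', 'insufficient_permission' ],   # forced POST refused
    [ \%refund_only, 'refund', undef ],                       # own action: ok
    [ \%cashup_only, 'cashup', undef ],
    [ \%cashup_only, 'refund', 'insufficient_permission' ],
    [ \%no_cash,     undef,    'insufficient_permission' ],   # no page access
);

for my $case (@cases) {
    my ( $user, $op, $expected ) = @$case;
    my $got = authorize_request( $user, $op );
    my $ok  = ( defined $got ? $got : '' ) eq ( defined $expected ? $expected : '' );
    printf "%-24s op=%-7s -> %-24s %s\n",
        ( join( ',', sort keys %{ $user->{cash_management} } ) || '(none)' ),
        ( defined $op ? $op : '(view)' ),
        ( defined $got ? $got : 'allowed' ),
        ( $ok ? 'OK' : 'MISMATCH' );
}
```

In a real script the undef/error-code return maps onto the output_and_exit call quoted in the comment above, placed before the op is dispatched.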

[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

Jonathan Druart <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Passed QA                   |Pushed to master
         Version(s)|                            |20.11.00
        released in|                            |


[Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023

--- Comment #14 from Jonathan Druart <[hidden email]> ---
Pushed to master for 20.11, thanks to everybody involved!
