follow-up to reports permissions patch

* Enforce the requirement that the user must have the
  create_reports permission in order to delete a saved report;
  closes hole where unprivileged user could delete reports
  by constructing a URL maliciously
* Added another tweak of the template - don't offer option
  to create a new report if the user doesn't have permission.

Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
index 320c851..c5868a0 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/reports/guided_reports_start.tmpl
@@ -134,7 +134,12 @@ canned reports and writing custom SQL reports.</p>
 <!-- /TMPL_LOOP -->
 </table>
 </form>
-<!-- TMPL_ELSE --><h4>There are no saved reports. <a href="/cgi-bin/koha/reports/guided_reports.pl?phase=Build%20new">Build new?</a></h4><!-- /TMPL_IF -->
+<!-- TMPL_ELSE --><h4>There are no saved reports. 
+    <!-- TMPL_IF name="CAN_user_reports_create_reports" -->
+        <a href="/cgi-bin/koha/reports/guided_reports.pl?phase=Build%20new">Build new?</a>
+    <!-- /TMPL_IF -->
+</h4>
+<!-- /TMPL_IF -->
 <!-- /TMPL_IF -->
 
 

diff --git a/reports/guided_reports.pl b/reports/guided_reports.pl
index f5139dd..4be4e79 100755 (executable)
--- a/reports/guided_reports.pl
+++ b/reports/guided_reports.pl
@@ -44,7 +44,7 @@ my $input = new CGI;
 
 my $phase = $input->param('phase');
 my $flagsrequired;
-if ( $phase eq 'Build new' ) {
+if ( $phase eq 'Build new' or $phase eq 'Delete Saved' ) {
     $flagsrequired = 'create_reports';
 }
 elsif ( $phase eq 'Use saved' ) {