* Enforce the requirement that the user must have the
create_reports permission in order to delete a saved report;
closes hole where unprivileged user could delete reports
by constructing a URL maliciously
* Added another tweak of the template - don't offer option
to create a new report if the user doesn't have permission.
Signed-off-by: Galen Charlton <gmcharlt@gmail.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
<!-- /TMPL_LOOP -->
</table>
</form>
-<!-- TMPL_ELSE --><h4>There are no saved reports. <a href="/cgi-bin/koha/reports/guided_reports.pl?phase=Build%20new">Build new?</a></h4><!-- /TMPL_IF -->
+<!-- TMPL_ELSE --><h4>There are no saved reports.
+ <!-- TMPL_IF name="CAN_user_reports_create_reports" -->
+ <a href="/cgi-bin/koha/reports/guided_reports.pl?phase=Build%20new">Build new?</a>
+ <!-- /TMPL_IF -->
+</h4>
+<!-- /TMPL_IF -->
<!-- /TMPL_IF -->
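Review bot: the new `<!-- TMPL_IF name="CAN_user_reports_create_reports" -->` guard only hides the "Build new?" link when that template variable is actually populated for this page; confirm the script that renders the "no saved reports" branch passes the user's flags into the template so the variable is defined there, otherwise the link will silently disappear for every user, including those who do hold `create_reports`. Note also that this is a UI convenience and not the access control: a user who already knows the `?phase=Build%20new` URL can still request it, so the permission must also be enforced server-side in guided_reports.pl (as the accompanying Perl change does for "Build new" and "Delete Saved"). Minor style point: the `<h4>` is now split over several lines while the `<!-- TMPL_ELSE -->` remains on the same line as the opening tag; moving the `<!-- TMPL_ELSE -->` to its own line would make the block easier to read.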
my $phase = $input->param('phase');
my $flagsrequired;
-if ( $phase eq 'Build new' ) {
+if ( $phase eq 'Build new' or $phase eq 'Delete Saved' ) {
$flagsrequired = 'create_reports';
}
elsif ( $phase eq 'Use saved' ) {
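Review bot: the fix relies on an exact string match, `$phase eq 'Delete Saved'`, so every place that submits a delete request must send precisely that value (same case, same spacing); any variant spelling falls through to the later `elsif` branches and is not covered by `create_reports`. Two things worth checking on the surrounding lines: `my $flagsrequired;` starts out undefined and there is no visible default, so a phase value that matches none of the branches ends up with no required flag at all, and it would be safer to initialise `$flagsrequired` to the most restrictive permission and only relax it for the phases that explicitly need less; and if `phase` is absent from the request, `$phase` is undef and the `eq` comparisons will warn under `use warnings`, so consider `my $phase = $input->param('phase') // '';` or an explicit check before the branch chain.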