https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22724
--- Comment #13 from Hayley Mapley <hayleymap...@catalyst.net.nz> ---
(In reply to Nick Clemens from comment #11)
> Hi Hayley,
>
> We need a server side check here for the permissions. With these patches I
> can inspect the element, add the write-off button to submit, and write off
> the charge
>
> This is probably true for payments as well. This will prevent 90% of the
> cases, but we should probably strictly enforce.
>
> You can git grep for haspermission to see some examples

The second patch that I added enforced removal of the submit button if the staff user managed to find a way to get to paycollect.tt to confirm the payment/writeoff (either through constructing a URL or adding the button somehow). If the user doesn't have the permissions, the button will not be there.

Is this button you talked about adding manually to the page? If this isn't your concern, I will look into the server side check you mentioned.

Thanks for looking at it!
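
The server-side enforcement requested in comment #11, sketched as an added example (not Koha code and not part of this thread). The permission table, has_permission and handle_paycollect are hypothetical stand-ins; the thread points to haspermission for the real lookup.

```perl
#!/usr/bin/perl
# Added illustration, not Koha code. %STAFF, %REQUIRED, has_permission and
# handle_paycollect are hypothetical stand-ins for the real permission lookup.
use strict;
use warnings;

# Constructed sample data: staff logins and the accounting sub-permissions they hold.
my %STAFF = (
    alice => { writeoff => 1, payment => 1 },
    bob   => { payment  => 1 },    # may take payments, may not write off
);

# Which sub-permission each submitted action requires.
my %REQUIRED = ( pay => 'payment', writeoff => 'writeoff' );

sub has_permission {
    my ( $user, $perm ) = @_;
    return ( $STAFF{$user} && $STAFF{$user}{$perm} ) ? 1 : 0;
}

# Server-side handler: the decision uses the session user and the requested
# action, never which buttons the rendered template happened to contain.
sub handle_paycollect {
    my ( $session_user, $params ) = @_;
    my $action = $params->{action} // '';
    my $needed = $REQUIRED{$action}
        or return { status => 400, body => 'unknown action' };
    return { status => 403, body => "missing permission: $needed" }
        unless has_permission( $session_user, $needed );
    return { status => 200, body => "$action recorded for line $params->{accountline}" };
}

# Constructed requests. The second is what the server receives when a user
# without the write-off permission puts the hidden button back and submits.
my @requests = (
    [ alice => { action => 'writeoff', accountline => 42 } ],
    [ bob   => { action => 'writeoff', accountline => 42 } ],
    [ bob   => { action => 'pay',      accountline => 42 } ],
);

for my $r (@requests) {
    my ( $user, $params ) = @$r;
    my $res = handle_paycollect( $user, $params );
    printf "%-5s %-8s -> %d %s\n", $user, $params->{action}, $res->{status}, $res->{body};
}
```

Hiding the button in the template stays useful as a UI measure, but only the 403 path in the handler decides whether the write-off happens.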