https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41819
--- Comment #9 from Martin Renvoize (ashimema) <[email protected]> ---

Created attachment 198755
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=198755&action=edit

Bug 41819: (follow-up) Reject 'AC' refunds for anonymous transactions server-side

The previous patch hides the 'Account credit' option in the refund modal when the accountline has no borrowernumber, but that is a UI convenience only. A crafted POST (or a stale page) could still submit refund_type=AC against an anonymous accountline, which would create a REFUND credit with no patron to attach it to and leave the register unbalanced because the payout branch is skipped.

Add a server-side guard in pos/register.pl that refuses the operation and surfaces a new error_refund_anonymous_ac flag, rendered in pos/register.tt in the same style as the other refund errors.

Test plan:
1. Apply the patch
2. Log in as a user with cash_management/anonymous_refund permission
3. Record an anonymous sale against a register
4. Using the browser devtools (or curl), POST to pos/register.pl with op=cud-refund, refund_type=AC and the accountline id of the sale
5. => Confirm the request is rejected and the "Account credit refunds are not available for anonymous transactions" message is shown
6. => Confirm no REFUND accountline was created and the register balance is unchanged
7. Repeat the POST with refund_type=CASH (or any non-AC type) and confirm the refund + payout are created normally

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
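The point of the follow-up is that hiding an option in the modal is not a control; only the server can enforce the rule. The model below is an added illustration of that principle and is not Koha code: it mirrors the UI-side filter, the server-side handler with and without the guard, and a balance check that shows why an anonymous 'AC' refund leaves the register unbalanced (a REFUND is recorded, but neither a payout nor a patron credit matches it). The `Accountline`/`Register` classes, the `CASH` type name, the `error_refund_not_found` flag and the form-dict shape are assumptions made for the example; only `refund_type=AC`, `op=cud-refund` and `error_refund_anonymous_ac` come from the bug comment.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed, simplified models of a POS accountline and a cash register.
@dataclass
class Accountline:
    accountlines_id: int
    amount: float
    borrowernumber: Optional[int] = None   # None models an anonymous sale

@dataclass
class Register:
    cash: float = 0.0                                   # cash in the drawer
    lines: dict = field(default_factory=dict)           # accountlines_id -> Accountline
    patron_credits: list = field(default_factory=list)  # (borrowernumber, amount)
    refunds: list = field(default_factory=list)         # (accountlines_id, refund_type, amount)

def record_sale(register, line):
    register.lines[line.accountlines_id] = line
    register.cash += line.amount

def refund_types_offered(line):
    """UI side: what the refund modal would list. Hypothetical type names."""
    offered = ["CASH"]
    if line.borrowernumber is not None:
        offered.append("AC")
    return offered

def handle_refund(register, form, guard=True):
    """Server side: process a POSTed refund form; return an error flag or None.

    guard=False reproduces the pre-fix behaviour so the two can be compared.
    The client-side filter above is never consulted here: the server must
    re-check the rule against what was actually submitted.
    """
    line = register.lines.get(int(form["accountlines_id"]))
    if line is None:
        return "error_refund_not_found"          # hypothetical flag
    refund_type = form["refund_type"]
    if guard and refund_type == "AC" and line.borrowernumber is None:
        return "error_refund_anonymous_ac"       # flag named in the bug comment
    register.refunds.append((line.accountlines_id, refund_type, line.amount))
    if refund_type == "AC":
        # Account credit: the money stays in the drawer and becomes a patron credit.
        register.patron_credits.append((line.borrowernumber, line.amount))
    else:
        register.cash -= line.amount             # payout branch
    return None

def register_balanced(register):
    """Every refund must be matched by a payout or by a credit attached to a real patron."""
    refunded = sum(a for _, _, a in register.refunds)
    paid_out = sum(a for _, t, a in register.refunds if t != "AC")
    credited = sum(a for b, a in register.patron_credits if b is not None)
    return abs(refunded - (paid_out + credited)) < 1e-9

def anonymous_ac_refund(guard):
    """Submit refund_type=AC against an anonymous sale; return (error, balanced, refunds, cash)."""
    reg = Register()
    record_sale(reg, Accountline(1, 10.0))      # anonymous: no borrowernumber
    assert "AC" not in refund_types_offered(reg.lines[1])   # UI hides it, yet the POST arrives
    form = {"op": "cud-refund", "accountlines_id": "1", "refund_type": "AC"}
    err = handle_refund(reg, form, guard=guard)
    return err, register_balanced(reg), len(reg.refunds), reg.cash

def anonymous_cash_refund():
    """The non-AC path is unaffected by the guard: refund plus payout, register stays balanced."""
    reg = Register()
    record_sale(reg, Accountline(1, 10.0))
    form = {"op": "cud-refund", "accountlines_id": "1", "refund_type": "CASH"}
    err = handle_refund(reg, form)
    return err, register_balanced(reg), len(reg.refunds), reg.cash

if __name__ == "__main__":
    print("without guard:", anonymous_ac_refund(guard=False))  # refund recorded, unbalanced
    print("with guard:   ", anonymous_ac_refund(guard=True))   # rejected, nothing recorded
    print("cash refund:  ", anonymous_cash_refund())
```

Running it shows the two outcomes the test plan asks you to confirm: with the guard the request is rejected, no refund line exists and the drawer still holds the sale amount; without it a refund is recorded with no payout and no patron to credit, and the register no longer balances.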
