Bug 35941: Limit club list to those from the logged in user

clubs-tab gets the patron's id from the parameter. At the OPAC we must
use the one from the logged-in user, to prevent leaking it to other users

Test plan:
Have 2 clubs: A, B
Enroll to A with patron borrowernumber=1
Enroll to B with patron borrowernumber=2
Log in with patron 1 and hit:
  http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1
=> OK
Now hit
  http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2
=> oops

Apply this patch, try again.
The "borrowernumber" parameter is no longer used to fetch the club list.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e51ef7ef76a4ee523b302d724d80118185030e60)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
Jonathan Druart 2024-01-30 14:53:03 +01:00 committed by Frédéric Demians
parent c8eaa99e40
commit 17ed4acb17
4 changed files with 10 additions and 17 deletions


@ -58,7 +58,7 @@
<td>[% c.name | html %]</td>
<td>[% c.description | html %]</td>
<td>
[% IF !c.club_template.is_email_required || ( c.club_template.is_email_required && borrower.first_valid_email_address ) %]
[% IF !c.club_template.is_email_required || ( c.club_template.is_email_required && patron.notice_email_address ) %]
<button class="btn btn-sm btn-primary load_enrollment" data-id="[% c.id | html%]">
<i class="fa fa-plus" aria-hidden="true"></i> Enroll
</button>
@ -76,7 +76,7 @@
<script>
function loadEnrollmentForm( id ) {
$("body").css("cursor", "progress");
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/enroll.pl?borrowernumber=[% borrower.borrowernumber | html %]&id=' + id, function() {
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/enroll.pl?borrowernumber=[% patron.borrowernumber | html %]&id=' + id, function() {
$("body").css("cursor", "default");
});
@ -91,7 +91,7 @@ function cancelEnrollment( id ) {
data: { id: id },
success: function( data ) {
if ( data.success ) {
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=[% borrower.borrowernumber | html %]', function() {
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=[% patron.borrowernumber | html %]', function() {
$("body").css("cursor", "default");
});
} else {
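Review bot: The rewritten `.load(...)` URLs in both hunks still append `borrowernumber=[% patron.borrowernumber | html %]` to enroll.pl and clubs-tab.pl, although the server side of this commit stops reading that parameter (enroll.pl drops `$cgi->param('borrowernumber')` and clubs-tab.pl resolves the patron from `$loggedinuser`). The parameter is now ignored, so it is harmless, but it keeps suggesting that the client picks the patron and it diverges from enroll.tt, which already dropped it (`clubs-tab.pl?id=[% club.id | html %]`). Suggest `'/cgi-bin/koha/clubs/enroll.pl?id=' + id` and `'/cgi-bin/koha/clubs/clubs-tab.pl'` so the URLs match what the scripts actually consume. The enclosing `loadEnrollmentForm` ends outside its hunk and `cancelEnrollment` begins before its hunk.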


@ -8,7 +8,6 @@
<form id="patron-enrollment-form">
<legend class="sr-only">Enrollment</legend>
<input type="hidden" name="id" value="[% club.id | html %]" />
<input type="hidden" name="borrowernumber" value="[% borrowernumber | html %]" />
<fieldset class="rows">
<ol>
[% FOREACH f IN club.club_template.club_template_enrollment_fields %]
@ -44,7 +43,7 @@ function addEnrollment() {
data: $( "#patron-enrollment-form" ).serialize(),
success: function( data ) {
if ( data.success ) {
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=[% borrowernumber | html %]&id=[% club.id | html %]', function() {
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/clubs-tab.pl?id=[% club.id | html %]', function() {
$("body").css("cursor", "default");
});
} else {
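Review bot: Removing the hidden `borrowernumber` input changes the payload that `$( "#patron-enrollment-form" ).serialize()` posts, and the endpoint receiving that form is not part of this diff; if it still reads a `borrowernumber` field it will now get nothing, so it should be confirmed to take the patron from the session, as clubs-tab.pl now does. A short template comment above the `<form>`, e.g. `[%# the patron is resolved from the logged-in session, never from a form field %]`, would record that intent for the next maintainer. The enclosing `addEnrollment` function begins before the second hunk.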


@ -35,17 +35,15 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
}
);
my $borrowernumber = $cgi->param('borrowernumber');
my $patron = Koha::Patrons->find( $loggedinuser );
my $borrower = Koha::Patrons->find($borrowernumber);
my @enrollments = $borrower->get_club_enrollments->as_list;
my @clubs = $borrower->get_enrollable_clubs( my $opac = 1 )->as_list;
my @enrollments = $patron->get_club_enrollments->as_list;
my @clubs = $patron->get_enrollable_clubs( my $opac = 1 )->as_list;
$template->param(
enrollments => \@enrollments,
clubs => \@clubs,
borrower => $borrower,
patron => $patron,
);
output_html_with_http_headers( $cgi, $cookie, $template->output, undef, { force_no_caching => 1 } );
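Review bot: `Koha::Patrons->find( $loggedinuser )` is dereferenced unconditionally on the following lines (`$patron->get_club_enrollments`, `$patron->get_enrollable_clubs`), so if this script can be reached without an authenticated session — the `get_template_and_user` options that decide that sit above the hunk — `$patron` is undef and the request dies with a method-on-undef error instead of a clean refusal. If anonymous access is possible, add a guard directly after the lookup, e.g. `die 'No logged-in patron' unless $patron;` or the redirect the other OPAC scripts use. Unrelated nit: `my $opac = 1` declared inside the argument list only acts as a label; a literal `1` with a trailing comment reads more clearly.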


@ -35,14 +35,10 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
}
);
my $id = $cgi->param('id');
my $borrowernumber = $cgi->param('borrowernumber');
my $club = Koha::Clubs->find($id);
my $id = $cgi->param('id');
$template->param(
club => $club,
borrowernumber => $borrowernumber,
club => Koha::Clubs->find($id),
);
output_html_with_http_headers( $cgi, $cookie, $template->output, undef, { force_no_caching => 1 } );
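Review bot: `club => Koha::Clubs->find($id)` hands undef to the template when the request's `id` matches no club, and enroll.tt then renders a form whose `club.id` and `club.club_template` fields are all empty rather than reporting the problem. Since `$id` remains request-controlled, keep the intermediate variable and check it here — `my $club = Koha::Clubs->find($id);` followed by a not-found exit before `$template->param` — so the failure is explicit instead of being absorbed by the template.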