Bug 35941: Limit club list to those from the logged in user
clubs-tab gets the patron's id from the parameter. At the OPAC we must use the one from the logged in user, to prevent leaking to other users Test plan: Have 2 clubs: A, B Enroll to A with patron borrowernumber=1 Enroll to B with patron borrowernumber=2 Log in with patron 1 and hit: http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1 => OK Now hit http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2 => oops Apply this patch, try again. The "borrowernumber" parameter is no longer used to fetch the club list. Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> (cherry picked from commit e51ef7ef76a4ee523b302d724d80118185030e60) Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
This commit is contained in:
parent
c8eaa99e40
commit
17ed4acb17
4 changed files with 10 additions and 17 deletions
@ -58,7 +58,7 @@
<td>[% c.name | html %]</td>
<td>[% c.description | html %]</td>
<td>
[% IF !c.club_template.is_email_required || ( c.club_template.is_email_required && borrower.first_valid_email_address ) %]
[% IF !c.club_template.is_email_required || ( c.club_template.is_email_required && patron.notice_email_address ) %]
<button class="btn btn-sm btn-primary load_enrollment" data-id="[% c.id | html%]">
<i class="fa fa-plus" aria-hidden="true"></i> Enroll
</button>
@ -76,7 +76,7 @@
<script>
function loadEnrollmentForm( id ) {
$("body").css("cursor", "progress");
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/enroll.pl?borrowernumber=[% borrower.borrowernumber | html %]&id=' + id, function() {
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/enroll.pl?borrowernumber=[% patron.borrowernumber | html %]&id=' + id, function() {
$("body").css("cursor", "default");
});
@ -91,7 +91,7 @@ function cancelEnrollment( id ) {
data: { id: id },
success: function( data ) {
if ( data.success ) {
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=[% borrower.borrowernumber | html %]', function() {
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=[% patron.borrowernumber | html %]', function() {
$("body").css("cursor", "default");
});
} else {
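Review bot: The rebuilt load() URLs still pass `borrowernumber=[% patron.borrowernumber | html %]` to enroll.pl (the @ -76 hunk) and to clubs-tab.pl (the @ -91 hunk), even though the two script hunks in this same commit stop reading that parameter; the value is now dead and keeps suggesting to a reader that the caller may pick the patron. Drop it so the templates match the enrollment template, which already reloads clubs-tab.pl without it: `'/cgi-bin/koha/clubs/enroll.pl?id=' + id` and `'/cgi-bin/koha/clubs/clubs-tab.pl'`. The enclosing functions loadEnrollmentForm and cancelEnrollment start and end outside the hunks, so I cannot see whether anything else in them depends on the parameter.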
@ -8,7 +8,6 @@
<form id="patron-enrollment-form">
<legend class="sr-only">Enrollment</legend>
<input type="hidden" name="id" value="[% club.id | html %]" />
<input type="hidden" name="borrowernumber" value="[% borrowernumber | html %]" />
<fieldset class="rows">
<ol>
[% FOREACH f IN club.club_template.club_template_enrollment_fields %]
@ -44,7 +43,7 @@ function addEnrollment() {
data: $( "#patron-enrollment-form" ).serialize(),
success: function( data ) {
if ( data.success ) {
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=[% borrowernumber | html %]&id=[% club.id | html %]', function() {
$('#opac-user-clubs').load('/cgi-bin/koha/clubs/clubs-tab.pl?id=[% club.id | html %]', function() {
$("body").css("cursor", "default");
});
} else {
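Review bot: Removing the hidden `borrowernumber` input changes what `$( "#patron-enrollment-form" ).serialize()` posts from addEnrollment(), but the endpoint that receives that POST is not among the four files in this commit and its URL is above the hunk; if that handler still identifies the patron from a `borrowernumber` parameter instead of the session, enrollment would now silently target no patron, so confirm it derives the patron from the logged-in user. A one-line template comment would record the intent for the next reader, e.g. `[%# No borrowernumber is sent: the server must enroll the logged-in patron (bug 35941) %]`. The reload URL in the second hunk also keeps an `id` parameter that the clubs-tab.pl hunk in this commit does not read; it looks harmless and can be dropped for consistency.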
@ -35,17 +35,15 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
}
);
my $borrowernumber = $cgi->param('borrowernumber');
my $patron = Koha::Patrons->find( $loggedinuser );
my $borrower = Koha::Patrons->find($borrowernumber);
my @enrollments = $borrower->get_club_enrollments->as_list;
my @clubs = $borrower->get_enrollable_clubs( my $opac = 1 )->as_list;
my @enrollments = $patron->get_club_enrollments->as_list;
my @clubs = $patron->get_enrollable_clubs( my $opac = 1 )->as_list;
$template->param(
enrollments => \@enrollments,
clubs => \@clubs,
borrower => $borrower,
patron => $patron,
);
output_html_with_http_headers( $cgi, $cookie, $template->output, undef, { force_no_caching => 1 } );
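Review bot: `Koha::Patrons->find( $loggedinuser )` is dereferenced unconditionally two lines later, so if this script can be reached without an authenticated session (that depends on the `authnotrequired` value in the get_template_and_user call, which starts above the hunk) `$patron` is undef and `$patron->get_club_enrollments` dies with a "Can't call method" error instead of a clean response; an explicit check on `$patron` before the two method calls would make that failure mode deliberate. Nothing in the new code says why the query string is ignored, which is the whole point of the fix, so a comment above the lookup would help, e.g. `# Always list clubs for the logged-in patron; any borrowernumber query parameter is deliberately ignored (bug 35941)`. The rewritten `$patron->get_enrollable_clubs( my $opac = 1 )` keeps the odd inline declaration from the old line; a plain `1` with a short comment, or a named variable declared on its own line, reads better.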
@ -36,13 +36,9 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
);
my $id = $cgi->param('id');
my $borrowernumber = $cgi->param('borrowernumber');
my $club = Koha::Clubs->find($id);
$template->param(
club => $club,
borrowernumber => $borrowernumber,
club => Koha::Clubs->find($id),
);
output_html_with_http_headers( $cgi, $cookie, $template->output, undef, { force_no_caching => 1 } );
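Review bot: The rewritten `club => Koha::Clubs->find($id),` is built straight from the unvalidated `id` query parameter; when the id is missing or unknown, `find` returns undef and the template is rendered with no club, so the enrollment form silently degrades instead of reporting an error (this was already true of the old `$club` variable, but the line is being rewritten here). Keeping the named lookup, `my $club = Koha::Clubs->find($id);`, and checking `$club` for undef before `$template->param` so the template can show an error would make the outcome explicit. Since the commit removes every trace of the request's borrowernumber without saying why, a comment would help the next reader, e.g. `# The borrowernumber query parameter is intentionally not read here (bug 35941)`.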