Bug 17316: Do not display the list's name if the user does not have permission - OPAC

At the OPAC, if a user manipulate the URL to show a list (s)he is not
allowed to view, the list's name will be displayed anyway.

Test plan:
- Create a private list with user A
- Copy the op=view URL and access it with user B logged in
=> Without this patch, you will see the rss icon, the list's name and
the "add list" button
=> Without this patch, only the "unauthorized" box will be displayed

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Katrin Fischer  <katrin.fischer@bsz-bw.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This commit is contained in:
Jonathan Druart 2016-09-20 09:55:25 +01:00 committed by Kyle M Hall
parent e422de7b62
commit 31ca4849ef
2 changed files with 2 additions and 1 deletions

View file

@ -153,7 +153,7 @@
</div>
[% END %]
[% IF op == 'view' %]
[% IF shelf AND op == 'view' %]
<h3>
[% shelf.shelfname |html %]
<a href="[% OPACBaseURL %]/cgi-bin/koha/opac-shelves.pl?rss=1&amp;op=view&amp;shelfnumber=[% shelf.shelfnumber %]" class="rss-list-link noprint">

View file

@ -339,6 +339,7 @@ if ( $op eq 'view' ) {
}
} else {
push @messages, { type => 'error', code => 'unauthorized_on_view' };
undef $shelf;
}
} else {
push @messages, { type => 'error', code => 'does_not_exist' };