Bug 8706 - Private lists can be accessed by anyone

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Confirmed private lists can be accessed directly before patch is
applied. After applying patch, I can no longer access the list
via the same url.

Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
3.10.x
Marcel de Rooy 12 years ago
committed by Paul Poulain
parent
commit
909953c507
2
C4/VirtualShelves.pm

@ -464,7 +464,7 @@ sub ShelfPossibleAction {
$sth->execute($user, $shelfnumber);
my $shelf= $sth->fetchrow_hashref;
return 0 unless $shelf && ($shelf->{category}==2 || $shelf->{owner}==$user || $shelf->{borrowernumber}==$user);
return 0 unless $shelf && ($shelf->{category}==2 || $shelf->{owner}==$user || ($user && $shelf->{borrowernumber}==$user));
if($action eq 'view') {
#already handled in the above condition
return 1;
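
Review bot: the added `$user &&` guard in the `return 0 unless ...` condition covers only the `borrowernumber` comparison, while `$shelf->{owner}==$user` is still evaluated when `$user` is empty or undefined. Perl's numeric `==` treats undef as 0, so a row whose owner is NULL or 0 would still match an anonymous caller. Consider putting both identity checks under the guard, for example `($user && ($shelf->{owner}==$user || $shelf->{borrowernumber}==$user))`, so that only the `category==2` branch can grant access without a logged-in user. A one-line comment explaining why the guard exists, and a regression test that calls ShelfPossibleAction with no user against a private list, would keep this from being reverted by a later cleanup.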
