Bug 14566: Fix permissions in patronimage.pl
There is no permission needed to access the patronimage.pl script. This means anybody cans access to the patron's images. Test plan: Add an image to borrowernumber 42 and call /cgi-bin/koha/members/patronimage.pl?borrowernumber=42 If you are logged in with borrowers permissions, you will see the image, otherwise you will get a blank page with a 403 header. Signed-off-by: Indranil Das Gupta (L2C2 Technologies) <indradg@gmail.com> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Tomas Cohen Arazi <tomascohen@unc.edu.ar>
This commit is contained in:
parent
16f382e7ec
commit
b35dd15a4a
1 changed files with 16 additions and 7 deletions
|
@ -20,17 +20,17 @@
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
|
||||||
use strict;
|
use Modern::Perl;
|
||||||
use warnings;
|
|
||||||
|
|
||||||
use CGI qw ( -utf8 ); #qw(:standard escapeHTML);
|
use CGI qw ( -utf8 );
|
||||||
|
use C4::Auth qw( check_api_auth );
|
||||||
use C4::Context;
|
use C4::Context;
|
||||||
use C4::Members;
|
use C4::Members;
|
||||||
|
|
||||||
$|=1;
|
$|=1;
|
||||||
|
|
||||||
my $DEBUG = 0;
|
my $DEBUG = 0;
|
||||||
my $data = new CGI;
|
my $query = new CGI;
|
||||||
my $borrowernumber;
|
my $borrowernumber;
|
||||||
|
|
||||||
=head1 NAME
|
=head1 NAME
|
||||||
|
@ -47,8 +47,17 @@ This script, when called from within HTML and passed a valid patron borrowernumb
|
||||||
|
|
||||||
=cut
|
=cut
|
||||||
|
|
||||||
if ($data->param('borrowernumber')) {
|
my ($status, $cookie, $sessionID) = check_api_auth($query, { borrowers => 1} );
|
||||||
$borrowernumber = $data->param('borrowernumber');
|
|
||||||
|
unless ( $status eq 'ok' ) {
|
||||||
|
print $query->header(-type => 'text/plain', -status => '403 Forbidden');
|
||||||
|
exit 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
if ($query->param('borrowernumber')) {
|
||||||
|
$borrowernumber = $query->param('borrowernumber');
|
||||||
} else {
|
} else {
|
||||||
$borrowernumber = shift;
|
$borrowernumber = shift;
|
||||||
}
|
}
|
||||||
|
@ -67,7 +76,7 @@ if ($dberror) {
|
||||||
# things will result... you have been warned!
|
# things will result... you have been warned!
|
||||||
|
|
||||||
if ($imagedata) {
|
if ($imagedata) {
|
||||||
print $data->header (-type => $imagedata->{'mimetype'}, -'Cache-Control' => 'no-store', -Content_Length => length ($imagedata->{'imagefile'})), $imagedata->{'imagefile'};
|
print $query->header (-type => $imagedata->{'mimetype'}, -'Cache-Control' => 'no-store', -Content_Length => length ($imagedata->{'imagefile'})), $imagedata->{'imagefile'};
|
||||||
exit;
|
exit;
|
||||||
} else {
|
} else {
|
||||||
warn "No image exists for $borrowernumber";
|
warn "No image exists for $borrowernumber";
|
||||||
|
|
Loading…
Reference in a new issue