From 0bb3edf936b6813dbbe1c12cac792ccc90d7f965 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Wed, 5 Jan 2022 15:56:24 +0100
Subject: [PATCH] Bug 29542: Prevent access to private list to non authorized
 users

The catalogue permission is not enough.

Test plan:
Create a private list owned by user A
Login with user B and hit (with XX the shelfid)
  /cgi-bin/koha/virtualshelves/sendshelf.pl?shelfid=XX

You should get an error message "You do not have sufficient permission
to continue."

Login with user A
=> You should be able to send the list

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
(cherry picked from commit 6ca49b550e54a0f1729c5d23838256a0e4542f91)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
---
 .../prog/en/modules/virtualshelves/sendshelfform.tt       | 1 +
 virtualshelves/sendshelf.pl                               | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
index ec399270bf..3325ef4330 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/virtualshelves/sendshelfform.tt
@@ -2,6 +2,7 @@
 [% INCLUDE 'doc-head-close.inc' %]
 </head>
 <body id="lists_sendshelfform" class="lists" style="padding: 1em;">
+[% INCLUDE 'blocking_errors.inc' %]
 <div class="container">[% IF ( email ) %]
 
     [% IF ( SENT ) %]
diff --git a/virtualshelves/sendshelf.pl b/virtualshelves/sendshelf.pl
index f15e2c9f64..2bfc49b339 100755
--- a/virtualshelves/sendshelf.pl
+++ b/virtualshelves/sendshelf.pl
@@ -33,7 +33,7 @@ use Koha::Virtualshelves;
 
 my $query = CGI->new;
 
-my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
+my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
     {
         template_name   => "virtualshelves/sendshelfform.tt",
         query           => $query,
@@ -45,7 +45,10 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 my $shelfid    = $query->param('shelfid');
 my $to_address = $query->param('email');
 
-my $dbh = C4::Context->dbh;
+my $shelf = Koha::Virtualshelves->find( $shelfid );
+
+output_and_exit( $query, $cookie, $template, 'insufficient_permission' )
+    if $shelf && !$shelf->can_be_viewed( $loggedinuser );
 
 if ($to_address) {
     my $comment = $query->param('comment');
@@ -59,7 +62,6 @@ if ($to_address) {
         }
     );
 
-    my $shelf = Koha::Virtualshelves->find( $shelfid );
     my $contents = $shelf->get_contents;
     my $marcflavour = C4::Context->preference('marcflavour');
     my $iso2709;
-- 
2.39.5