git.koha-community.org Git - koha.git/commit

Bug 35941: Limit club list to those from the logged in user

clubs-tab get the patron's id from the parameter. At the OPAC we must
use the one from the logged in user, to prevent leak to other users

Test plan:
Have 2 clubs: A, B
Enroll to A with patron borrowernumber=1
Enroll to B with patron borrowernumber=2
Log in with patron 1 and hit:
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1
=> OK
Now hit
http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2
=> oops

Apply this patch, try again.
The "borrowernumber" parameter is no longer used to fetch the club list.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>

author	Jonathan Druart <jonathan.druart@bugs.koha-community.org>
	Tue, 30 Jan 2024 13:53:03 +0000 (14:53 +0100)
committer	Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
	Wed, 27 Mar 2024 05:30:13 +0000 (05:30 +0000)
commit	bdd288e3c464683ede8b22e20b4359083ef81fd1
tree	e47a1c876400d1612c78ef57a1e6a75382427fd6	tree \| snapshot
parent	d7041a36cc62e739b5bdddffb2497337d9c5cdf3	commit \| diff

koha-tmpl/opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt		diff \| blob \| history
koha-tmpl/opac-tmpl/bootstrap/en/modules/clubs/enroll.tt		diff \| blob \| history
opac/clubs/clubs-tab.pl		diff \| blob \| history
opac/clubs/enroll.pl		diff \| blob \| history