From 2e7bbc6457c099c50ca31b35c52a1232f062a9a4 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Mon, 6 Dec 2021 13:58:25 +0100 Subject: [PATCH] Bug 29541: Prevent users from another group to access patron's images We should respect group restrictions here. Test plan: Create a patron from another group of libraries and don't let them access info from patrons outside of this group. Access the following link and confirm that you can see the image only for patrons from their group /cgi-bin/koha/members/patronimage.pl?borrowernumber=XX Signed-off-by: Katrin Fischer Signed-off-by: Tomas Cohen Arazi Signed-off-by: Victor Grousset/tuxayo --- members/patronimage.pl | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/members/patronimage.pl b/members/patronimage.pl index c2c3a093c6..81f5225cd6 100755 --- a/members/patronimage.pl +++ b/members/patronimage.pl @@ -25,8 +25,7 @@ use Modern::Perl; use CGI qw ( -utf8 ); use C4::Auth qw( check_api_auth ); use C4::Context; -use C4::Members; -use Koha::Patron::Images; +use Koha::Patrons; $|=1; @@ -55,8 +54,6 @@ unless ( $status eq 'ok' ) { exit 0; } - - if ($query->param('borrowernumber')) { $borrowernumber = $query->param('borrowernumber'); } else { @@ -64,9 +61,18 @@ if ($query->param('borrowernumber')) { } -warn "Borrowernumber passed in: $borrowernumber" if $DEBUG; + warn "Borrowernumber passed in: $borrowernumber" if $DEBUG; + +my $patron = Koha::Patrons->find( $borrowernumber ); +my $userenv = C4::Context->userenv; +my $logged_in_user = Koha::Patrons->find( $userenv->{number} ); + +unless ( $logged_in_user->can_see_patron_infos( $patron ) ) { + print $query->header(-type => 'text/plain', -status => '403 Forbidden'); + exit 0; +} -my $patron_image = Koha::Patron::Images->find($borrowernumber); +my $patron_image = $patron->image; # NOTE: Never dump the contents of $imagedata->{'patronimage'} via a warn to a log or nasty # things will result... you have been warned! -- 2.39.5