From f620fbe0d9ec8c4df258dd3a35b839b466479d52 Mon Sep 17 00:00:00 2001 From: Fridolin Somers Date: Tue, 11 Oct 2016 10:00:56 +0200 Subject: [PATCH] Bug 17423 - patronimage.pl permission is too restrictive MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Bug 14566 added the permission "borrowers" on patronimage.pl. This perm is too restrictive because circulation pages also uses this page. I propose to simply use "catalogue" perm. Test plan - Set an image to borrower xx - Create a user with only catalogue permission - Log with this user - Go to page (replace xx by borrower number) : /cgi-bin/koha/members/patronimage.pl?borrowernumber=xx => Without patch you get the page saying you do not have the permission => With patch you get the image - Log out and retest the page patronimage.pl => You get 403 error Signed-off-by: remy Signed-off-by: Jonathan Druart Signed-off-by: Brendan Gallagher (cherry picked from commit e78f81d615a79ad293d599c7395efcabd267662d) Signed-off-by: Frédéric Demians --- members/patronimage.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/members/patronimage.pl b/members/patronimage.pl index b833978a13..f3534c3df4 100755 --- a/members/patronimage.pl +++ b/members/patronimage.pl @@ -48,7 +48,7 @@ This script, when called from within HTML and passed a valid patron borrowernumb =cut -my ($status, $cookie, $sessionID) = check_api_auth($query, { borrowers => 1} ); +my ($status, $cookie, $sessionID) = check_api_auth($query, { catalogue => 1 } ); unless ( $status eq 'ok' ) { print $query->header(-type => 'text/plain', -status => '403 Forbidden'); -- 2.20.1
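Review bot: the POD immediately above this hunk (the "This script, when called from within HTML and passed a valid patron borrowernumb..." paragraph) still says nothing about which staff permission the script requires, so the switch from `borrowers => 1` to `catalogue => 1` leaves no in-file record of the access rule; suggest adding one sentence to that POD block along the lines of "Requires the catalogue permission (enforced via check_api_auth)." Worth stating explicitly in review as well that "catalogue" is granted to more staff accounts than "borrowers", so this change widens the set of users who can retrieve patron photos; the `unless ( $status eq 'ok' )` branch below the changed line is untouched and still returns the 403 for unauthenticated callers that the test plan's last step expects.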