From 7f50439cb2cf7d9a6d84e49eaf1cd8330b0995f0 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Mon, 22 Nov 2021 15:29:58 +0100
Subject: [PATCH] Bug 29541: Restrict access to patron's image to borrowers => * and circulate => *

The patron images is displayed on the 'circulation' and 'members' modules.

Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Fridolin Somers
---
 members/patronimage.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/members/patronimage.pl b/members/patronimage.pl
index da62b87553..c4a6e5eb40 100755
--- a/members/patronimage.pl
+++ b/members/patronimage.pl
@@ -47,7 +47,7 @@ This script, when called from within HTML and passed a valid patron borrowernumb
 
 =cut
 
-my ($status, $cookie, $sessionID) = check_api_auth($query, { catalogue => 1 } );
+my ($status, $cookie, $sessionID) = check_api_auth($query, [ { borrowers => '*' }, { circulate => '*' } ] );
 
 unless ( $status eq 'ok' ) {
     print $query->header(-type => 'text/plain', -status => '403 Forbidden');
-- 
2.39.5
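Review bot: The new flags on the `check_api_auth` line are still only a module-level gate: `'*'` is satisfied by any single subpermission under `borrowers` or `circulate`, and nothing in this hunk relates the caller to the patron whose image is requested. The script body continues outside the hunk, so this may already be handled there; if it is not, a staff account limited to its own library group could presumably still retrieve the image for any borrowernumber, and a per-patron visibility check before the image is emitted would close that. It would also help to record the intent next to the call, assuming the arrayref form means that any one entry is sufficient: `# Either permission is enough: the image is shown in the members and circulation modules`. A regression test asserting the 403 response for an account holding only `catalogue` would keep this restriction from being loosened again unnoticed.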