From 6ff6bcde0de58362e1086bd16b6e11a0eb95fcae Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Fri, 31 Aug 2012 11:48:51 +0200
Subject: [PATCH] Bug 8706 - Private lists can be accessed by anyone
Signed-off-by: Kyle M Hall Confirmed private lists can be accessed directly before patch is applied. After applying patch, I can no longer access the list via the same url.
Signed-off-by: Paul Poulain
Signed-off-by: Chris Cormack
---
 C4/VirtualShelves.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/C4/VirtualShelves.pm b/C4/VirtualShelves.pm
index 1a594f832b..4cda709f91 100644
--- a/C4/VirtualShelves.pm
+++ b/C4/VirtualShelves.pm
@@ -465,7 +465,7 @@ sub ShelfPossibleAction {
 $sth->execute($user, $shelfnumber);
 my $shelf= $sth->fetchrow_hashref;
- return 0 unless $shelf && ($shelf->{category}==2 || $shelf->{owner}==$user || $shelf->{borrowernumber}==$user);
+ return 0 unless $shelf && ($shelf->{category}==2 || $shelf->{owner}==$user || ($user && $shelf->{borrowernumber}==$user));
 if($action eq 'view') {
 #already handled in the above condition
 return 1;
--
2.39.5
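Review bot: The `$shelf->{owner}==$user` clause on the changed `return 0 unless` line is still evaluated when `$user` is undef or 0, and because numeric `==` treats undef as 0, a shelf row whose `owner` is NULL or 0 would still pass the check for an anonymous session, the same comparison the new `$user &&` guard closes for `borrowernumber`. Whether `owner` can ever be NULL is not visible in this hunk, so this needs confirming against the schema, but hoisting the guard covers both clauses at no cost: `return 0 unless $shelf && ($shelf->{category}==2 || ($user && ($shelf->{owner}==$user || $shelf->{borrowernumber}==$user)));`. The patch also carries no regression test; a case calling ShelfPossibleAction with an undefined user against a private shelf and expecting 0 would pin the fix. The body of ShelfPossibleAction starts and ends outside the hunk, so the query that populates `$shelf` could not be checked.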