From c141d203cb41d3cdfb36c8c716c3944b630ba7f3 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Mon, 22 Nov 2021 15:29:58 +0100
Subject: [PATCH] Bug 29541: Restrict access to patron's image to borrowers => * and circulate => *
The patron images is displayed on the 'circulation' and 'members' modules.
Signed-off-by: Katrin Fischer
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Victor Grousset/tuxayo
---
 members/patronimage.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/members/patronimage.pl b/members/patronimage.pl
index 42a82b9283..c2c3a093c6 100755
--- a/members/patronimage.pl
+++ b/members/patronimage.pl
@@ -48,7 +48,7 @@ This script, when called from within HTML and passed a valid patron borrowernumb
 =cut
-my ($status, $cookie, $sessionID) = check_api_auth($query, { catalogue => 1 } );
+my ($status, $cookie, $sessionID) = check_api_auth($query, [ { borrowers => '*' }, { circulate => '*' } ] );
 unless ( $status eq 'ok' ) {
 print $query->header(-type => 'text/plain', -status => '403 Forbidden');
-- 
2.39.5
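Review bot: The new check on the `check_api_auth` line is module-level only: any staff session holding some subpermission under `borrowers` or `circulate` passes, and nothing visible in this hunk ties the requested borrowernumber to the patrons that user is allowed to view. The script body continues outside the hunk, so a per-patron visibility check may already follow; if it does not, one belongs before the image is returned, because the borrowernumber comes straight from the request. The call also deserves a comment recording the intent, e.g. `# Patron images are shown in the members and circulation modules; a permission in either module is enough (arrayref presumably means any-of, confirm in check_api_auth)`.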