From 707c7a5eb4ff176b3bf7fa0494d7bf29464bdc89 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Mon, 6 Dec 2021 13:58:25 +0100
Subject: [PATCH] Bug 29541: Prevent users from another group to access
 patron's images

We should respect group restrictions here.

Test plan:
Create a patron from another group of libraries and don't let them
access info from patrons outside of this group.
Access the following link and confirm that you can see the image only
for patrons from their group
  /cgi-bin/koha/members/patronimage.pl?borrowernumber=XX

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
(cherry picked from commit 09cb5e02e6fad7b0dd3137d925646d714444a704)

Signed-off-by: Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz>
---
 members/patronimage.pl | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/members/patronimage.pl b/members/patronimage.pl
index 64f4ad6852..64c8f32ed2 100755
--- a/members/patronimage.pl
+++ b/members/patronimage.pl
@@ -25,8 +25,7 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
 use C4::Auth qw( check_api_auth );
 use C4::Context;
-use C4::Members;
-use Koha::Patron::Images;
+use Koha::Patrons;
 
 $|=1;
 
@@ -55,8 +54,6 @@ unless ( $status eq 'ok' ) {
     exit 0;
 }
 
-
-
 if ($query->param('borrowernumber')) {
     $borrowernumber = $query->param('borrowernumber');
 } else {
@@ -64,9 +61,18 @@ if ($query->param('borrowernumber')) {
 }
 
 
-warn "Borrowernumber passed in: $borrowernumber" if $DEBUG;
+    warn "Borrowernumber passed in: $borrowernumber" if $DEBUG;
+
+my $patron         = Koha::Patrons->find( $borrowernumber );
+my $userenv = C4::Context->userenv;
+my $logged_in_user = Koha::Patrons->find( $userenv->{number} );
+
+unless ( $logged_in_user->can_see_patron_infos( $patron ) ) {
+    print $query->header(-type => 'text/plain', -status => '403 Forbidden');
+    exit 0;
+}
 
-my $patron_image = Koha::Patron::Images->find($borrowernumber);
+my $patron_image = $patron->image;
 
 # NOTE: Never dump the contents of $imagedata->{'patronimage'} via a warn to a log or nasty
 # things will result... you have been warned!
-- 
2.39.5