From a824b400e0efe3152fdfd145cbe3f0a3c39d1134 Mon Sep 17 00:00:00 2001
From: Magnus Enger
Date: Tue, 9 May 2023 15:37:51 +0200
Subject: [PATCH] Bug 33702: Patrons should only see their own ILLs in the OPAC

To reproduce:
- Enable the ILL module
- Install the FreeForm backend as described here:
  https://wiki.koha-community.org/wiki/ILL_backends
- Go to the ILL module and add two different ILL requests by clicking on
  "New ILL request" and entering the necessary details.
- Make sure you connect the two requests to two *different* patrons in the
  field marked "Card number, username or surname"
- Make the two titles different, and make a note of which title is connected
  to which patron
- Log in as one of the two patrons who now have an ILL request each, in the OPAC
- Go to the "Interlibrary loan requests" tab
- Click on "View" for the request connected to this patron. The URL will look
  something like this:
  http:///cgi-bin/koha/opac-illrequests.pl?method=view&illrequest_id=2
- Now change the number at the end to correspond to the ILL request connected
  to the *other* patron
- Verify you can see the details of an ILL request connected to another patron
  than the patron you are logged in as

To test:
- Apply the patch
- Restart all the things if you are testing with ktd
- Reload the detail view of the ILL request that belongs to the patron you are
  not logged in as
- Verify you are redirected to the 404 page and can not see the details of the
  request that belongs to the patron you are not logged in as

Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy
Signed-off-by: Martin Renvoize
---
 opac/opac-illrequests.pl | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/opac/opac-illrequests.pl b/opac/opac-illrequests.pl
index e619707451..0219174cb7 100755
--- a/opac/opac-illrequests.pl
+++ b/opac/opac-illrequests.pl
@@ -75,6 +75,11 @@ if ( $op eq 'list' ) { borrowernumber => $loggedinuser, illrequest_id => $params->{illrequest_id} }); + # Make sure the request belongs to the logged in user + unless ( $request->borrowernumber == $loggedinuser ) { + print $query->redirect("/cgi-bin/koha/errors/404.pl"); + exit; + } $template->param( request => $request ); -- 2.39.5
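Review bot: the new ownership check in this hunk dies instead of redirecting when `$request` is undef, because `$request->borrowernumber` is called before anything confirms the lookup returned an object. A patron who edits the URL to an `illrequest_id` that does not exist would get a 500 from the method-call-on-undef error rather than the 404 this patch is aiming for, and that error path also leaks the difference between "no such request" and "not yours". Folding the existence test into the same condition keeps both outcomes identical: `unless ( $request && $request->borrowernumber == $loggedinuser ) {`. The unchanged context lines also show `borrowernumber => $loggedinuser` already being handed to the lookup next to `illrequest_id`; since the test plan demonstrates that this did not restrict the result, a one-line comment explaining why the explicit comparison is still needed would save the next reader from "simplifying" it away, and it is worth confirming that any other `$op` branch that loads a request from `$params->{illrequest_id}` carries the same check.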