From afcb9d027765be35cc476f7e48b514c576a8cea1 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Tue, 30 Jan 2024 14:53:03 +0100 Subject: [PATCH] Bug 35941: Limit club list to those from the logged in user clubs-tab get the patron's id from the parameter. At the OPAC we must use the one from the logged in user, to prevent leak to other users Test plan: Have 2 clubs: A, B Enroll to A with patron borrowernumber=1 Enroll to B with patron borrowernumber=2 Log in with patron 1 and hit: http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=1 => OK Now hit http://localhost:8080/cgi-bin/koha/clubs/clubs-tab.pl?borrowernumber=2 => oops Apply this patch, try again. The "borrowernumber" parameter is no longer used to fetch the club list. Signed-off-by: Kyle M Hall Signed-off-by: Martin Renvoize (cherry picked from commit e51ef7ef76a4ee523b302d724d80118185030e60) Signed-off-by: Fridolin Somers --- .../opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt | 6 +++--- .../opac-tmpl/bootstrap/en/modules/clubs/enroll.tt | 3 +-- opac/clubs/clubs-tab.pl | 10 ++++------ opac/clubs/enroll.pl | 8 ++------ 4 files changed, 10 insertions(+), 17 deletions(-) diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt index 25c1e0363b..818e74d3c6 100644 --- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt +++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/clubs/clubs-tab.tt @@ -58,7 +58,7 @@ [% c.name | html %] [% c.description | html %] - [% IF !c.club_template.is_email_required || ( c.club_template.is_email_required && borrower.notice_email_address ) %] + [% IF !c.club_template.is_email_required || ( c.club_template.is_email_required && patron.notice_email_address ) %] @@ -76,7 +76,7 @@
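Review bot: In the `@@ -58,7 +58,7 @@` hunk of clubs-tab.tt, the switch from `borrower.notice_email_address` to `patron.notice_email_address` is only safe if no other `borrower.` reference survives in this template. Template Toolkit renders an undefined variable as empty unless strict mode is on, so a missed reference would silently evaluate false and hide the enroll control instead of raising an error. The diffstat lists three changed lines for this file, so please grep the whole template (and enroll.tt) for leftover `borrower` uses. The condition itself is also redundant: `!c.club_template.is_email_required || ( c.club_template.is_email_required && patron.notice_email_address )` is equivalent to `!c.club_template.is_email_required || patron.notice_email_address`, which is easier to read. Finally, the test plan in the commit message is manual only. A regression test that requests clubs-tab.pl with another patron's `borrowernumber` and asserts that only the logged-in patron's clubs are returned would keep this leak from coming back.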