From 909953c507c65c129c4c44a63353bbe8a5c99319 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Fri, 31 Aug 2012 11:48:51 +0200
Subject: [PATCH] Bug 8706 - Private lists can be accessed by anyone
Signed-off-by: Kyle M Hall
Confirmed private lists can be accessed directly before patch is applied. After applying patch, I can no longer access the list via the same url.
Signed-off-by: Paul Poulain
---
 C4/VirtualShelves.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/C4/VirtualShelves.pm b/C4/VirtualShelves.pm
index 25d092af25..8c0b15e275 100644
--- a/C4/VirtualShelves.pm
+++ b/C4/VirtualShelves.pm
@@ -464,7 +464,7 @@ sub ShelfPossibleAction {
 $sth->execute($user, $shelfnumber);
 my $shelf= $sth->fetchrow_hashref;
- return 0 unless $shelf && ($shelf->{category}==2 || $shelf->{owner}==$user || $shelf->{borrowernumber}==$user);
+ return 0 unless $shelf && ($shelf->{category}==2 || $shelf->{owner}==$user || ($user && $shelf->{borrowernumber}==$user));
 if($action eq 'view') {
 #already handled in the above condition
 return 1;
--
2.39.5
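Review bot: The `$shelf->{owner}==$user` comparison on the changed `return 0 unless` line is still unguarded, so an undefined or zero `$user` compares numerically equal to an undef `owner`, just as it did for `borrowernumber` before this patch. Whether `owner` can be NULL is not visible here (the query and schema are outside the hunk), but if it can, an unauthenticated session would still pass this check for such a list. Hoisting the guard covers both comparisons: `return 0 unless $shelf && ($shelf->{category}==2 || ($user && ($shelf->{owner}==$user || $shelf->{borrowernumber}==$user)));`. A why-comment above the line would help the next reader, e.g. `# undef == undef is true numerically; never match an anonymous user against a NULL column`. ShelfPossibleAction starts and ends outside the hunk; a regression test that calls it with an undefined user on a private list would pin the behaviour.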