From 800494a5ef27ff3066843bf5f20d2064dd3de284 Mon Sep 17 00:00:00 2001
From: Nahuel ANGELINETTI <nahuel.angelinetti@biblibre.com>
Date: Thu, 24 Dec 2009 15:20:47 +0100
Subject: [PATCH] (bug #4004) disallow access for non-logged in users in opac

This doesn't define borrowernumber = 0 if a borrower is NOT logged.
We know borrowernumber 0 is mysqluser... So in virtualshelves, a non logged user have all permissions.
---
 C4/Auth.pm           | 3 ++-
 C4/VirtualShelves.pm | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index f0be27cb91..ea10d16816 100755
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -165,7 +165,8 @@ sub get_template_and_user {
 			$template->param(	bartotal		=> $total->{'bartotal'}, ) if ($total->{'bartotal'} > scalar (@$barshelves));
 		}
 
-        $borrowernumber = getborrowernumber($user);
+        $borrowernumber = getborrowernumber($user) if defined($user);
+
         my ( $borr ) = GetMemberDetails( $borrowernumber );
         my @bordat;
         $bordat[0] = $borr;
diff --git a/C4/VirtualShelves.pm b/C4/VirtualShelves.pm
index eda6840cbc..735087e1a6 100644
--- a/C4/VirtualShelves.pm
+++ b/C4/VirtualShelves.pm
@@ -476,6 +476,7 @@ sub ShelfPossibleAction {
     $sth->execute($shelfnumber);
     my ( $owner, $category ) = $sth->fetchrow;
 	my $borrower = GetMemberDetails($user);
+	return 0 if not defined($user);
 	return 1 if ( $category >= 3);							# open list
     return 1 if (($category >= 2) and
 				defined($action) and $action eq 'view');	# public list, anybody can view
-- 
2.39.5