From: Fridolin Somers
Date: Tue, 11 Oct 2016 08:00:56 +0000 (+0200)
Subject: Bug 17423 - patronimage.pl permission is too restrictive
X-Git-Tag: v16.11.00~399
X-Git-Url: http://koha-dev.rot13.org:8081/gitweb/?a=commitdiff_plain;h=e78f81d615a79ad293d599c7395efcabd267662d;p=koha_ffzg

Bug 17423 - patronimage.pl permission is too restrictive

Bug 14566 added the permission "borrowers" on patronimage.pl.
This perm is too restrictive because circulation pages also use this page.

I propose to simply use "catalogue" perm.

Test plan
- Set an image to borrower xx
- Create a user with only catalogue permission
- Log with this user
- Go to page (replace xx by borrower number) : /cgi-bin/koha/members/patronimage.pl?borrowernumber=xx
=> Without patch you get the page saying you do not have the permission
=> With patch you get the image
- Log out and retest the page patronimage.pl
=> You get 403 error

Signed-off-by: remy
Signed-off-by: Jonathan Druart
Signed-off-by: Brendan Gallagher
---
diff --git a/members/patronimage.pl b/members/patronimage.pl index b833978a13..f3534c3df4 100755 --- a/members/patronimage.pl +++ b/members/patronimage.pl @@ -48,7 +48,7 @@ This script, when called from within HTML and passed a valid patron borrowernumb =cut -my ($status, $cookie, $sessionID) = check_api_auth($query, { borrowers => 1} ); +my ($status, $cookie, $sessionID) = check_api_auth($query, { catalogue => 1 } ); unless ( $status eq 'ok' ) { print $query->header(-type => 'text/plain', -status => '403 Forbidden');
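
Review bot: In the changed check_api_auth call, { catalogue => 1 } relaxes the check further than the commit message justifies. The stated need is that circulation pages also load this script, but the test plan shows that an account holding only the catalogue permission can now retrieve the photo of any patron whose borrowernumber is passed in the query string. Patron photos are personal data, so I would rather gate this on a permission that matches the actual callers (the existing borrowers permission or the one the circulation pages already require) than on catalogue. If catalogue is kept deliberately, please add a comment above the call recording why the requirement from Bug 14566 was lowered, and extend the test plan with a case for a logged-in user who lacks the required permission, since only the logged-out 403 path is exercised.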