(bug #2811)[3.2] fix opac-renew.pl part

This patch only fix a "security" failure that permit a user to renew his loan using directly the opac-renew.pl url.
Now, we check that opacrenewalallowed is set to on to permit the renewal in opac.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Henri-Damien LAURENT <henridamien.laurent@biblibre.com>

diff --git a/opac/opac-renew.pl b/opac/opac-renew.pl
index 5eb9761..88bbacb 100755 (executable)
--- a/opac/opac-renew.pl
+++ b/opac/opac-renew.pl
@@ -22,10 +22,11 @@ my ( $template, $borrowernumber, $cookie ) = get_template_and_user(
 ); 
 my @items          = $query->param('item');
 my $borrowernumber = $query->param('borrowernumber') || $query->param('bornum');
+my $opacrenew = C4::Context->preference("OpacRenewalAllowed");
 
 for my $itemnumber ( @items ) {
     my ($status,$error) = CanBookBeRenewed( $borrowernumber, $itemnumber );
-    if ( $status == 1 ) {
+    if ( $status == 1 && $opacrenew == 1 ) {
         AddRenewal( $borrowernumber, $itemnumber );
     }
 }

diff --git a/opac/opac-user.pl b/opac/opac-user.pl
index e38ebc0..7d56b04 100755 (executable)
--- a/opac/opac-user.pl
+++ b/opac/opac-user.pl
@@ -127,7 +127,7 @@ foreach my $issue ( @issue_list ) {
     my ($status,$renewerror) = CanBookBeRenewed( $borrowernumber, $issue->{'itemnumber'} );
        ($issue->{'renewcount'},$issue->{'renewsallowed'},$issue->{'renewsleft'}) = GetRenewCount($borrowernumber, $issue->{'itemnumber'});
 
-    $issue->{'status'} = $status;
+    $issue->{'status'} = $status || C4::Context->preference("OpacRenewalAllowed");
 
     if ( $issue->{'overdue'} ) {
         push @overdues, $issue;