Bug 14566 added the permission "borrowers" on patronimage.pl.
This perm is too restrictive because circulation pages also uses this page.
I propose to simply use "catalogue" perm.
Test plan
- Set an image to borrower xx
- Create a user with only catalogue permission
- Log with this user
- Go to page (replace xx by borrower number) : /cgi-bin/koha/members/patronimage.pl?borrowernumber=xx
=> Without patch you get the page saying you do not have the permission
=> With patch you get the image
- Log out and retest the page patronimage.pl
=> You get 403 error
Signed-off-by: remy <remy.gonzalves@iepg.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
=cut
-my ($status, $cookie, $sessionID) = check_api_auth($query, { borrowers => 1} );
+my ($status, $cookie, $sessionID) = check_api_auth($query, { catalogue => 1 } );
unless ( $status eq 'ok' ) {
print $query->header(-type => 'text/plain', -status => '403 Forbidden');