Bug 17423 - patronimage.pl permission is too restrictive

Bug 14566 added the permission "borrowers" on patronimage.pl.
This perm is too restrictive because circulation pages also uses this page.

I propose to simply use "catalogue" perm.

Test plan
- Set an image to borrower xx
- Create a user with only catalogue permission
- Log with this user
- Go to page (replace xx by borrower number) : /cgi-bin/koha/members/patronimage.pl?borrowernumber=xx
=> Without patch you get the page saying you do not have the permission
=> With patch you get the image
- Log out and retest the page patronimage.pl
=> You get 403 error

Signed-off-by: remy <remy.gonzalves@iepg.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>

diff --git a/members/patronimage.pl b/members/patronimage.pl
index b833978..f3534c3 100755 (executable)
--- a/members/patronimage.pl
+++ b/members/patronimage.pl
@@ -48,7 +48,7 @@ This script, when called from within HTML and passed a valid patron borrowernumb
 
 =cut
 
-my ($status, $cookie, $sessionID) = check_api_auth($query, { borrowers => 1} );
+my ($status, $cookie, $sessionID) = check_api_auth($query, { catalogue => 1 } );
 
 unless ( $status eq 'ok' ) {
     print $query->header(-type => 'text/plain', -status => '403 Forbidden');