[Koha-bugs] [Bug 29275] Use the API to render checkout history for a biblio
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Nov 17 09:17:35 CET 2021
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29275
--- Comment #18 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
Sorry dude.. I love this improvement.. but I think we have a problem. The new
js equivalent to patron-name.inc is awesome and works great.. but it got me
looking at what patron-name.inc does and threw me into the rabbit hole looking
at how patrons get hidden from other branch staff in certain modes of
operation.
I can't see any handling, either in the js function or in the API response
builder, that would filter out patrons that the logged-in user should not be
able to see details for. I'm hopeful that I'm just missing something in the
API layer as I think that's where it should sit personally.. we shouldn't
expose the data at all if the user doesn't have permission to view it, rather
than hide it at the view stage. If that functionality is there, any chance you
could point me to the unit tests for it?
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list