[Koha-bugs] [Bug 35227] REST API: Restricted staff users can see patron info (not exposed via UI)

bugzilla-daemon at bugs.koha-community.org
Thu Nov 2 11:11:27 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35227

--- Comment #2 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
Testing with user acevedo, giving him label_creator and staff access. Fill a few
'sensitive' fields like address, date_of_birth, email, mobile, staff_notes.
Check results for /api/v1/patrons.
Acevedo received [partial output] for another patron (superlib):
    {
        "address": "Geheim adres",
        "cardnumber": "1",
        "category_id": "S",
        "check_previous_checkout": "inherit",
        "date_enrolled": "2023-11-02",
        "date_of_birth": "2000-11-01",
        "email": "secret at test.nl",
        "expiry_date": "2099-12-31",
        "firstname": "Koha",
        "lang": "default",
        "library_id": "MPL",
        "login_attempts": 0,
        "mobile": "p3",
        "patron_id": 1,
        "phone": "p1",
        "privacy": 1,
        "privacy_guarantor_checkouts": 0,
        "secondary_phone": "p2",
        "staff_notes": "circ_notes",
        "surname": "Admin",
        "updated_on": "2023-11-02T08:26:04+00:00",
        "userid": "koha.admin"
    },

How did the authorization go?
is_accessible => can_see_patron_infos => can_see_patrons_from =>
can_see_things_from + permission => 'borrowers', subpermission =>
'view_borrower_infos_from_any_libraries'.
can_see_things_from RETURNS 1 for own branch!
In contrast to the POD line: "Return true if the I<Koha::Patron> can perform
some action on the given thing."
=> The permission passed is only checked after
    if ( $self->branchcode eq $branchcode ) { $can = 1;

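A minimal, stand-alone model of the check order described in the comment above, added here as an example; it is hypothetical code, not Koha::Patron's implementation. The patron records, the 'flags' hash layout, the has_permission helper, the fixed variant of the check and the subpermission name edit_borrowers are all assumptions made for the illustration; only the names can_see_things_from, 'borrowers' and 'view_borrower_infos_from_any_libraries' come from the comment. The vulnerable variant reproduces the short-circuit on the own branch, so a staff user holding only label_creator and staff access is granted visibility of a same-branch patron without any 'borrowers' permission; the fixed variant requires the base module permission first and lets the subpermission only widen the scope to other libraries.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Test::More tests => 5;

# Constructed patron records for this example (not Koha data). 'flags' is a
# simplified model of a permission set: module => 1 grants every
# subpermission of that module; module => { sub => 1 } grants only those.
my %acevedo = (
    userid => 'acevedo', branchcode => 'MPL', superlibrarian => 0,
    flags  => { catalogue => 1, label_creator => 1 },   # staff login + labels, no 'borrowers' at all
);
my %clerk_mpl = (
    userid => 'clerk_mpl', branchcode => 'MPL', superlibrarian => 0,
    # 'borrowers' granted, but not the any-libraries subpermission (edit_borrowers: name assumed)
    flags  => { catalogue => 1, borrowers => { edit_borrowers => 1 } },
);
my %clerk_cpl = (
    userid => 'clerk_cpl', branchcode => 'CPL', superlibrarian => 0,
    flags  => { catalogue => 1,
                borrowers => { view_borrower_infos_from_any_libraries => 1 } },
);

# Records a listing such as GET /api/v1/patrons would iterate over (constructed).
my @patrons = (
    { patron_id => 1, userid => 'koha.admin', branchcode => 'MPL' },
    { patron_id => 2, userid => 'cpl.user',   branchcode => 'CPL' },
);

# Hypothetical permission lookup against the 'flags' model above.
sub has_permission {
    my ( $patron, $module, $sub ) = @_;
    my $grant = $patron->{flags}{$module};
    return 0 unless defined $grant;       # module never granted
    return 1 unless ref $grant;           # whole module granted
    return 1 unless defined $sub;         # caller only asked for the module
    return $grant->{$sub} ? 1 : 0;
}

# Check order as described in the comment: the own-branch comparison sets
# $can = 1 before $module/$sub are ever consulted, so a staff user without
# any 'borrowers' permission still passes for patrons of his own library.
sub can_see_things_from_vulnerable {
    my ( $self, $branchcode, $module, $sub ) = @_;
    return 1 if $self->{superlibrarian};
    my $can = 0;
    if ( $self->{branchcode} eq $branchcode ) {
        $can = 1;
    }
    elsif ( has_permission( $self, $module, $sub ) ) {
        $can = 1;
    }
    return $can;
}

# One way to fix it (an assumption, not the patch Koha shipped): require the
# base module permission before the branch comparison; the subpermission
# only widens visibility from the own branch to every library.
sub can_see_things_from_fixed {
    my ( $self, $branchcode, $module, $sub ) = @_;
    return 1 if $self->{superlibrarian};
    return 0 unless has_permission( $self, $module );
    return 1 if $self->{branchcode} eq $branchcode;
    return has_permission( $self, $module, $sub );
}

# Filter the patron list the way a listing endpoint would, with either check,
# and return the ids that get exposed as a comma-separated string.
sub visible_patron_ids {
    my ( $check, $requester, @records ) = @_;
    return join ',', map { $_->{patron_id} }
        grep { $check->( $requester, $_->{branchcode},
                         'borrowers', 'view_borrower_infos_from_any_libraries' ) } @records;
}

is( visible_patron_ids( \&can_see_things_from_vulnerable, \%acevedo, @patrons ), '1',
    'vulnerable: acevedo sees the MPL patron without any borrowers permission' );
is( visible_patron_ids( \&can_see_things_from_fixed, \%acevedo, @patrons ), '',
    'fixed: no borrowers permission, no patron records' );
is( visible_patron_ids( \&can_see_things_from_fixed, \%clerk_mpl, @patrons ), '1',
    'fixed: borrowers permission limits the clerk to the own branch' );
is( visible_patron_ids( \&can_see_things_from_fixed, \%clerk_cpl, @patrons ), '1,2',
    'fixed: any-libraries subpermission reaches both branches' );
is( visible_patron_ids( \&can_see_things_from_vulnerable, \%clerk_cpl, @patrons ), '1,2',
    'vulnerable: a legitimate grant still works' );
```

Run it with plain perl; Test::More ships with core Perl. The first assertion is the situation from the comment (patron_id 1 at MPL exposed to acevedo), the second shows the same request denied once the base permission is evaluated before the branch short-circuit, and the remaining three confirm that the reordering does not take anything away from users who actually hold 'borrowers' permissions.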