[Koha-bugs] [Bug 35227] REST API: Restricted staff users can see patron info (not exposed via UI)
bugzilla-daemon at bugs.koha-community.org
Thu Nov 2 11:11:27 CET 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35227
--- Comment #2 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
Testing with user acevedo giving him label_creator and staff access. Fill a few
'sensitive' fields like address, date_of_birth, email, mobile, staff_notes.
Check results for /api/v1/patrons
Acevedo received [partial output] for another patron (superlib):
{
"address": "Geheim adres",
"cardnumber": "1",
"category_id": "S",
"check_previous_checkout": "inherit",
"date_enrolled": "2023-11-02",
"date_of_birth": "2000-11-01",
"email": "secret at test.nl",
"expiry_date": "2099-12-31",
"firstname": "Koha",
"lang": "default",
"library_id": "MPL",
"login_attempts": 0,
"mobile": "p3",
"patron_id": 1,
"phone": "p1",
"privacy": 1,
"privacy_guarantor_checkouts": 0,
"secondary_phone": "p2",
"staff_notes": "circ_notes",
"surname": "Admin",
"updated_on": "2023-11-02T08:26:04+00:00",
"userid": "koha.admin"
},
How did the authorization go?
is_accessible => can_see_patron_infos => can_see_patrons_from =>
can_see_things_from + permission => 'borrowers', subpermission =>
'view_borrower_infos_from_any_libraries',
can_see_things_from RETURNS 1 for own branch!
In contrast to the POD line: Return true if the I<Koha::Patron> can perform
some action on the given thing
=> The permission passed is only checked after if ( $self->branchcode eq
$branchcode ) { $can = 1;