[Koha-bugs] [Bug 35227] REST API: Restricted staff users can see patron info (not exposed via UI)

bugzilla-daemon at bugs.koha-community.org
Thu Nov 2 11:12:04 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35227

--- Comment #3 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
What is the best way to move forward here? Some options to think about:

[1] Just removing label_creator, routing and order_manage from GET patrons is
probably too simple. We may need a list of patron IDs and a name for some of
these associated forms.
[2] Could we go via public_patrons.yaml somehow on those staff forms? It
sounds weird to do so for a staff form.
[3] Be stricter in can_see_things_from. Currently, the can = 1 for own branch
allows this to happen. But how to refine that check exactly? What would be the
impact on other calls?
Note: The following line on the set permissions forms is misleading:
"View patron infos from any libraries. If not set the logged in user could only
access patron infos from its own library or group of libraries.
(view_borrower_infos_from_any_libraries)"
This is not true. If you gave acevedo only the above-listed permissions, he is
not EVEN able to access his OWN account info on staff (but he can on OPAC). He
cannot see other accounts at all.
[4] Given that can_see_things_from should still return 1 when not touching that
sub, could we refine with something similar to unredact_list that we do now
only when is_accessible returns false? We feel the need here to provide some
columns for staff but not immediately all columns, say staff_read_list?

Your feedback is welcome.

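A sketch of option [4] as a field-level access decision, added here as an illustration and not Koha's own code: the full record is returned when the existing access check passes, otherwise only a staff_read_list subset for users holding one of the form permissions named in the comment, and nothing at all for everyone else. The `edit_borrowers` flag standing in for patron access, the sample patron and the column list are assumptions.

```python
# Hypothetical model of option [4]: staff with only form-level permissions
# get a reduced column set (staff_read_list) rather than the full patron.
# Written for this thread; not Koha's own code. Permission names other
# than the ones in the thread are assumptions.
from dataclasses import dataclass, field

# Constructed sample patron, roughly as GET /patrons might serialise it.
PATRON = {
    "patron_id": 42, "firstname": "Ana", "surname": "Acevedo",
    "library_id": "CPL", "email": "ana@example.org",
    "date_of_birth": "1990-01-01", "address": "1 Main St",
}

# Columns the associated staff forms need (assumed minimal set).
STAFF_READ_LIST = ("patron_id", "firstname", "surname", "library_id")

# Form-level flags named in the thread that justify the reduced view.
FORM_FLAGS = ("label_creator", "routing", "order_manage")


@dataclass
class Requester:
    library_id: str
    flags: set = field(default_factory=set)
    library_group: set = field(default_factory=set)  # branches in the user's group


def is_accessible(req: Requester, patron: dict) -> bool:
    """Full-record access: a patron permission ('edit_borrowers' assumed here)
    plus either the any-library flag or a branch/group match."""
    if "edit_borrowers" not in req.flags:
        return False
    if "view_borrower_infos_from_any_libraries" in req.flags:
        return True
    return patron["library_id"] == req.library_id or patron["library_id"] in req.library_group


def patron_view(req: Requester, patron: dict):
    """Return the full record, the staff_read_list subset, or None (deny)."""
    if is_accessible(req, patron):
        return dict(patron)
    if any(f in req.flags for f in FORM_FLAGS):
        return {k: patron[k] for k in STAFF_READ_LIST}
    return None
```

The deny branch is what a 403 from the REST API would map to; the subset branch is the behaviour the thread is asking whether to introduce.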