[Koha-bugs] [Bug 35228] REST API: Restricted staff users can see patron extended attributes (not exposed via UI)
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Nov 2 11:15:52 CET 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35228
--- Comment #1 from Marcel de Rooy <m.de.rooy at rijksmuseum.nl> ---
Look at the /patrons test in bug 35227.
Now first add a patron attribute like bank account number.
Now test with header x-koha-embed=extended_attributes
Now Henry also gets:
"extended_attributes": [
{
"extended_attribute_id": 589,
"type": "ACCTNO",
"value": "123456"
}
Why did he get those? We are protecting our embeds now, right?
to_api goes for the extended_attributes relation to _handle_to_api_child which
will call to_api again for Koha/Patron/Attribute.pm.
This module only has its own to_api_mapping, no more specific security there.
Sub is_accessible from Object just returns 1.
We need more protection for patron attributes.
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
More information about the Koha-bugs
mailing list