[Koha-bugs] [Bug 35227] REST API: Restricted staff users can see patron info (not exposed via UI)

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Nov 2 23:57:54 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35227

--- Comment #5 from David Cook <dcook at prosentient.com.au> ---
This is an interesting one.

Seems that the problem comes from bug 30055.

It looks like you can also hack the UI to show things like dateofbirth,
address, and phone:

http://localhost:8081/cgi-bin/koha/members/search.pl?columns=checkbox,address,dateofbirth,phone,cardnumber,name,category,branch,dateexpiry,borrowernotes,action&selection_type=add

koha-tmpl/intranet-tmpl/prog/en/includes/patron-search.inc enumerates the
options so in theory it could be controlled there.

But the different modules are using the same generic Perl search script so it
can't really lock it down.

We could re-create different Perl controllers for the different searches. They
can re-use the "members/search.tt" template to reduce code duplication.

However... that would only fix the UI problem I note above. It still doesn't
solve the issue Marcel notes.

I think that different REST API endpoints need to be used so that we can have
module by module authorizations.
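As an added illustration of the module-by-module control the comment is asking for (this is hypothetical code, not Koha's own): a shared search controller applies a per-module allowlist to the `columns` query parameter server-side, so a caller cannot widen the view beyond what its module exposes. The module names `circulation` and `members` and their column lists are assumptions; the column names come from the URL above.

```perl
#!/usr/bin/perl
# Hypothetical illustration, not Koha code: a shared patron search
# controller applies a per-module column allowlist to the incoming
# "columns=" query parameter. Module names and lists are assumptions.
use strict;
use warnings;

# Columns each calling module is permitted to render. Anything the UI
# never exposes for that module (e.g. dateofbirth for a circulation
# lookup) is simply absent from its list.
my %ALLOWED_COLUMNS = (
    circulation => [qw(checkbox cardnumber name category branch dateexpiry action)],
    members     => [qw(checkbox cardnumber name category branch dateexpiry
                       address dateofbirth phone borrowernotes action)],
);

# Split the raw parameter and partition it into allowed and rejected
# columns for the given module. Unknown modules are allowed nothing.
# Returns (\@allowed, \@rejected), preserving request order.
sub partition_columns {
    my ($module, $requested) = @_;
    my %ok = map { $_ => 1 } @{ $ALLOWED_COLUMNS{$module} || [] };
    my (@allowed, @rejected);
    for my $col (grep { length } split /,/, $requested // '') {
        if ($ok{$col}) { push @allowed, $col } else { push @rejected, $col }
    }
    return (\@allowed, \@rejected);
}

# Constructed request: the column list from the URL in the bug comment,
# sent to the circulation module.
my $requested = 'checkbox,address,dateofbirth,phone,cardnumber,name,'
              . 'category,branch,dateexpiry,borrowernotes,action';

my ($allowed, $rejected) = partition_columns('circulation', $requested);
print "rendered: ", join(',', @$allowed), "\n";
# A non-empty rejected list is worth logging: the caller asked for
# columns its module does not expose.
warn "rejected for circulation: ", join(',', @$rejected), "\n" if @$rejected;
```

The same partitioning would apply to a REST endpoint's field selection, which is the other half of the problem the comment raises.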
