[Koha-bugs] [Bug 35227] REST API: Restricted staff users can see patron info (not exposed via UI)

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Nov 3 00:09:48 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35227

--- Comment #6 from David Cook <dcook at prosentient.com.au> ---
I think sometimes we've been a bit too abstract in the design of the API, and
we don't really have a good authorization model for Koha anyway, so it's no
surprise that we have wound up in this situation.

--

Looking at the description of 'tools: "label_creator"' it says: "Create
printable labels and barcodes from catalog and patron data (label_creator)" so
maybe it's no surprise it has unlimited access to patron data...

But 'serials: "routing"' and 'acquisition: "order_manage"' don't mention
patrons at all in their permission descriptions.

From an API perspective, I think the end point should be something more like
"/patrons/search" and then you send it a search and your view is dependent on
your permissions.

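As an added illustration of the permission-dependent view proposed in the comment above (example code, not Koha's own; the permission-to-field mapping, the "borrowers.full_record" permission name and the sample patron records are assumptions made for this example):

```python
# Added example: a patron search whose response is projected to the fields the
# caller's permissions allow. Unknown or empty permission sets yield nothing,
# so a restricted staff user cannot receive the whole patron record by accident.

# Assumed mapping (not Koha's real one): the page only names these permissions,
# the field sets per permission are illustrative. "*" stands for the full record.
PERMISSION_FIELDS = {
    "borrowers.full_record": {"*"},                               # assumed name
    "tools.label_creator": {"cardnumber", "surname", "firstname", "branchcode"},
    "serials.routing": {"cardnumber", "surname", "firstname"},
    "acquisition.order_manage": {"cardnumber", "surname", "firstname"},
}

# Constructed sample records for the demonstration (not real data).
SAMPLE_PATRONS = [
    {"cardnumber": "P0001", "surname": "Doe", "firstname": "Jane",
     "branchcode": "CPL", "email": "jane@example.invalid",
     "address": "1 Sample St", "dateofbirth": "1980-01-01"},
    {"cardnumber": "P0002", "surname": "Roe", "firstname": "Rick",
     "branchcode": "MPL", "email": "rick@example.invalid",
     "address": "2 Sample Ave", "dateofbirth": "1975-06-15"},
]


def allowed_fields(permissions):
    """Union of the fields granted by the caller's permissions (allowlist)."""
    allowed = set()
    for perm in permissions:
        allowed |= PERMISSION_FIELDS.get(perm, set())
    return allowed


def patron_search(query, permissions, records=SAMPLE_PATRONS):
    """Search by surname prefix and return only the fields the caller may see.

    Raises PermissionError when no permission grants any patron field, which is
    the deny-by-default behaviour the abstract endpoints discussed above lack.
    """
    fields = allowed_fields(permissions)
    if not fields:
        raise PermissionError("no permission grants access to patron data")
    hits = [r for r in records if r["surname"].lower().startswith(query.lower())]
    if "*" in fields:
        return [dict(r) for r in hits]
    return [{k: v for k, v in r.items() if k in fields} for r in hits]
```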