[Koha-bugs] [Bug 29523] Add a way to prevent embedding objects that should not be allowed

bugzilla-daemon at bugs.koha-community.org
Mon Oct 23 18:38:42 CEST 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29523

--- Comment #163 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
Regarding permissions..

So long as your user does not have 'view_borrower_infos_from_any_libraries'
permission and they're not in a library group with other libraries and
permission to view users within the group.. said user should receive a redacted
copy of any user who resides in another library than their own when fetching
them from the API via a search or an embed. (I believe we still return a 404
should they try to retrieve such a borrower directly however..?)

So.. in short.. create a user (patron A) in one library with the catalogue
permission only.

Create some other patrons in other libraries. Test the API using patron A for
login and confirm that your other patrons are returned in a redacted form (with
most fields set to 'null' in the JSON response).

-- 
You are receiving this mail because:
You are watching all bug changes.
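
The check described in the comment above can be scripted; this is an added example, not code from the Koha project or from the commenter. It audits a saved patron-search response fetched as patron A, and it assumes the listed field names, that a redacted object keeps its `patron_id`, and that "most fields" means more than half; the sample response is constructed.

```python
import json

# Assumed field names for this example; adjust to what your Koha version returns.
SENSITIVE = ("surname", "firstname", "email", "phone", "address", "date_of_birth")

# Constructed sample of a patron search response as seen by patron A (not real Koha output).
SAMPLE_RESPONSE = json.dumps([
    {"patron_id": 1, "library_id": "CPL", "surname": "Tester", "firstname": "A",
     "email": "a@example.org", "phone": None, "address": None, "date_of_birth": None},
    {"patron_id": 2, "library_id": "MPL", "surname": None, "firstname": None,
     "email": None, "phone": None, "address": None, "date_of_birth": None},
    {"patron_id": 3, "library_id": "FPL", "surname": "Smith", "firstname": None,
     "email": "s@example.org", "phone": None, "address": None, "date_of_birth": None},
])


def audit_redaction(response_text, other_library_ids):
    """Classify each patron the tester created in another library.

    Returns {patron_id: (status, fields)} where status is:
      "redacted" - no sensitive field populated and more than half the fields null
      "leak"     - at least one sensitive field is populated (fields lists them)
      "review"   - nothing sensitive, but fewer nulls than expected
      "absent"   - the patron is not in the response at all
    """
    by_id = {p.get("patron_id"): p for p in json.loads(response_text)}
    report = {}
    for pid in sorted(other_library_ids):
        patron = by_id.get(pid)
        if patron is None:
            report[pid] = ("absent", [])
            continue
        leaked = [k for k in SENSITIVE if patron.get(k) is not None]
        populated = [k for k, v in patron.items()
                     if v is not None and k != "patron_id"]
        nulls = sum(1 for v in patron.values() if v is None)
        if leaked:
            report[pid] = ("leak", leaked)
        elif nulls * 2 > len(patron):
            report[pid] = ("redacted", populated)
        else:
            report[pid] = ("review", populated)
    return report


if __name__ == "__main__":
    # Patron ids 2, 3 and 4 stand for the patrons created in other libraries.
    for pid, (status, fields) in audit_redaction(SAMPLE_RESPONSE, {2, 3, 4}).items():
        print(pid, status, fields)
```

Any "leak" or "review" result names the fields that were still populated, which is what a regression report on the redaction behaviour needs.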

