https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40023 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au Status|Needs Signoff |In Discussion --- Comment #3 from David Cook <dcook@prosentient.com.au> --- At the moment the permission required for this endpoint is 'borrowers: "1"', but that's way too permissive. As per bug 36561, this means that any patron with any "borrowers" permission can use this endpoint. With that in mind, someone with "send_messages_to_borrowers" could use bug 40023 to get access to all the patron information, which would be a personal information breach. When I do lock down this endpoint more, then it would be an even bigger disclosure. -- I suppose you could check for edit_borrowers and list_borrowers and return a filtered/censored patron object response. But the idea for this API endpoint was to have a way for third-party systems to authenticate a user using only an ID and password. Very minimal trust and disclosure. While it might be convenient to embed the patron object in the response, that really should be a second API call. (Although I think the argument that if they have edit_borrowers/list_borrowers then maybe they could get an embedded response. That said, this current patch would bypass "view_borrower_infos_from_any_libraries" I believe.) -- You are receiving this mail because: You are watching all bug changes.