https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25947 --- Comment #14 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- The setstatus.pl script certainly needs attention too: Reading comments like: #script to set or lift debarred status No longer true? # Ideally we should display a warning on the interface if the logged in user is # not allowed to modify this patron. # But a librarian is not supposed to hack the system No longer true? The code contains: my ( $loggedinuserid ) = checkauth($input, 0, { borrowers => 'edit_borrowers' }, 'intranet'); ... $logged_in_user->can_see_patron_infos Includes: permission => 'borrowers', subpermission => 'view_borrower_infos_from_any_libraries', => Feels like it is enough. But personally I would rather see a specific permission for things like password, and locked status? Instead of using this script with a GET operation, it feels better to use our REST API and do a PUT/PATCH patron operation? -- You are receiving this mail because: You are watching all bug changes.