https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29523 Bug ID: 29523 Summary: Add a way to prevent embedding objects that should not be allowed Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: tomascohen@gmail.com A user can be allowed to see only patrons from its own library, for example. So fetching (through the API) all the current checkouts for a biblio and embedding the patron each checkout in the response, could violate this rule (this is the case on bug 29275). We need some mechanism to prevent this at a lower level so controller developers don't need to code for that, and also to avoid unintended leaks. Possible implementations will need to standardize things like the one used in bug 29506, which relies on the existence of ->search_limited to filter out forbidden results. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.