[Bug 35227] REST API: Restricted staff users can see patron info (not exposed via UI)
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35227 --- Comment #2 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Testing with user acevedo giving him label_creator and staff access. Fill few 'sensitive' fields like address, date_of_birth, email, mobile, staff_notes. Check results for /api/v1/patrons Acevedo received [partial output] for another patron (superlib): { "address": "Geheim adres", "cardnumber": "1", "category_id": "S", "check_previous_checkout": "inherit", "date_enrolled": "2023-11-02", "date_of_birth": "2000-11-01", "email": "secret@test.nl", "expiry_date": "2099-12-31", "firstname": "Koha", "lang": "default", "library_id": "MPL", "login_attempts": 0, "mobile": "p3", "patron_id": 1, "phone": "p1", "privacy": 1, "privacy_guarantor_checkouts": 0, "secondary_phone": "p2", "staff_notes": "circ_notes", "surname": "Admin", "updated_on": "2023-11-02T08:26:04+00:00", "userid": "koha.admin" }, How did the authorization go ? is_accessible => can_see_patron_infos => can_see_patrons_from => can_see_things_from + permission => 'borrowers', subpermission => 'view_borrower_infos_from_any_libraries', can_see_things_from RETURNS 1 for own branch ! In contrast to the POD line: Return true if the I<Koha::Patron> can perform some action on the given thing => The permission passed is only checked after if ( $self->branchcode eq $branchcode ) { $can = 1; -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org