[Bug 32502] New: Getting patrons/{patron_id} via REST API requires edit_borrowers permission
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Bug ID: 32502 Summary: Getting patrons/{patron_id} via REST API requires edit_borrowers permission Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: emmi.takkinen@koha-suomi.fi CC: tomascohen@gmail.com Staff without edit_borrowers permission can see patrons info in detail.pl or returns.pl, but not via REST API call GET patrons/{patron_id}. We should use permission view_borrower_infos_from_any_libraries here instead of edit_borrowers. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=29509 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 --- Comment #1 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Created attachment 144783 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144783&action=edit Bug 32502: Api call to patrons/{patron_id} permission change The API permissions for GET patrons/{patron_id} required staff to have edit_borrowers permission rather than view_borrower_infos_from_any_libraries. This has now been changed to allow staff to access patrons through the API. Test plan: 1) From a staff account that does not have edit_borrowers permission, make a request to patrons/{patron_id} 2) The request should be rejected 3) Apply patch 4) Repeat the request 5) The request should return the data for the patron requested -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |matt.blenkinsop@ptfs-europe | |.com Status|NEW |Needs Signoff Assignee|koha-bugs@lists.koha-commun |matt.blenkinsop@ptfs-europe |ity.org |.com -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Frédéric Demians <frederic@tamil.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #144783|0 |1 is obsolete| | --- Comment #2 from Frédéric Demians <frederic@tamil.fr> --- Created attachment 144845 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=144845&action=edit Bug 32502: Api call to patrons/{patron_id} permission change The API permissions for GET patrons/{patron_id} required staff to have edit_borrowers permission rather than view_borrower_infos_from_any_libraries. This has now been changed to allow staff to access patrons through the API. Test plan: 1) From a staff account that does not have edit_borrowers permission, make a request to patrons/{patron_id} 2) The request should be rejected 3) Apply patch 4) Repeat the request 5) The request should return the data for the patron requested Signed-off-by: Frédéric Demians <f.demians@tamil.fr> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Frédéric Demians <frederic@tamil.fr> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off CC| |frederic@tamil.fr -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #144845|0 |1 is obsolete| | --- Comment #3 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 146512 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=146512&action=edit Bug 32502: Api call to patrons/{patron_id} permission change The API permissions for GET patrons/{patron_id} required staff to have edit_borrowers permission rather than view_borrower_infos_from_any_libraries. This has now been changed to allow staff to access patrons through the API. Test plan: 1) From a staff account that does not have edit_borrowers permission, make a request to patrons/{patron_id} 2) The request should be rejected 3) Apply patch 4) Repeat the request 5) The request should return the data for the patron requested Signed-off-by: Frédéric Demians <f.demians@tamil.fr> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact| |kyle@bywatersolutions.com CC| |kyle@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |In Discussion --- Comment #4 from Tomás Cohen Arazi <tomascohen@gmail.com> --- I'm not sure I agree with this patch. Our permissions schema is obfuscated, but view_borrower_infos_from_any_libraries goes too far as well. We really need something like 'view_borrowers', and let Koha::Patrons->search_limited take care of which patrons can actually be seen. Something like: my $patron = Koha::Patrons->search_limited; unless ($patron) { # return 404 } return $patron->to_api; -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi from comment #4)
I'm not sure I agree with this patch.
Our permissions schema is obfuscated, but view_borrower_infos_from_any_libraries goes too far as well. We really need something like 'view_borrowers', and let Koha::Patrons->search_limited take care of which patrons can actually be seen.
+1 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com --- Comment #6 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- We have 'list_borrowers' now, that's the appropriate permission here -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |DUPLICATE Status|In Discussion |RESOLVED --- Comment #7 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Resolved by bug 30230 *** This bug has been marked as a duplicate of bug 30230 *** -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org