From 106f93931833b39b0ca6af2c44724e58463fc31c Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi
Date: Tue, 19 Nov 2019 13:16:16 -0300
Subject: [PATCH] Bug 23634: Secure the email on the API

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Marcel de Rooy
Signed-off-by: Aleisha Amohia
(cherry picked from commit 05b6ac7bc97a4d1ef4a4d1e4c41fe0b99de86aa8)
Signed-off-by: Victor Grousset/tuxayo
---
 Koha/REST/V1/Patrons.pm | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/Koha/REST/V1/Patrons.pm b/Koha/REST/V1/Patrons.pm
index 5e8e398eac..512d9dc4a5 100644
--- a/Koha/REST/V1/Patrons.pm
+++ b/Koha/REST/V1/Patrons.pm
@@ -194,7 +194,18 @@ sub update {
 }
 
 return try {
- my $body = _to_model($c->validation->param('body'));
+
+ my $body = $c->validation->param('body');
+ my $user = $c->stash('koha.user');
+
+ if ( $patron->is_superlibrarian and !$user->is_superlibrarian ) {
+ return $c->render(
+ status => 403,
+ openapi => { error => "Not enough privileges to change a superlibrarian's email" }
+ ) if $body->{email} ne $patron->email ;
+ }
+
+ $body = _to_model($c->validation->param('body'));
 $patron->set($body)->store;
 $patron->discard_changes;
-- 
2.39.5
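Review bot: The guard `) if $body->{email} ne $patron->email ;` compares two operands that can each be undef — a body with no `email` key, or a superlibrarian record whose email is unset — so under `use warnings` this line emits an uninitialized-value warning on every such request, while the decision it reaches (a missing body email still counts as a change when the patron has one) is left implicit. Normalising both sides, `) if ( $body->{email} // '' ) ne ( $patron->email // '' );`, yields the same 403 decision for those cases, drops the warning and the stray space before the semicolon, and makes the "absent means cleared" reading explicit. A smaller point: `$c->validation->param('body')` is fetched a second time on the last added line; `$body = _to_model($body);` reuses the copy already checked above. Note that only `email` is protected by this guard; whether other attributes of a superlibrarian deserve the same treatment is not something this hunk decides. The enclosing `update` begins before the hunk and continues past its last line.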