From 106f93931833b39b0ca6af2c44724e58463fc31c Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi <tomascohen@theke.io>
Date: Tue, 19 Nov 2019 13:16:16 -0300
Subject: [PATCH] Bug 23634: Secure the email on the API

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

(cherry picked from commit 05b6ac7bc97a4d1ef4a4d1e4c41fe0b99de86aa8)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
---
 Koha/REST/V1/Patrons.pm | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/Koha/REST/V1/Patrons.pm b/Koha/REST/V1/Patrons.pm
index 5e8e398eac..512d9dc4a5 100644
--- a/Koha/REST/V1/Patrons.pm
+++ b/Koha/REST/V1/Patrons.pm
@@ -194,7 +194,18 @@ sub update {
      }
 
     return try {
-        my $body = _to_model($c->validation->param('body'));
+
+        my $body = $c->validation->param('body');
+        my $user = $c->stash('koha.user');
+
+        if ( $patron->is_superlibrarian and !$user->is_superlibrarian ) {
+            return $c->render(
+                status  => 403,
+                openapi => { error => "Not enough privileges to change a superlibrarian's email" }
+            ) if $body->{email} ne $patron->email ;
+        }
+
+        $body = _to_model($c->validation->param('body'));
 
         $patron->set($body)->store;
         $patron->discard_changes;
-- 
2.39.5