From 9c63acbe0a585a8cbb354c4b88ee4056f194fcf5 Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Wed, 17 Nov 2021 16:36:11 -0300 Subject: [PATCH] Bug 29508: Make GET /patrons/:patron_id use Koha::Patrons->search_limited This patch makes the route return 404 if the user is not allowed to see the requested patron information. To test: 1. Apply the regression tests 2. Run: $ kshell k$ prove t/db_dependent/api/v1/patrons.t => FAIL: The code doesn't respect limits 3. Apply this patch 4. Repeat 2 => SUCCESS: Tests pass! 5. Sign off :-D Signed-off-by: Tomas Cohen Arazi Signed-off-by: Martin Renvoize Signed-off-by: Nick Clemens Signed-off-by: Fridolin Somers Signed-off-by: Kyle M Hall (cherry picked from commit 5ee42b6b6031472dc6637d1f22b53815ecb96121) Signed-off-by: Andrew Fuerste-Henry --- Koha/REST/V1/Patrons.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Koha/REST/V1/Patrons.pm b/Koha/REST/V1/Patrons.pm index 663f092aee..6d5b1fe235 100644 --- a/Koha/REST/V1/Patrons.pm +++ b/Koha/REST/V1/Patrons.pm @@ -74,7 +74,7 @@ sub get { return try { my $patron_id = $c->validation->param('patron_id'); - my $patron = $c->objects->find( Koha::Patrons->new, $patron_id ); + my $patron = $c->objects->find( scalar Koha::Patrons->search_limited, $patron_id ); unless ($patron) { return $c->render( -- 2.39.5