https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29275
--- Comment #18 from Martin Renvoize <[email protected]> --- Sorry dude.. I love this improvement.. but I think we have a problem. The new js equivalent to patron-name.inc is awesome and works great.. but it got me looking at what patron-name.inc does and threw me into the rabbit hole looking at how patrons get hidden from other branch staff in certain modes of operation. I can't see any handling, either in the js function or in the API response builder, that would filter out patrons that the logged-in user should not be able to see details for. I'm hopeful that I'm just missing something in the API layer as I think that's where it should sit personally.. we shouldn't expose the data at all if the user doesn't have permission to view it, rather than hide it at the view stage. If that functionality is there, any chance you could point me to the unit tests for it? -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
