https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35228
--- Comment #1 from Marcel de Rooy <[email protected]> ---

Look at the /patrons test in bug 35227. Now first add a patron attribute like bank account number. Now test with header x-koha-embed=extended_attributes. Now Henry also gets:

    "extended_attributes": [ { "extended_attribute_id": 589, "type": "ACCTNO", "value": "123456" }

Why did he get those? We are protecting our embeds now, right?

to_api goes for the extended_attributes relation to _handle_to_api_child, which will call to_api again for Koha/Patron/Attribute.pm. This module only has its own to_api_mapping, no more specific security there. Sub is_accessible from Object just returns 1.

We need more protection for patron attributes.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
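The mechanism the comment describes, modelled as an added example (this is not Koha code and not the patch for this bug; the `Patron`, `PatronAttribute`, `User` classes, the per-attribute library limitation and the sample data are all constructed for illustration): a `to_api` that walks embedded relations checks the top-level object, but if the child class inherits a base `is_accessible` that always answers true, the embed silently carries data past the parent's protection. The guarded form gives the child its own `is_accessible` that delegates to the owning patron and then applies the child's own rule, and the embed handler actually consults it.

```python
"""
Modelled pattern: a serialiser that walks embedded relations must re-apply
an access check on every child object, because a permissive default
(is_accessible always true) on the child class lifts whatever protection
the parent had.  Classes, rules and data are a constructed illustration,
not Koha's Koha::Patron / Koha::Patron::Attribute.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


class Forbidden(Exception):
    """Raised when the requesting user may not see the top-level object."""


@dataclass
class User:
    userid: str
    library: str
    superlibrarian: bool = False


@dataclass
class PatronAttribute:
    extended_attribute_id: int
    type: str
    value: str
    # Assumed rule for the example: an attribute type may be limited to a set of
    # libraries; an empty set means "visible wherever the patron is visible".
    allowed_libraries: FrozenSet[str] = frozenset()
    patron: Optional["Patron"] = field(default=None, repr=False, compare=False)

    def to_api_mapping(self) -> dict:
        return {"extended_attribute_id": self.extended_attribute_id,
                "type": self.type, "value": self.value}

    def is_accessible_default(self, user: User) -> bool:
        # The gap the comment describes: a base-class default that answers yes.
        return True

    def is_accessible(self, user: User) -> bool:
        # Guarded form: visible only if the owning patron is visible AND the
        # type's own library limitation admits this user.
        if self.patron is None or not self.patron.is_accessible(user):
            return False
        return (user.superlibrarian or not self.allowed_libraries
                or user.library in self.allowed_libraries)


@dataclass
class Patron:
    patron_id: int
    library: str
    extended_attributes: List[PatronAttribute] = field(default_factory=list)

    def __post_init__(self) -> None:
        for attr in self.extended_attributes:
            attr.patron = self  # back-reference so a child can ask its owner

    def to_api_mapping(self) -> dict:
        return {"patron_id": self.patron_id, "library_id": self.library}

    def is_accessible(self, user: User) -> bool:
        return user.superlibrarian or user.library == self.library


def to_api(obj, user: User, embed=(), guard_children: bool = True) -> dict:
    """Serialise obj for user, embedding the named relations.

    The top-level object is checked first.  Each embedded child is then checked
    with its own is_accessible (guard_children=True) or with the permissive
    default (guard_children=False) to show the difference.  Children failing
    the check are dropped rather than failing the whole response.
    """
    if not obj.is_accessible(user):
        raise Forbidden(f"{user.userid} may not see {obj.__class__.__name__} "
                        f"{obj.to_api_mapping()}")
    out = obj.to_api_mapping()
    for relation in embed:
        check_name = "is_accessible" if guard_children else "is_accessible_default"
        out[relation] = [
            child.to_api_mapping()
            for child in getattr(obj, relation)
            if getattr(child, check_name)(user)
        ]
    return out


def sample_patron() -> Patron:
    """Constructed data: one patron with a library-limited bank account attribute."""
    return Patron(1, "CPL", [
        PatronAttribute(589, "ACCTNO", "123456", allowed_libraries=frozenset({"HQ"})),
        PatronAttribute(590, "SHOW_ID", "staff badge", allowed_libraries=frozenset()),
    ])


def visible_attribute_types(user: User, guard_children: bool) -> List[str]:
    """Attribute types the user receives from the embed, with or without the guard."""
    api = to_api(sample_patron(), user, embed=("extended_attributes",),
                 guard_children=guard_children)
    return [a["type"] for a in api["extended_attributes"]]


if __name__ == "__main__":
    henry = User("henry", "CPL")
    print("unguarded:", visible_attribute_types(henry, guard_children=False))
    print("guarded:  ", visible_attribute_types(henry, guard_children=True))
```

Running the module shows Henry (staff at the patron's own library) receiving the ACCTNO attribute only in the unguarded path; with the child check in place it is dropped while the unrestricted attribute still comes through, and a user from another library is refused at the top level before any embed is walked. Dropping inaccessible children rather than failing the whole response is a design choice for list embeds; the important invariant is that the child class, not the base default, decides.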
