Protect patron data behind a staff login permission

Signed-off-by: Mike Rylander <mrylander@gmail.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm
index dd9fef5..caa415a 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm
@@ -75,6 +75,10 @@ sub fetch_appointments { # returns appointment for user at location
 
     return new OpenILS::Event("BAD_PARAMS", "desc" => "No user ID supplied") unless $usr;
 
+    unless ($usr == $e->requestor->id) {
+        return $e->die_event unless $e->allowed("STAFF_LOGIN");
+    }
+
     my $slots = $e->search_action_curbside([{
         patron    => $usr,
         delivered => { '=' => undef },