From: Mike Rylander Date: Wed, 3 Jun 2020 14:08:35 +0000 (-0400) Subject: Protect patron data behind a staff login permission X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=379f4e03b3eff4b4c392a9d89779f07dfcc00ae4;p=working%2FEvergreen.git Protect patron data behind a staff login permission Signed-off-by: Mike Rylander
---
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm
index dd9fef56ee..caa415a0a4 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm
@@ -75,6 +75,10 @@ sub fetch_appointments { # returns appointment for user at location return new OpenILS::Event("BAD_PARAMS", "desc" => "No user ID supplied") unless $usr; + unless ($usr == $e->requestor->id) { + return $e->die_event unless $e->allowed("STAFF_LOGIN"); + } + my $slots = $e->search_action_curbside([{ patron => $usr, delivered => { '=' => undef },
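Review bot: The added `$e->allowed("STAFF_LOGIN")` call in fetch_appointments passes no org unit, so the check is evaluated at whatever location the editor defaults to, not at the location whose appointments are being returned; as written, any requestor who holds STAFF_LOGIN there appears able to read another patron's pending curbside appointments at every library. If that breadth is not intended, scope the check to the requested location, e.g. `return $e->die_event unless $e->allowed("STAFF_LOGIN", $location_org);`, where `$location_org` is a placeholder for the function's location argument, whose name is outside this hunk. A login permission is also a coarse gate for patron data, so it is worth confirming that no patron-view permission fits better here. A comment above the block such as `# Patrons may fetch their own appointments; any other requestor must hold STAFF_LOGIN` would record the intent. fetch_appointments starts before and continues past this hunk, so the remainder of the body was not reviewed.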