From 379f4e03b3eff4b4c392a9d89779f07dfcc00ae4 Mon Sep 17 00:00:00 2001
From: Mike Rylander
Date: Wed, 3 Jun 2020 10:08:35 -0400
Subject: [PATCH] Protect patron data behind a staff login permission

Signed-off-by: Mike Rylander
---
 Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm
index dd9fef56ee..caa415a0a4 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Curbside.pm
@@ -75,6 +75,10 @@ sub fetch_appointments { # returns appointment for user at location
 return new OpenILS::Event("BAD_PARAMS", "desc" => "No user ID supplied") unless $usr;
+ unless ($usr == $e->requestor->id) {
+ return $e->die_event unless $e->allowed("STAFF_LOGIN");
+ }
+
 my $slots = $e->search_action_curbside([{
 patron => $usr,
 delivered => { '=' => undef },
-- 
2.11.0
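Review bot: The ownership test `$usr == $e->requestor->id` numifies whatever the caller supplied as `$usr`, while the search below passes the raw value as `patron => $usr`, so the value that satisfies the check and the value that is queried are not guaranteed to be the same. The only earlier validation visible in the hunk is the truthiness test `unless $usr`; I would reject anything that is not a plain integer before the comparison, e.g. `return new OpenILS::Event("BAD_PARAMS", "desc" => "Invalid user ID") unless $usr =~ /\A\d+\z/;`. It is also worth confirming which org unit `$e->allowed("STAFF_LOGIN")` is evaluated against when no org argument is passed, since the function is described as returning appointments "at location". A one-line comment above the guard, such as `# Patrons may read only their own appointments; anyone else needs STAFF_LOGIN`, would record the policy for the next maintainer. The body of fetch_appointments starts and ends outside this hunk, so checks not shown here may already cover part of this.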