Comment 2 for bug 1206589

Jason Stephenson (jstephenson) wrote :

The collab/dyrcona/lp1206589-quick-fix branch in the security repo adds a retrieve permission of STAFF_LOGIN to the coustl IDL entry, and it fixes a bug with the primary key entry that I noticed while looking into this.

After adding the STAFF_LOGIN permission and testing a proof of concept with my wife's account, I got this error message, which seemed to leak information to the user: "open-ils.pcrud: no object found with primary key date_applied of 2015-02-19T09:02:12-0500". Looking into that showed that the primary field in the IDL needed to change to id. Doing that resolved the strange error.

I chose STAFF_LOGIN even though it does not resolve Jason's initial problem. STAFF_LOGIN at a minimum requires a user to be able to log in as staff in order to exploit this. That leaves us pretty much where the initial bug report assumes we were, with settings exposed only to unauthorized staff. If someone has a better idea for a permission to use, feel free to change it.

This also needs a good write-up for the security releases this week, with people urged to upgrade. This one may be harder to patch accurately, as sites are known to customize their IDL.

My next comment will contain my thoughts on a longer term fix for the LSE history feature's issues.
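For readers unfamiliar with how the two changes above look in the IDL, here is a constructed fm_IDL.xml-style excerpt (added here, not code from the branch or the Evergreen project). The class id "coustl", the field names "id" and "date_applied", and the STAFF_LOGIN permission come from the comment; the fieldmapper, tablename and label values are assumptions, and the field list is trimmed to the two fields the comment mentions.

```xml
<!-- Constructed example; fieldmapper/tablename/label values are assumed. -->
<class id="coustl" controller="open-ils.cstore open-ils.pcrud"
       oils_obj:fieldmapper="config::usr_setting_type_log"
       oils_persist:tablename="config.usr_setting_type_log"
       reporter:label="User Setting Type Log">
  <!-- Before the fix the primary key pointed at date_applied, so pcrud keyed
       its lookup on the timestamp column and echoed that value back in its
       "no object found with primary key date_applied of ..." error. -->
  <!-- <fields oils_persist:primary="date_applied"> -->
  <fields oils_persist:primary="id">
    <field name="id" reporter:datatype="id"/>
    <field name="date_applied" reporter:datatype="timestamp"/>
  </fields>
  <permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
    <actions>
      <!-- The quick-fix branch's change: retrieve through pcrud now requires
           the caller to hold STAFF_LOGIN, i.e. to be logged in as staff. -->
      <retrieve permission="STAFF_LOGIN"/>
    </actions>
  </permacrud>
</class>
```

Sites that carry a customized fm_IDL.xml should diff their local coustl entry against this shape rather than copying it, since the real class declares more fields than shown here.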