Patron account can be retrieved without opt-in
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Evergreen | Fix Released | Undecided | Unassigned | |
| 2.12 | Fix Released | Undecided | Unassigned | |
Bug Description
In the web client in Evergreen 2.12 (and presumably earlier versions), there is an opt-in check during patron barcode search, which prevents the patron record from being retrieved unless the patron is opted in. However, there are other ways to retrieve the patron record without an opt-in check -- for example, via item circ history. The web client should enforce an opt-in check whenever the patron record is retrieved, not just via barcode search.
My first thought is to enforce an opt-in check/dialog whenever a route beginning with 'circ/patron/:id' is accessed, but I don't know Angular well enough yet to know if that's a good approach.
The XUL client has the same issue. We have some local fixes for that which I can share, if desired.
I'm flagging this as a Private Security bug as a precaution, but I'd prefer for this to be public.
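A route-level guard of the kind the report suggests, as an added example that is neither Evergreen's own code nor the fix that was released; the org-scope/opt-in model, the AngularJS module and service names, and the sample org and patron ids are assumptions:

```javascript
// Added example (not Evergreen's code): one route-level opt-in guard so that
// every circ/patron/:id/... route is checked, not only the barcode-search path.

// Recognise any route under circ/patron/<numeric id> and return the patron id,
// or null for routes that carry no patron record and need no opt-in check.
var PATRON_ROUTE = /^\/?circ\/patron\/(\d+)(?:\/|$)/;

function patronIdFromRoute(path) {
  var m = PATRON_ROUTE.exec(path || '');
  return m ? Number(m[1]) : null;
}

// Assumed model: a patron is visible without opting in when the patron's home org
// is inside the staff member's working scope; otherwise the patron must have opted in.
function patronAccessDecision(patron, staffOrg, orgScope) {
  if (orgScope.has(patron.homeOrg)) return 'allow';  // local patron
  if (patron.optIns.has(staffOrg)) return 'allow';   // opted in to this org
  return 'prompt';                                   // show the opt-in dialog
}

// Guard for every route change: 'skip' (no patron on route), 'allow', or 'prompt'.
function guardPatronRoute(path, staffOrg, orgScope, lookup) {
  var id = patronIdFromRoute(path);
  if (id === null) return 'skip';
  var patron = lookup(id);
  return patron ? patronAccessDecision(patron, staffOrg, orgScope) : 'prompt'; // fail closed
}

// Constructed sample data: staff work at org 2 (scope {2, 3}); patron 101 is local,
// patron 202 is from org 7 and opted in to org 2, patron 303 from org 7 has not.
var SAMPLE_PATRONS = {
  101: { homeOrg: 3, optIns: new Set() },
  202: { homeOrg: 7, optIns: new Set([2]) },
  303: { homeOrg: 7, optIns: new Set() }
};
function sampleLookup(id) { return SAMPLE_PATRONS[id] || null; }

// Optional AngularJS (ngRoute) wiring; inert when angular is not loaded. Module and
// service names are assumptions. Evergreen's record lookups are asynchronous, so a real
// guard would cancel the route, resolve the record, then re-navigate.
if (typeof angular !== 'undefined') {
  angular.module('egOptInGuardExample', ['ngRoute']).run(['$rootScope', '$location',
    'egOptInExample', function ($rootScope, $location, optIn) {
      $rootScope.$on('$routeChangeStart', function (evt) {
        var d = guardPatronRoute($location.path(), optIn.staffOrg(), optIn.orgScope(), optIn.lookup);
        if (d === 'prompt') { evt.preventDefault(); optIn.showDialog(); }
      });
    }]);
}
```

Because the decision is made from the route rather than from each screen's own lookup, the circ-history path and any future patron screen are covered by the same check.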
information type: Private Security → Public Security
tags: added: webstaffclient
Changed in evergreen: assignee: nobody → Jeff Davis (jdavis-sitka)
Changed in evergreen: assignee: nobody → Jason Etheridge (phasefx)
Changed in evergreen: status: Fix Committed → Fix Released
+1 to making this a public bug