Comment 1 for bug 1206589

Jason Stephenson (jstephenson) wrote :

While the initial bug report indicates this is a problem in the Library
Settings Editor's history functions only, the underlying cause turns
out to be yet another remote vulnerability. Any user who can
authenticate to Evergreen and make the proper open-ils.pcrud calls can
view the history of any setting, including those that are sensitive.

This happens because the permacrud action entries in the IDL for the
coustl object list no required permission for retrieve. Thus, no
permission is required and once anonymous pcrud goes in, no login
would be required either.

An immediate fix for this would be to add a permission, just about any
permission that a patron would not have will do, to the retrieve
action in coustl's permacrud block.

A longer winded fix will appear in a forthcoming comment. There are a
number of things "wrong" about this feature.
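The defect described in this comment is a missing `permission` attribute on a permacrud action, which is something an administrator can audit for across the whole IDL rather than class by class. The script below is an added example, not code from the Evergreen project or from this bug report. It uses the real IDL and permacrud namespace URIs, but the two XML fragments are constructed for illustration, and `PLACEHOLDER_VIEW_PERM` is a stand-in for whatever staff-only permission a site would actually choose:

```python
"""Audit Evergreen fm_IDL.xml permacrud blocks for actions that name no permission.

Added example (not Evergreen project code). The namespace URIs are the ones the
real IDL uses; the XML fragments are constructed, and PLACEHOLDER_VIEW_PERM is a
placeholder for a real staff permission.
"""
import xml.etree.ElementTree as ET

IDL_NS = "http://opensrf.org/spec/IDL/base/v1"
PERMACRUD_NS = "http://open-ils.org/spec/opensrf/IDL/permacrud/v1"
CRUD_ACTIONS = ("create", "retrieve", "update", "delete")


def unguarded_pcrud_actions(idl_xml: str) -> list[tuple[str, str]]:
    """Return (class_id, action) pairs for classes reachable through
    open-ils.pcrud whose permacrud action carries no permission attribute.

    Such an action is performable by any caller pcrud accepts, which is the
    condition the bug comment describes for coustl's retrieve action.
    """
    root = ET.fromstring(idl_xml)
    findings = []
    for cls in root.iter(f"{{{IDL_NS}}}class"):
        controllers = cls.get("controller", "").split()
        if "open-ils.pcrud" not in controllers:
            continue  # cstore-only classes are not exposed via pcrud at all
        for action in CRUD_ACTIONS:
            # The permacrud block re-declares its own default namespace, so its
            # children are addressed with PERMACRUD_NS rather than IDL_NS.
            for node in cls.iter(f"{{{PERMACRUD_NS}}}{action}"):
                if not node.get("permission"):
                    findings.append((cls.get("id"), action))
    return findings


# Constructed fragment: coustl exposes retrieve with no permission (the reported
# state), while a cstore-only class is skipped because pcrud cannot reach it.
VULNERABLE_IDL = f"""<IDL xmlns="{IDL_NS}">
  <class id="coustl" controller="open-ils.cstore open-ils.pcrud">
    <permacrud xmlns="{PERMACRUD_NS}">
      <actions>
        <retrieve/>
      </actions>
    </permacrud>
  </class>
  <class id="cstore_only" controller="open-ils.cstore">
    <permacrud xmlns="{PERMACRUD_NS}">
      <actions><retrieve/></actions>
    </permacrud>
  </class>
</IDL>"""

# Constructed fragment showing the immediate fix from the comment: a permission
# on the retrieve action. PLACEHOLDER_VIEW_PERM is not a real Evergreen
# permission name; a site would substitute one that ordinary patrons lack.
HARDENED_IDL = f"""<IDL xmlns="{IDL_NS}">
  <class id="coustl" controller="open-ils.cstore open-ils.pcrud">
    <permacrud xmlns="{PERMACRUD_NS}">
      <actions>
        <retrieve permission="PLACEHOLDER_VIEW_PERM"/>
      </actions>
    </permacrud>
  </class>
</IDL>"""


if __name__ == "__main__":
    for label, idl in (("before", VULNERABLE_IDL), ("after", HARDENED_IDL)):
        print(label, unguarded_pcrud_actions(idl))
```

Running it against a full `fm_IDL.xml` will also list classes whose open retrieve is intentional (publicly visible reference data), so treat the output as a review list and check each hit against what the class actually holds; the finding that matters is a permission-less action on a class whose rows are sensitive, as the setting history here is.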