FOLIO-verify requester id is same as logged in user (#1630)

module/VuFind/src/VuFind/ILS/Driver/Folio.php

@@ -939,6 +939,7 @@ class Folio extends AbstractAPI implements
     public function cancelHolds($cancelDetails)
     {
         $details = $cancelDetails['details'];
+        $patron = $cancelDetails['patron'];
         $count = 0;
         $cancelResult = ['items' => []];
 
@@ -948,16 +949,18 @@ class Folio extends AbstractAPI implements
             );
             $request_json = json_decode($response->getBody());
 
+            // confirm request belongs to signed in patron
+            if ($request_json->requesterId != $patron['id']) {
+                throw new ILSException("Invalid Request");
+            }
             // Change status to Closed and add cancellationID
             $request_json->status = 'Closed - Cancelled';
             $request_json->cancellationReasonId
                 = $this->config['Holds']['cancellation_reason'];
-
             $cancel_response = $this->makeRequest(
                 'PUT', '/circulation/requests/' . $requestId,
                 json_encode($request_json)
             );
-
             if ($cancel_response->getStatusCode() == 204) {
                 $count++;
                 $cancelResult['items'][$request_json->itemId] = [