From 1458faf28fe1617ef05eb05d738db2c3bf791d02 Mon Sep 17 00:00:00 2001
From: Ian Hardy <ian.c.hardy@gmail.com>
Date: Mon, 1 Jun 2020 11:41:50 -0400
Subject: [PATCH] FOLIO-verify requester id is same as logged in user (#1630)

---
 module/VuFind/src/VuFind/ILS/Driver/Folio.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/module/VuFind/src/VuFind/ILS/Driver/Folio.php b/module/VuFind/src/VuFind/ILS/Driver/Folio.php
index 5a5547a6bf6..c36fa902495 100644
--- a/module/VuFind/src/VuFind/ILS/Driver/Folio.php
+++ b/module/VuFind/src/VuFind/ILS/Driver/Folio.php
@@ -939,6 +939,7 @@ class Folio extends AbstractAPI implements
     public function cancelHolds($cancelDetails)
     {
         $details = $cancelDetails['details'];
+        $patron = $cancelDetails['patron'];
         $count = 0;
         $cancelResult = ['items' => []];
 
@@ -948,16 +949,18 @@ class Folio extends AbstractAPI implements
             );
             $request_json = json_decode($response->getBody());
 
+            // confirm request belongs to signed in patron
+            if ($request_json->requesterId != $patron['id']) {
+                throw new ILSException("Invalid Request");
+            }
             // Change status to Closed and add cancellationID
             $request_json->status = 'Closed - Cancelled';
             $request_json->cancellationReasonId
                 = $this->config['Holds']['cancellation_reason'];
-
             $cancel_response = $this->makeRequest(
                 'PUT', '/circulation/requests/' . $requestId,
                 json_encode($request_json)
             );
-
             if ($cancel_response->getStatusCode() == 204) {
                 $count++;
                 $cancelResult['items'][$request_json->itemId] = [
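Review bot: The ownership check `if ($request_json->requesterId != $patron['id'])` uses loose comparison; since both sides should be opaque id strings, `!==` is the safer form and also avoids PHP's numeric-string coercion rules: `if (($request_json->requesterId ?? null) !== $patron['id']) {`. When `json_decode($response->getBody())` fails it returns null, and reading `->requesterId` on it only emits a warning before the same "Invalid Request" exception is thrown, which hides a malformed or empty response behind an authorization failure; the `?? null` form above keeps the check failing closed without the warning, and a separate check on the decoded object (throwing with a distinct message) would make the two cases distinguishable in logs. Note also that the throw aborts the whole loop, so requests cancelled earlier in the same call are not reported in `$cancelResult`; the loop header and the end of cancelHolds lie outside this hunk, so whether callers expect a partial result cannot be confirmed here.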
-- 
GitLab