From 5212c150d282ba3841aa3d7b7aa642eb9772d9a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathias=20Maa=C3=9F?= <mathias.maass@uni-leipzig.de>
Date: Wed, 19 Oct 2022 09:30:26 +0200
Subject: [PATCH] refs #22495 [finc] Check rights for PAIA method paiaGetItems
 in FincILS

---
 module/finc/src/finc/ILS/Driver/FincILS.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/module/finc/src/finc/ILS/Driver/FincILS.php b/module/finc/src/finc/ILS/Driver/FincILS.php
index 502e6f9f563..6eab90c6eea 100644
--- a/module/finc/src/finc/ILS/Driver/FincILS.php
+++ b/module/finc/src/finc/ILS/Driver/FincILS.php
@@ -1138,6 +1138,11 @@ class FincILS extends PAIA implements LoggerAwareInterface
      */
     protected function paiaGetItems($patron, $filter = [])
     {
+        // check if user has appropriate scope
+        if (!$this->paiaCheckScope(self::SCOPE_READ_ITEMS)) {
+            throw new ILSException('You are not entitled to read items.');
+        }
+
         // check for existing data in cache
         if ($this->paiaCacheEnabled) {
             $itemsResponse = $this->getCachedData($patron['cat_username']);
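Review bot: The comment on the new guard at the top of paiaGetItems, `// check if user has appropriate scope`, does not say why the check must stay ahead of the cache lookup that follows it. A later refactor could move it below `getCachedData()` and serve cached items to a session without the scope, so I would write `// enforce SCOPE_READ_ITEMS before the cache lookup so cached items are never returned without it`. The method can now throw, but its docblock starts above the hunk; if it has no `@throws ILSException` line, add one so callers know to handle the denial. From these lines it is not visible whether `paiaCheckScope()` evaluates the scope granted to the same patron whose `cat_username` keys the cache, which is worth confirming. The function body continues past the end of the hunk.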
-- 
GitLab