https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13895

--- Comment #35 from Lari Taskula <[email protected]> ---
(In reply to Katrin Fischer from comment #34)
> >Let the user access their own checkouts and if the OpacRenewalAllowed system
> >preference
> >is on, also let the user renew their checkouts.
> 
> I am concerned about this kind of behaviour. Would it mean that any user
> (without any permission) can do this using the REST API as long as they can
> get access to a valid session cookie/log into the OPAC?
Yes, only for their own checkouts. Of course, appropriate system preferences
need to be considered, as you mentioned:

> This checks for OpacRenewalAllowed, but what about opacuserlogin?
Great suggestion, I totally ignored opacuserlogin. I think it is very important
to also check opacuserlogin here and in other operations where this type of
behaviour would be useful.

There are many operations where it would be useful to let the resource owner
access their own data even if they have no special permissions for it
(checkouts/history, holds, accountlines, patron info, password change etc.).
For this behaviour, I have proposed a patch in Bug 14868 which will centralize
that feature so we don't have to check permissions/ownership in each controller
over and over again, and will also add permission documentation into Swagger
for each operation. Perhaps opacuserlogin could be considered there, restricting
access to this behaviour in every operation if it is disabled.

> Could we make this behaviour optional?
I'm not fully sure I understand your concern enough to see why it should have
extra optionality, if this behaviour is already enabled in OPAC. If your main
concern was opacuserlogin, then I think it is enough to consider it. Are there
some other preferences that should also be considered?

Thanks for the comment Katrin, very much appreciated!

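The owner-or-permission rule discussed in this thread, written out as an added Python model (not Koha's own Perl code, and not the Bug 14868 patch): a staff permission always grants access, while a patron gets access to a resource only when they own it and every governing system preference, opacuserlogin plus any operation-specific one such as OpacRenewalAllowed, is enabled. The route table, the "circulate" permission name and the preference values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class Session:
    borrowernumber: int                       # logged-in patron id
    permissions: FrozenSet[str] = frozenset() # staff permission flags

@dataclass(frozen=True)
class Endpoint:
    required_permission: Optional[str]        # staff flag that always grants access
    owner_allowed: bool                       # may the resource owner use it without the flag?
    owner_sysprefs: Tuple[str, ...] = ()      # prefs that must also be on for owner access

def authorize(session: Session, endpoint: Endpoint, owner_id: int,
              sysprefs: Dict[str, bool]) -> Tuple[bool, str]:
    """Centralized decision: (allowed, reason). Staff permission is checked
    first; the owner path is only taken when the endpoint opts in."""
    if endpoint.required_permission and endpoint.required_permission in session.permissions:
        return True, "permission"
    if not endpoint.owner_allowed:
        return False, "permission required"
    if session.borrowernumber != owner_id:
        return False, "not the resource owner"
    # opacuserlogin gates every owner-access path; operation-specific prefs are added per endpoint
    for pref in ("opacuserlogin",) + endpoint.owner_sysprefs:
        if not sysprefs.get(pref, False):
            return False, f"system preference {pref} disabled"
    return True, "owner"

def describe(endpoint: Endpoint) -> str:
    """Render the rule as a one-line string suitable for API documentation."""
    parts = [f"permission: {endpoint.required_permission or 'none'}"]
    if endpoint.owner_allowed:
        prefs = ", ".join(("opacuserlogin",) + endpoint.owner_sysprefs)
        parts.append(f"or resource owner if {prefs} enabled")
    return "; ".join(parts)

# Constructed route table; paths and the "circulate" flag are assumptions for the example.
ENDPOINTS = {
    ("GET", "/checkouts"): Endpoint("circulate", owner_allowed=True),
    ("PUT", "/checkouts/{id}/renewal"): Endpoint("circulate", owner_allowed=True,
                                                 owner_sysprefs=("OpacRenewalAllowed",)),
    ("DELETE", "/checkouts/{id}"): Endpoint("circulate", owner_allowed=False),  # check-in: staff only
}
```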
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/