https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20627
Bug ID: 20627
Summary: Prevent leakages of user permissions to api access tokens
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: new feature
Priority: P5 - low
Component: Authentication
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected], [email protected],
[email protected], [email protected],
[email protected], [email protected]
Depends on: 20568
Blocks: 20612, 20624
Bug #20568 allows users to create API access tokens, but it always associates
all of a user's permissions with that access token, and additionally, if that user
comes to have more permissions down the line, those additional permissions are
automagically added to the access token as well. This is generally bad practice
for access tokens, as in general they should be of a definite scope, and any
time additional privileges are required the client application should have to
ask for them and receive a new token with the additional privileges assigned to
it.
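An added illustration of the two designs side by side (example code written for this report, not Koha's own): an unscoped token that simply follows the user's live permission set, and a token whose scope is fixed at issuance. The permission names and the in-memory store are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Patron:
    userid: str
    permissions: set  # live permission set; may grow or shrink later


@dataclass
class Token:
    userid: str
    scopes: Optional[frozenset]  # None: no scope of its own (the pattern this bug describes)


class TokenStore:
    """In-memory stand-in for a token table; constructed for this example."""

    def __init__(self):
        self.patrons = {}
        self.tokens = {}

    def add_patron(self, patron):
        self.patrons[patron.userid] = patron

    def issue_unscoped(self, userid):
        # Token carries no permissions of its own: whatever the user can do
        # now, or is granted later, the token can do too.
        value = secrets.token_urlsafe(32)
        self.tokens[value] = Token(userid, None)
        return value

    def issue_scoped(self, userid, requested):
        # Scope is fixed at issuance and must be a subset of what the user
        # holds right now; more privileges later mean asking for a new token.
        requested = frozenset(requested)
        missing = requested - self.patrons[userid].permissions
        if missing:
            raise ValueError(f"user lacks requested scope: {sorted(missing)}")
        value = secrets.token_urlsafe(32)
        self.tokens[value] = Token(userid, requested)
        return value

    def authorize(self, value, required):
        tok = self.tokens.get(value)
        if tok is None:
            return False
        live = self.patrons[tok.userid].permissions
        if tok.scopes is None:
            return required in live  # leaky: tracks the user's permissions over time
        # Scoped token: must be within the issued scope AND still held by the
        # user, so revoking a user permission also disables the token for it.
        return required in tok.scopes and required in live
```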
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20568
[Bug 20568] Add API key management interface for patrons
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20612
[Bug 20612] Make OAuth2 use patron's client_id/secret pairs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20624
[Bug 20624] Allow switching off the OAuth2 client credentials grant
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs