https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21300
Bug ID: 21300
Summary: Restriction of ILS-DI webservice to 1st and 2nd level by default
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Web services
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
The Koha wiki describes a way of restricting access to ILS-DI through an Apache
configuration:
https://wiki.koha-community.org/wiki/APIs_and_protocols_supported_by_Koha#ILS-DI
"ILS-DI
ILS-DI is self-documenting, so in an installation where it is enabled, you can
get some information about it at the URL:
http://koha-opac.example.org/cgi-bin/koha/ilsdi.pl
Because ILS-DI gives access to all your data (items, patrons...), it should be
restricted by allowing IP in the admin interface and/or by disabling services
via the server.
For Apache, these rules can be added to restrict public access only to the
first and second levels of ILS-DI:
<IfModule mod_rewrite.c>
# Rewrite Rules
RewriteEngine On
# Restricted ILS-DI Access
RewriteCond %{QUERY_STRING} !(^($|(\??|(.*&))service=(Describe|GetAvailability|GetRecords|GetAuthorityRecords)))
RewriteRule ^/cgi-bin/koha/ilsdi\.pl$ - [R=403,L]
</IfModule>
Because an IP can be easily spoofed, the second way is recommended."
It would be great to have this restriction set up by default when installing
Koha, and to have the possibility to open levels 3 and 4 of ILS-DI only if
needed.
This would be more compliant with GDPR (see bug 18081).
Thanks
Anne-Claire
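
Added example, not part of the bug report or the Koha wiki: a Python check that runs the RewriteCond pattern quoted above against constructed query strings, to show which ILS-DI requests the rule passes to ilsdi.pl and which it answers with 403. The query strings are constructed samples, and Python's re module is assumed to match this pattern the same way Apache's PCRE does.

```python
import re

# Pattern copied from the RewriteCond quoted above, joined onto one line.
ALLOW_PATTERN = re.compile(
    r"(^($|(\??|(.*&))service="
    r"(Describe|GetAvailability|GetRecords|GetAuthorityRecords)))"
)


def is_blocked(query_string: str) -> bool:
    """True when the rule would answer 403 for ilsdi.pl with this query string.

    Apache applies the pattern as an unanchored search, and the leading '!'
    on the RewriteCond makes the 403 rule fire when the pattern does NOT match.
    %{QUERY_STRING} is the part after '?', so samples carry no leading '?'.
    """
    return ALLOW_PATTERN.search(query_string) is None


# Constructed sample query strings (not taken from any real log).
SAMPLES = [
    "",                                       # bare self-documentation page
    "service=Describe&verb=GetRecords",       # allowed service
    "service=GetAvailability&id=1&id_type=bib",
    "id=1&service=GetAuthorityRecords",       # allowed service, not first parameter
    "service=GetPatronInfo&patron_id=1",      # patron-level service
    "service=AuthenticatePatron&username=u&password=p",
    "service=HoldTitle&patron_id=1&bib_id=1",
    "service=describe",                       # wrong case: no [NC] flag on the rule
    "foo=bar",                                # no service parameter at all
]


def report(samples=SAMPLES):
    """Return (query_string, 'pass' or '403') for each sample."""
    return [(qs, "403" if is_blocked(qs) else "pass") for qs in samples]


if __name__ == "__main__":
    for qs, verdict in report():
        print(f"{verdict:>4}  ilsdi.pl?{qs}")
```

The rule fails closed: any query string that does not name one of the four listed services is refused, while the empty query string (the self-documentation page) stays reachable.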