http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7804
--- Comment #34 from Jared Camins-Esakov <[email protected]> ---

The latest iteration looks a lot better - it closes a couple of the obvious security holes, though there's an unnecessary ScriptAlias line in the httpd.conf that needs to be removed. Here are a couple of comments:

* Plugins should extend the Koha::Plugins::Base class, so the run() routine you have in Koha::Plugins::Base should probably be moved to a new class, like Koha::Plugins::Handler
* Koha::Plugins::Base needs to save the contents of %args - my inclination would be to just do something simple like:
    my $self = bless { %args }, $class;
* When Koha::Plugins::Handler passes control over to the plugin, it should also pass a reference to itself, so that the plugin could call Koha::Plugins::Handler->load_plugin($pluginname), or any other helper functions that we might find are needed
* checkauth should be run in Koha::Plugins::Handler->run($plugin), which means that one of the parameters passed to every plugin should be a CGI object (this also takes care of getting CGI params to the plugin)
* There still need to be separate flags in koha-conf.xml to enable the plugin system generally and uploading plugins from the staff client. The default should be disabled for both.

Addressing these six points should take us much of the way toward a safe implementation.
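A minimal Perl sketch of the structure this comment proposes, added here as an illustration and not taken from the Koha patch or code base. The Demo::* packages, the configuration keys, the plugin allow-list and check_auth() (a stand-in for checkauth) are all hypothetical, and the request object is a plain hash rather than a CGI object.

```perl
#!/usr/bin/perl
# Added sketch, not Koha code: Demo::* packages, the config keys and
# check_auth() are hypothetical stand-ins.
use strict;
use warnings;

package Demo::Plugins::Base;
sub new {
    my ( $class, %args ) = @_;
    return bless {%args}, $class;    # keep the constructor arguments
}

package Demo::Plugin::Hello;
our @ISA = ('Demo::Plugins::Base');
sub report {
    my ($self) = @_;
    return 'hello ' . $self->{cgi}{user};    # the handler is in $self->{handler}
}

package Demo::Plugins::Handler;
# Both switches default to disabled, as the comment asks.
my %DEFAULTS = ( enable_plugins => 0, plugins_upload => 0 );
# Assumption of this sketch: plugin names map to classes through a fixed table.
my %KNOWN = ( Hello => 'Demo::Plugin::Hello' );

sub new {
    my ( $class, %conf ) = @_;
    return bless { conf => { %DEFAULTS, %conf } }, $class;
}

# Stand-in for checkauth: constructed rule, only the user 'staff' passes.
sub check_auth { my ( $self, $cgi ) = @_; return ( $cgi->{user} // '' ) eq 'staff' }

sub run {
    my ( $self, $name, $method, $cgi ) = @_;
    die "plugins disabled\n" unless $self->{conf}{enable_plugins};
    die "not authorised\n"   unless $self->check_auth($cgi);    # before any plugin code runs
    my $class = $KNOWN{$name} or die "unknown plugin\n";
    die "unknown method\n" unless $method eq 'report';
    my $plugin = $class->new( cgi => $cgi, handler => $self );
    return $plugin->$method();
}

package main;
my $cgi = { user => 'staff' };    # constructed request stand-in
for my $conf ( {}, { enable_plugins => 1 } ) {
    my $out = eval { Demo::Plugins::Handler->new(%$conf)->run( 'Hello', 'report', $cgi ) };
    print defined $out ? "$out\n" : "refused: $@";
}
```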
