https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29523
--- Comment #100 from David Cook <[email protected]> ---

I have a different system where I needed to control access to resources based on requesting user. Fortunately, it is a smaller system than Koha with clearer boundaries around the key data, so I focused on the key data.

For "single" access, each resource has a method for testing authorization to itself. It takes a requesting user, a policy, a requesting action, and optionally resource attributes for more fine-grained control. Since it's just 1 resource, I could use a lot of logic without having problems with scale/efficiency.

For "plural" access, it got more complicated, because I needed to leverage SQL and not code logic. Fortunately, I really only needed to worry about GETs in this context, since I wasn't doing bulk modifications or bulk deletions. For the GETs, I was able to insert extra SQL into the WHERE clause where needed to make sure only resources the requesting user was authorized to see were retrieved from the database.

That's probably a lot harder in Koha, especially if we're trying to do it globally. But if we're just trying to restrict what patrons a requesting user can see based on if they're from the same library... that could be a lot easier. It wouldn't feel great having a resource-specific authorization scheme instead of a global one, but it would be a lot easier.
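The "single" versus "plural" split described in the comment above, as an added sketch that is not code from the comment's author or from Koha: one policy decision drives both a per-resource check in code and a parameterized WHERE fragment for list queries. The `patrons` schema, the `view_patron` action, the `all_libraries` flag and every function name are assumptions made for illustration, and the rows are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample data (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE patrons (id INTEGER PRIMARY KEY, name TEXT, library TEXT);
        INSERT INTO patrons VALUES (1,'Ana','MAIN'),(2,'Ben','MAIN'),(3,'Cy','EAST');
    """)
    return db

def scope_for(user, action):
    """Policy decision shared by both paths: 'all', 'own_library' or 'none'."""
    if action not in user["permissions"]:
        return "none"
    return "all" if user.get("all_libraries") else "own_library"

def can_access(user, action, patron):
    """'Single' access: test one already-loaded resource in code."""
    scope = scope_for(user, action)
    return scope == "all" or (
        scope == "own_library" and patron["library"] == user["library"])

def authz_where(user, action):
    """'Plural' access: the same policy as a SQL fragment plus bind values."""
    scope = scope_for(user, action)
    if scope == "all":
        return "1=1", []
    if scope == "own_library":
        return "library = ?", [user["library"]]
    return "1=0", []  # fail closed: no permission means no rows

def list_patrons(db, user, name_like="%"):
    """GET-style listing; the authorization filter is ANDed with the search."""
    clause, binds = authz_where(user, "view_patron")
    # Only fixed fragments are interpolated; user-derived values are bound.
    sql = ("SELECT id, name, library FROM patrons "
           f"WHERE name LIKE ? AND ({clause}) ORDER BY id")
    return db.execute(sql, [name_like, *binds]).fetchall()
```

Because both paths call `scope_for`, the rows a list query returns stay consistent with what the per-resource check would allow, and the fragment is wrapped in parentheses so an `OR` in the caller's own search conditions cannot widen it.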
