https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561
Bug ID: 36561
Summary: Inappropriate permission for
"/api/v1/auth/password/validation"
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Web services
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
Today I was looking to replace a third-party's usage of ILS-DI
AuthenticatePatron with the REST API's "/api/v1/auth/password/validation", when
I realized that it would mean giving the third-party much greater Koha
permission than they currently have.
"/api/v1/auth/password/validation" requires the "borrowers" permission, which
gives you full access to all borrower data.
I don't think that's what we want to give a third-party that really just needs
to validate that a patron is an authentic member of Koha.
I think that we might need a new permission class. I don't have a perfect name
for it yet, but I'm thinking about it. Here's some ideas:
- Discovery
- External
- API
- Web services
- Third-party
--
That way, we can have third-party API users that are narrowly scoped to just
what they need to do.
--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
