https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094
--- Comment #36 from David Cook <[email protected]> ---
(In reply to David Cook from comment #35)
> As for requiring POST and comment 17 for /svc/authentication... that's a
> good point but that is more so an issue with check_api_auth() and changing
> that has wide-reaching consequences beyond /svc.

(In reply to David Cook from comment #18)
> Yeah, that's a problem with check_api_auth(), which I figured was outside
> the scope of this particular change.
>
> I suppose if it's a GET we might be able to delete the credentials out of
> the $query object before passing it to check_api_auth(). Without doing a lot
> of refactoring, I think we're probably going to be left with a hacky option
> like that.

Technically, C4::Auth::get_template_and_user() requires a POST and op=cud-login, which works for a CGI script, because that's the first auth-related function called. But for /svc scripts (and scripts like them), they call check_api_auth(), so that's the function that would need to be updated. It's unfortunate that it's so widespread and used in different ways.

Practically, we probably could just have check_api_auth() require a POST when it's performing login functionality. But... we're too late in the release cycle for that, I think.

--

After 24.05 is released, I'd be happy to write a patch that requires POST when check_api_auth() is doing a login. Then we'll have a whole release cycle to find any bugs in that.
