https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28957
--- Comment #9 from David Cook <[email protected]> --- (In reply to David Cook from comment #8) > We're stuck in a tricky place. If we want to fix the security, we might have > to break some plugins. Or... We add a system preference. Something like "PluginsStrictPermissions", which requires run.pl to only work with methods "report", "tool", "admin", or "configure". Most plugins should be fitting in this paradigm. For plugins that aren't... they have to disable "PluginsStrictPermissions" and there they read a warning saying they need to either align their permissions with "report", "tool", "admin", or "configure" OR use this new "koha_authz" Koha plugin class method so that they handle permissions on their own. Maybe we start with "ExperimentalPluginsStrictPermissions" and default it to "off" or "warn" where "warn" would generates some warnings (maybe just in the logs) saying that the plugin is using an unconventional method for run.pl. And then in a release or two we change "ExperimentalPluginsStrictPermissions" to "PluginsStrictPermissions" and default it to "on" so people are forced to turn it off or update their plugins. -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
