https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41768
--- Comment #18 from David Cook <[email protected]> --- (In reply to Arthur Suzuki from comment #16) > (In reply to David Cook from comment #15) > > (In reply to Arthur Suzuki from comment #14) > > Yeah, you might have a point. I'm working on a different bug where someone > > added a public endpoint to be used for both the staff interface and the > > OPAC. I'm not sure what I think of it yet. > > Can you give me the bug number? I can't at present. > > That being said, I thought pickup locations were scoped to individual users. > > Indeed if you look at Koha/REST/V1/Biblios.pm you can see that it takes a > > patron_id and public endpoints shouldn't allow people to provide a > > patron_id. It would need to take the logged in user's patron_id. > > > > Yes, it needs the patron ID, but is that really a problem? it's not like the > output/reply gives any personal data about the patron so, in that specific > use-case is that a problem? Yes, it's a problem, because you're allowing an unauthorised action against a different patron. Even if the impact is considered trivial, it's still an unauthorised release of information. It's a problem. > > You mean like the following? > > /api/v1/public/libraries/{library_id} > > /api/v1/libraries/{library_id} > > > > /api/v1/public/items > > /api/v1/items > > > > /api/v1/public/oauth/login/{provider_code}/{interface} > > /api/v1/oauth/login/{provider_code}/{interface} > > Yes, I know that already exists but why? could be only the public endpoint > imo I know you think that but I disagree. -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
