https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39199
--- Comment #6 from David Cook <[email protected]> ---
(In reply to David Cook from comment #5)
> We need to keep in mind that the API runs on the same domain as the OPAC and
> the staff interface. By adding GET /notices we've suddenly opened up all the
> emails to a user with the tools subpermissions, so they can look at all
> kinds of different user information.
>
> We've got some pretty fundamental authorization problems in Koha, especially
> with the API. We bypass our own permissions/authorizations.

We need to remember that convenience and security are opposite ends of the same spectrum. With AI finding security vulnerabilities easier than ever, we don't want to be making unforced errors like this.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
