https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28957
Luis Bataller <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #11 from Luis Bataller <[email protected]> ---
We've actually been carrying a local patch for this at Xercode for over a year now, and it's basically David's comment #8 (option 2): an optional plugin hook that lets the plugin say which permissions a given method needs.

The gist of it:

- run.pl keeps its current default of { plugins => $method }.
- If the plugin implements the hook, run.pl calls it (passing the method and the relevant CGI params) and uses whatever it returns as flagsrequired for get_template_and_user.
- The hook returns a normal flagsrequired, or undef to fall back to the default. So nothing changes for plugins that don't implement it.

On David's worry in comment #10 (plugins just letting anyone do anything): the hook doesn't return allow/deny. It returns a flagsrequired that Koha still checks itself via haspermission()/get_template_and_user. So a plugin can only pick which existing Koha permission guards a method — it can't bypass the check or drop it below "you need some real Koha permission". Enforcement stays in core.

It's also a small, low-coupling change: the only file touched is run.pl, and it's fully backwards-compatible — plugins that don't implement the hook behave exactly as before. A year in production has made us pretty confident in it, and we're glad to tidy it up to community standards.

One naming thought: David called it koha_authz in comment #8. We'd actually lean towards permissions_required here, since the hook doesn't grant or do any authorization itself. Happy to go with whatever you all prefer, though.

-- 
You are receiving this mail because:
You are watching all bug changes.
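A minimal sketch of the fallback logic described in comment #11, added here as an illustration; it is not Xercode's patch and not Koha code. The hook name `permissions_required`, the argument shape, and the stand-in plugin classes are assumptions, and treating a dying hook or an empty or non-hash return value as "use the default" is an extra defensive choice of this example.

```perl
use strict;
use warnings;

# Hypothetical hook name; the thread has not settled on one.
my $HOOK = 'permissions_required';

# Pick the flagsrequired value run.pl would hand to get_template_and_user.
# The result is always a permission spec for core to check, never allow/deny.
sub resolve_flagsrequired {
    my ( $plugin, $method, $params ) = @_;
    my $default = { plugins => $method };    # current run.pl behaviour

    return $default unless $plugin->can($HOOK);    # legacy plugin: unchanged

    # Argument shape (method plus CGI params in one hashref) is an assumption.
    my $flags = eval { $plugin->$HOOK( { method => $method, params => $params } ) };
    return $default if $@;                    # hook died: keep the default guard
    return $default unless defined $flags;    # undef means "fall back"
    return $default unless ref $flags eq 'HASH' && %$flags;    # malformed or empty
    return $flags;
}

# Constructed stand-in plugins, for demonstration only.
package Example::Plugin::WithHook;
sub new { return bless {}, shift }
sub permissions_required {
    my ( $self, $args ) = @_;
    return { catalogue => 1 } if $args->{method} eq 'report';
    return;    # every other method keeps the default
}

package Example::Plugin::Legacy;
sub new { return bless {}, shift }

package main;

for my $case (
    [ Example::Plugin::WithHook->new, 'report' ],
    [ Example::Plugin::WithHook->new, 'tool' ],
    [ Example::Plugin::Legacy->new,   'tool' ],
) {
    my ( $plugin, $method ) = @$case;
    my $flags = resolve_flagsrequired( $plugin, $method, {} );
    printf "%-28s %-7s => { %s }\n", ref($plugin), $method,
        join ', ', map { "$_ => $flags->{$_}" } sort keys %$flags;
}
```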
