https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28957
--- Comment #14 from Luis Bataller <[email protected]> ---
Comment on attachment 200543
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=200543
Bug 28957: Add permissions_required plugin hook to plugins/run.pl.

Review of attachment 200543:
  --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=28957&attachment=200543)
-----------------------------------------------------------------

Thanks for the pointer! I read through 20813 and the specs posted. The resource/action/scope model with roles is what Koha's permissions need, and it's great to see it moving again. Happy to follow it and help test.

It does read like a large task, though, so realistically flags will be around for a good while yet. Meanwhile the run.pl problem in 28957 is a live security issue today.

The nice thing is our little hook doesn't compete with the RBAC work at all: it only touches run.pl, it's fully backwards-compatible, and it can simply be dropped/superseded once the new system lands. So it works as an interim mitigation for the security exposure now, without constraining the RBAC design in any way.

If that sounds reasonable, we'd be glad to put up a patch on 28957 for sign-off/QA so someone can review it and decide whether it's worth taking into core as a stopgap.

The hook is trivial to exercise — drop a permissions_required method into any plugin. For example, gating the 'tool' method on the catalogue permission instead of the plugins one:

    sub permissions_required {
        my ( $self, $args ) = @_;
        return { catalogue => 1 } if $args->{method} eq 'tool';
        return undef;    # fall back to the default { plugins => $method }
    }

Then a user with 'catalogue' but without 'plugins' can run the tool method, and the default is unchanged for plugins that don't implement the hook.

We also have a small demo plugin we used to test this — happy to share the source if it's useful.

--
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
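The resolution logic the comment describes, written out as a stand-alone example (added here; not the patch on the bug and not Koha's own C4::Auth code): run.pl-side code asks the plugin for permissions_required, falls back to { plugins => $method } when the hook is absent or returns nothing usable, and checks the result against a user's flags. The two plugin packages, the user flag sets and user_has_flags are constructed stand-ins.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed plugin that implements the hook (gates 'tool' on catalogue).
package Koha::Plugin::Example::WithHook;
sub new { return bless {}, shift }
sub permissions_required {
    my ( $self, $args ) = @_;
    return { catalogue => 1 } if $args->{method} eq 'tool';
    return undef;    # fall back to the default { plugins => $method }
}

# Constructed plugin without the hook: must keep today's behaviour.
package Koha::Plugin::Example::Legacy;
sub new { return bless {}, shift }

package main;

# Resolve the flags a plugin method needs. Only a non-empty hashref from the
# hook is honoured; undef, an empty hashref or a non-hashref all fall back to
# the default, so a buggy hook cannot silently open a method to everyone.
sub resolve_flags_required {
    my ( $plugin, $method ) = @_;
    my $default = { plugins => $method };
    return $default unless $plugin->can('permissions_required');
    my $flags = $plugin->permissions_required( { method => $method } );
    return $default unless ref $flags eq 'HASH' && %$flags;
    return $flags;
}

# Stand-in flag check (assumption, not C4::Auth::haspermission).
# $user_flags: flag => 1 (whole module) or flag => { subperm => 1, ... }.
# $required:   flag => 1 (whole module) or flag => 'subperm'.
sub user_has_flags {
    my ( $user_flags, $required ) = @_;
    return 1 if $user_flags->{superlibrarian};
    for my $flag ( keys %$required ) {
        my $have = $user_flags->{$flag} or return 0;   # module not granted
        my $need = $required->{$flag};
        next if !ref $have;                             # whole module held
        return 0 if $need eq '1';                       # whole module needed
        return 0 unless $have->{$need};                 # specific subperm
    }
    return 1;
}

my $cataloguer   = { catalogue => 1 };                  # constructed user
my $plugin_admin = { plugins   => { tool => 1 } };      # constructed user
for my $case ( [ Koha::Plugin::Example::WithHook->new, 'tool' ],
               [ Koha::Plugin::Example::WithHook->new, 'configure' ],
               [ Koha::Plugin::Example::Legacy->new,   'tool' ] ) {
    my ( $plugin, $method ) = @$case;
    my $flags = resolve_flags_required( $plugin, $method );
    printf "%-34s %-10s needs %-20s cataloguer=%d plugin_admin=%d\n",
        ref $plugin, $method,
        join( ',', map { "$_=$flags->{$_}" } sort keys %$flags ),
        user_has_flags( $cataloguer, $flags ), user_has_flags( $plugin_admin, $flags );
}
```

Running it shows the hooked plugin's 'tool' method opening to the cataloguer while 'configure' and the legacy plugin still require the plugins subpermission.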
