https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030

            Bug ID: 43030
           Summary: Add generic own-resource (self-access) authorization
                    to the REST API
   Initiative type: ---
        Sponsorship ---
            status:
           Product: Koha
           Version: Main
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: REST API
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
                CC: [email protected]
  Target Milestone: ---

This patch adds a generic mechanism for REST API endpoints to allow access to a
caller's own resources without requiring the broader module permission (for
example, a staff member managing their own lists, or viewing/editing their own
patron record, without list_borrowers/edit_borrowers).

Today, authorization is all-or-nothing: an endpoint's x-koha-authorization
block requires a specific module permission, with no way to grant reduced
access based on ownership of the record. Several controllers (Lists,
AdvancedEditorMacro, Patrons/Password, Patrons/SelfRenewal) work around this
today with inconsistent, ad hoc ownership checks that do not share a common
implementation.

This patch introduces:
- Koha::Object->is_owned_by($patron) and Koha::Objects->owned_by($patron), a
shared ownership interface implemented per class (identity based for
Koha::Patron, owner field based for Koha::Virtualshelf)
- An allow-owner flag on x-koha-authorization, checked in Koha::REST::V1::Auth,
that admits an authenticated caller lacking the module permission when the
resource is their own
- Koha::REST::Plugin::Objects integration so objects.find and objects.search
enforce/scope by ownership automatically, without each controller
reimplementing the check, and while continuing to support paging, embeds, and
existing query parameters
- Write path guards so a caller admitted only via ownership cannot create a
resource owned by someone else or reassign ownership away from themselves

Permission continues to take priority: a caller who holds the module permission
is unaffected and retains full, unrestricted access exactly as today. Ownership
is only consulted for callers who lack the permission.

Initial scope covers the Lists (virtualshelves) and Patrons endpoints, chosen
to exercise both ownership shapes (owner field and identity match). Other
existing ad hoc self checks are left as follow up work.

Test plan:
1. Apply the patches and run the test suite for the affected modules: prove
t/Koha/Object.t t/Koha/Objects.t t/db_dependent/Koha/Virtualshelves.t
t/db_dependent/Koha/Patrons.t t/db_dependent/api/v1/patrons.t
t/db_dependent/api/v1/lists.t
2. As a staff user without any list/shelf permission, confirm GET /api/v1/lists
returns only your own lists, and GET /api/v1/lists/{id} succeeds for your own
list and returns 403 for someone else's
3. As a staff user without borrowers permissions, confirm GET and PUT
/api/v1/patrons/{patron_id} succeed for your own patron_id and return 403 for
another patron_id
4. As a staff user with the relevant module permission, confirm both endpoints
behave exactly as before (full, unrestricted access)
5. Confirm creating/updating a list while lacking the module permission cannot
set the owner field to another patron

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Reply via email to