https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38050
--- Comment #53 from Martin Renvoize (ashimema) <[email protected]> --- FYI: Bug 43030 adds a generic own-resource (self-access) authorization mechanism to the REST API -- Koha::Object->is_owned_by / Koha::Objects->owned_by, plus an allow-owner flag on x-koha-authorization, so an authenticated caller without the module permission can still access/manage records they own. This bug's admin CRUD endpoints for lists/virtualshelves currently do their own ownership/sharing checks by calling Koha::Virtualshelf's can_be_viewed / can_be_managed / can_be_deleted directly in the controllers (see comment 42, point 3). That's richer than plain ownership -- it also covers sharing and the delete_public_lists permission, which the generic framework in Bug 43030 doesn't attempt to model. Once both bugs have landed, it would be worth a follow-up bug evaluating whether the plain-ownership case here could be expressed via is_owned_by/allow-owner, while keeping can_be_viewed/can_be_managed for the sharing and public-list-permission logic. Not asking to change anything on this bug for that now, just flagging the relationship for whoever picks up the follow-up. -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
