[Koha-bugs] [Bug 29523] Add a way to prevent embedding objects that should not be allowed
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29523

Fridolin Somers changed:
  Status: Pushed to master -> RESOLVED
  Resolution: --- -> FIXED

-- You are receiving this mail because: You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Fridolin Somers changed:
  CC: (added) fridolin.som...@biblibre.com

--- Comment #195 from Fridolin Somers ---
Does not apply easily on 23.05.x.
Please provide rebased patches or a branch if needed.

Andrii Nugged changed:
  CC: (added) nug...@gmail.com

--- Comment #194 from Andrii Nugged ---
(In reply to Tomás Cohen Arazi from comment #193)
> Some tests compare things to the output of `->to_api` and are exploding
> because the (now mandatory) `user` parameter is not passed in the call.

... just came to confirm that: the current master has broken my APIs for my VuFind (Finna) on preproduction tests.

--- Comment #193 from Tomás Cohen Arazi ---
Created attachment 158013 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=158013&action=edit
Bug 29523: Fix tests

Some tests compare things to the output of `->to_api` and are exploding because the (now mandatory) `user` parameter is not passed in the call.

In the case of IdP.t I just got rid of the use of `to_api` as we are just trying to acknowledge a new user has been created and the API representation of it is irrelevant.

Signed-off-by: Tomas Cohen Arazi

--- Comment #192 from Tomás Cohen Arazi ---
Pushed to master for 23.11.

Nice work everyone, thanks!

Tomás Cohen Arazi changed:
  Status: Passed QA -> Pushed to master
  Version(s) released in: 23.11.00

--- Comment #191 from Tomás Cohen Arazi ---
(In reply to Marcel de Rooy from comment #190)
> QA Comment:
>
> Great work. We have a base to build further. We might still improve on
> details?

To infinity, and beyond!

Marcel de Rooy changed:
  Status: BLOCKED -> Passed QA

--- Comment #190 from Marcel de Rooy ---
QA Comment:

Great work. We have a base to build further. We might still improve on details?

[1] The code around strings, embeds and related permissions is not simple. We could perhaps add some more comments. Maintenance might get harder along the way. For instance, we trust on the recursion in to_api via the child calls in the embeds loop. But who still remembers that a year later?

[2] We could still extend the unit tests by showing that the approach really works with embed. I tested biblios/checkouts with embed patron on the API versus patrons to see if it worked for a less privileged staff user.

[3] Based on the unredact_list we may be nulling some columns. Developers should be aware of mismatches with swagger specifications. See earlier examples.

[4] Still wondering if we should combine public_read_list with accessible + unredact_list for the public interface. Note that what we do now is safer, since we might still null some fields (theoretically). But the result is harder to grasp.

[5] Some unit tests are not at the highest tidy level. Given the history and complexity, I gladly ignore that here.

WARN t/db_dependent/Koha/REST/Plugin/Objects.t
   WARN tidiness
     The file is less tidy than before (bad/messy lines before: 295, now: 303)
WARN t/db_dependent/api/v1/acquisitions_baskets.t
   WARN tidiness
     The file is less tidy than before (bad/messy lines before: 10, now: 14)
WARN t/db_dependent/api/v1/acquisitions_funds.t
   WARN tidiness
     The file is less tidy than before (bad/messy lines before: 35, now: 45)
WARN t/db_dependent/api/v1/patrons.t
   WARN tidiness
     The file is less tidy than before (bad/messy lines before: 258, now: 263)

--- Comment #189 from Marcel de Rooy ---
Changing status after adding a QA comment. Hang on

--- Comment #188 from Marcel de Rooy ---
Created attachment 157893 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157893&action=edit
Bug 29523: (follow-up) Adding documentation to swagger.yaml

Signed-off-by: Martin Renvoize
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157799 is obsolete: 0 -> 1

--- Comment #187 from Marcel de Rooy ---
Created attachment 157892 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157892&action=edit
Bug 29523: (follow-up) Comprehensive tests for redaction

Signed-off-by: Martin Renvoize
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157416 is obsolete: 0 -> 1

--- Comment #186 from Marcel de Rooy ---
Created attachment 157891 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157891&action=edit
Bug 29523: Add redaction for inaccessible objects

This patch switches from removing inaccessible items from the responses to instead redacting fields in inaccessible responses. This allows for embed traversal and keeps counts etc correct but also hides the data we want to hide.

We add support for an 'unredact_list' method at the Koha::* class level allowing for individual classes to specify which fields they wish to expose to restricted users regardless of their restriction.

It is to be used in combination with the is_accessible method introduced earlier in this patchset which is used to denote whether the current user should be allowed to see the full record or only a subset of it as defined in the unredacted_list.

We undefine any fields not listed in the unredact_list for the API response. This has the effect of still returning the full object of keys, but setting most fields to a JSON null.

Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157415 is obsolete: 0 -> 1

--- Comment #185 from Marcel de Rooy ---
Created attachment 157890 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157890&action=edit
Bug 29523: Remove no longer required methods

Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157414 is obsolete: 0 -> 1

--- Comment #184 from Marcel de Rooy ---
Created attachment 157889 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157889&action=edit
Bug 29523: Remove the FIXME

This patch works through the unit tests and existing code to allow removal of the FIXME I introduced earlier in the patchset.

We now require the `user` parameter be passed to `is_accessible` which in turn makes `user` a required parameter for `to_api` in the `Koha::Patron` case.

Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157413 is obsolete: 0 -> 1

--- Comment #183 from Marcel de Rooy ---
Created attachment 157888 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157888&action=edit
Bug 29523: Cache the restricted branches list

This patch introduces a very localised cache of the restricted branches list in the logged in patron object.

Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157412 is obsolete: 0 -> 1

--- Comment #182 from Marcel de Rooy ---
Created attachment 157887 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157887&action=edit
Bug 29523: Pass the logged user around and use for validating

In this patch I add 'user', containing the Koha::Patron object for the logged in user in the params hash we pass around in to_api. I then use that in a new 'is_accessible' method added to Koha::Patron.

The new method is really the equivalent of 'search_limited' in the plural class and could perhaps be renamed 'is_limited' or something clearer for the singular form 'is_filtered' or 'filter_for_api' or something?

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157411 is obsolete: 0 -> 1

--- Comment #181 from Marcel de Rooy ---
Created attachment 157886 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157886&action=edit
Bug 29523: (QA follow-up) Fix failing test in club holds

With this patch series, all singular objects need to 'use' their plural counterparts.. otherwise the parent can't find search_related.

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157410 is obsolete: 0 -> 1

--- Comment #180 from Marcel de Rooy ---
Created attachment 157885 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157885&action=edit
Bug 29523: (QA follow-up) Catch remaining SUPER::to_api cases

Koha::Object->to_api can now return undefined.. we should be catching those cases in all post manipulation cases.

Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157409 is obsolete: 0 -> 1

--- Comment #179 from Marcel de Rooy ---
Created attachment 157884 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157884&action=edit
Bug 29523: Make Koha::Object->to_api respect accessibility

This patch makes the *to_api* method honour the accessibility check for the object. This is relevant in the context of embedding single objects.

The Koha::Patron->to_api method is adjusted to reflect this behavior as well (it does some manipulation after the ->to_api call and we need to prevent it).

To test:
1. Apply up to the regression tests
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/Object.t
=> FAIL: A patron, that shouldn't be accessed, is returned by ->to_api
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
6. Pick Henry Acevedo from the sample data, assign him 'catalogue' permissions and a known user/password combination
7. Enable basic authentication
8. Point your favourite tool (Postman?) to
   GET http://kohadev-intra.myDNSname.org:8081/api/v1/biblio/245/checkouts
   Set the following header: x-koha-embed: patron
   Pick whatever biblio you want, actually.
=> SUCCESS: No checkouts
9. Perform a couple checkouts on the chosen biblio. Make sure one checkout is for a patron on the same library as Henry, and the other on a different one.
10. Repeat 8
=> SUCCESS: You see two checkouts. One of them has an attribute 'patron' containing the patron from Henry's library. The other has the attribute set to 'null'.
11. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157408 is obsolete: 0 -> 1

--- Comment #178 from Marcel de Rooy ---
Created attachment 157883 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157883&action=edit
Bug 29523: Regression tests

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157407 is obsolete: 0 -> 1

--- Comment #177 from Marcel de Rooy ---
Created attachment 157882 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157882&action=edit
Bug 29523: Add Koha::Object->accessible

This patch introduces a method for checking if an object can be retrieved by the current user. It depends on the plural class implementation of the ->search_limited method.

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/Object.t
=> SUCCESS: Tests pass!
3. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

Marcel de Rooy changed:
  Attachment #157406 is obsolete: 0 -> 1

--- Comment #176 from Marcel de Rooy ---
Created attachment 157881 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157881&action=edit
Bug 29523: Add Koha::Objects->search_limited stub method

This method is just a passthru to the search method. It is defined here to avoid the need to check if each class implements it.

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart
Signed-off-by: Marcel de Rooy

--- Comment #175 from Marcel de Rooy ---
(In reply to Marcel de Rooy from comment #174)
> Short description of my problem with embeds now:
>
> /api/v1/biblios/1/checkouts with x-koha-embed==patron
> Get complete patron 1
> For this same staff user
> /api/v1/patrons/1 gives a 403
> Since he has not edit_borrowers

This comment is wrong!

--- Comment #174 from Marcel de Rooy ---
Short description of my problem with embeds now:

/api/v1/biblios/1/checkouts with x-koha-embed==patron
Get complete patron 1
For this same staff user
/api/v1/patrons/1 gives a 403
Since he has not edit_borrowers

--- Comment #173 from Marcel de Rooy ---
Will continue tomorrow morning here

Martin Renvoize changed:
  Attachment #157683 is obsolete: 0 -> 1

--- Comment #172 from Martin Renvoize ---
Created attachment 157799 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157799&action=edit
Bug 29523: (follow-up) Comprehensive tests for redaction

Signed-off-by: Martin Renvoize

--- Comment #171 from Martin Renvoize ---
Yeah.. I wasn't sure if this should be embed only or not in the end.. as highlighted by my comment above

> I believe we still return a 404 should they try to retrieve such a borrower
> directly however..?

--- Comment #170 from Martin Renvoize ---
Hmmm.. I hadn't really tested public and accessible together.

The real use case for the accessible stuff here is staff side where a staff user can expect the same overall representation for all objects that exist but they may not have the right to see all the data.

Whereas 'public' is about third party facing APIs where they will never see some of the fields at all so the object representation is actually different.

'Public' removes fields outright.. and really should have its own schemas.
'Accessible' redacts the values of fields, but leaves the keys present so the object itself is a consistent representation.

No.. for your errors in particular. 'Expected string - got null' - If this were a staff side request I'd say that highlights an issue in our schema.. with this patch, the majority of fields should actually be 'type or null' in the schemas.

For the public side, I'm less sure.

--- Comment #169 from Marcel de Rooy ---
[14:14] marcelr, ashimema: maybe "unredacted" should only be use for "embed"

--- Comment #168 from Marcel de Rooy ---
Waiting for feedback now.

--- Comment #167 from Marcel de Rooy ---
Thinking about it: The whole thing is that we create some sort of redundancy. If we do not really check if the swagger spec allows a null or a missing column, we can get very easily in trouble like the above.

--- Comment #166 from Marcel de Rooy ---
And note that when I change is_accessible to 1, the api responds :)
But I do not get my branchcountry. It is not on public list, but it is in the unredact_list. Is this really intuitive?

--- Comment #165 from Marcel de Rooy ---
Just hacking Koha::Library a bit to test things:

API crashes with 500:
[2023/10/24 11:46:55] [WARN] OpenAPI >>> GET api/v1/public/libraries [{"message":"Expected string - got null.","path":"\/body\/0\/name"},{"message":"Expected string - got null.","path":"\/body\/1\/name"},{"message":"Expected string - got null.","path":"\/body\/10\/name"},{"message":"Expected string - got null.","path":"\/body\/11\/name"},{"message":"Expected string - got null.","path":"\/body\/12\/name"},{"message":"Expected string - got null.","path":"\/body\/2\/name"},{"message":"Expected string - got null.","path":"\/body\/3\/name"},{"message":"Expected string - got null.","path":"\/body\/4\/name"},{"message":"Expected string - got null.","path":"\/body\/5\/name"},{"message":"Expected string - got null.","path":"\/body\/6\/name"},{"message":"Expected string - got null.","path":"\/body\/7\/name"},{"message":"Expected string - got null.","path":"\/body\/8\/name"},{"message":"Expected string - got null.","path":"\/body\/9\/name"}]

What did I do?

1) public_read_list (Remove country)
-'branchcity', 'branchstate','branchcountry',
+'branchcity', 'branchstate',

2) Add a not accessible condition:
+sub is_accessible { return 0; }

3) Add two fields on unredact_list
+sub unredact_list { return [ 'branchcode', 'branchcountry' ]; }

Please explain to me why the API crashes? I would expect a record where I can see the two unredacted fields on anonymous access via public.
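The redaction design from comment #186 (keys kept, values nulled unless listed in unredact_list), the public/accessible distinction from comment #170 and the "Expected string - got null" failure in comment #165 above, modelled together as an added example in Python; this is not Koha code, and the class lists, user hashes, sample records and schema are constructed stand-ins, with only the behaviour following the thread.

```python
from typing import Any, Dict, Optional

Record = Dict[str, Any]


class PatronClass:
    # Hypothetical stand-in for Koha::Patron's class-level lists.
    public_read_list = ["patron_id", "firstname", "surname"]
    unredact_list = ["patron_id", "library_id"]

    @staticmethod
    def is_accessible(record: Record, user: Record) -> bool:
        # Comment #163: other libraries' patrons are visible only with the
        # any-libraries permission (library groups are not modelled here).
        if "view_borrower_infos_from_any_libraries" in user["permissions"]:
            return True
        return record["library_id"] == user["library_id"]


class CheckoutClass:
    # Checkouts themselves are not restricted in this model.
    public_read_list = ["checkout_id", "patron_id"]
    unredact_list: list = []

    @staticmethod
    def is_accessible(record: Record, user: Record) -> bool:
        return True


class LibraryClass:
    # Stand-in for the hacked Koha::Library of comment #165.
    public_read_list = ["library_id", "name", "city"]  # 'country' removed
    unredact_list = ["library_id", "country"]

    @staticmethod
    def is_accessible(record: Record, user: Record) -> bool:
        return False  # "sub is_accessible { return 0; }"


def to_api(record: Record, cls, user: Record, public: bool = False,
           embed: Optional[dict] = None) -> Record:
    """Public filter first, then redaction, then embeds (same user)."""
    out = dict(record)
    if public:
        # Public removes keys outright; a field in unredact_list but not in
        # public_read_list never appears here (comment #166's branchcountry).
        out = {k: v for k, v in out.items() if k in cls.public_read_list}
    if not cls.is_accessible(record, user):
        # Keys stay, values become JSON null (comments #186 and #170).
        out = {k: (v if k in cls.unredact_list else None) for k, v in out.items()}
    # An inaccessible embedded object is redacted, not dropped, so counts
    # and the shape of the parent response stay correct.
    for name, (child, child_cls) in (embed or {}).items():
        out[name] = to_api(child, child_cls, user, public=public)
    return out


def validate_body(body: list, schema: dict) -> list:
    """Minimal stand-in for the OpenAPI response check: each present field
    must have one of the JSON types the schema lists (errors shaped like
    the log line in comment #165)."""
    json_type = {str: "string", int: "integer", bool: "boolean",
                 type(None): "null"}
    errors = []
    for i, item in enumerate(body):
        for field, allowed in schema.items():
            if field not in item:
                continue  # a removed key is not a type error
            got = json_type[type(item[field])]
            if got not in allowed:
                errors.append({"message": f"Expected {allowed[0]} - got {got}.",
                               "path": f"/body/{i}/{field}"})
    return errors


# Constructed sample data (only Henry's name comes from the thread).
HENRY = {"patron_id": 1, "library_id": "CPL", "permissions": ["catalogue"]}
ANON = {"patron_id": None, "library_id": None, "permissions": []}
PATRONS = {
    2: {"patron_id": 2, "library_id": "CPL", "firstname": "Ada",
        "surname": "Byron", "email": "ada@example.org"},
    3: {"patron_id": 3, "library_id": "MPL", "firstname": "Grace",
        "surname": "Hopper", "email": "grace@example.org"},
}
CHECKOUTS = [{"checkout_id": 10, "patron_id": 2},
             {"checkout_id": 11, "patron_id": 3}]
LIBRARIES = [{"library_id": "CPL", "name": "Centerville", "city": "C",
              "country": "US"}]
# Swagger as it was: name is a plain string, so a redacted null is rejected.
STRICT_SCHEMA = {"library_id": ["string"], "name": ["string"],
                 "city": ["string", "null"], "country": ["string"]}


def checkouts_with_embedded_patron(user: Record) -> list:
    """GET .../checkouts with x-koha-embed: patron, as seen by `user`."""
    return [to_api(c, CheckoutClass, user,
                   embed={"patron": (PATRONS[c["patron_id"]], PatronClass)})
            for c in CHECKOUTS]


def public_libraries(schema: dict):
    """GET /api/v1/public/libraries as anonymous: (body, validation errors)."""
    body = [to_api(lib, LibraryClass, ANON, public=True) for lib in LIBRARIES]
    return body, validate_body(body, schema)
```

Running `public_libraries` with a schema that declares every field as `["string", "null"]` returns no errors, which is the "type or null" change comment #170 suggests.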
--- Comment #164 from Marcel de Rooy ---
Resuming here

--- Comment #163 from Martin Renvoize ---
Regarding permissions.. So long as your user does not have the 'view_borrower_infos_from_any_libraries' permission and they're not in a library group with other libraries and permission to view users within the group.. said user should receive a redacted copy of any user who resides in another library than their own when fetching them from the API via a search or an embed. (I believe we still return a 404 should they try to retrieve such a borrower directly however..?)

So.. in short.. create a user (patron A) in one library with the catalogue permission only. Create some other patrons in other libraries. Test the API using patron A for login and confirm that your other patrons are returned in a redacted form (with most fields set to 'null' in the json response).

Martin Renvoize changed:
  Attachment #157679 is obsolete: 0 -> 1

--- Comment #162 from Martin Renvoize ---
Created attachment 157683
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157683&action=edit
Bug 29523: (follow-up) Comprehensive tests for redaction

Signed-off-by: Martin Renvoize

Martin Renvoize changed:
  Attachment #157673 is obsolete: 0 -> 1

--- Comment #161 from Martin Renvoize ---
Created attachment 157679
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157679&action=edit
Bug 29523: (follow-up) Comprehensive tests for redaction

Signed-off-by: Martin Renvoize

--- Comment #160 from Martin Renvoize ---
Created attachment 157673
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157673&action=edit
Bug 29523: (follow-up) Comprehensive tests for redaction

--- Comment #159 from Jonathan Druart ---
> Do you have a real life example to test on the REST API. Which endpoint,
> which embed. Which permissions? Etc?

Bug 33568

--- Comment #158 from Marcel de Rooy ---
Okay, this looks very good to me in general. But I am not yet convinced about the last patch with just these test lines:

-is( ref($patron_1->to_api({ user => $patron })), 'HASH', 'Returns the object hash' );
-is( $patron_2->to_api({ user => $patron }), undef, 'Not accessible, returns undef' );
+is(
+$patron_1->to_api( { user => $patron } )->{firstname}, $patron_1->firstname,
+'Returns unredacted object hash'
+);
+is( $patron_2->to_api( { user => $patron } )->{firstname}, undef, 'Returns redacted object hash' );

This is all or nothing. But I would like to see the clear difference where a patron can see some columns because of unredact and when he is not. Since patron->unredact_list now only contains branchcode, please show that? You could mock unredact_list and show more? Please still extend this unit test a little bit.

Do you have a real life example to test on the REST API. Which endpoint, which embed. Which permissions? Etc?

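Review bot: the replacement assertions only pin the two extremes, `$patron_1` with `firstname` intact and `$patron_2` with `firstname` undef; nothing checks that a field on `unredact_list` survives for the redacted patron, so a `to_api` that blanked every field, allow-listed ones included, would still pass. Next to the `$patron_2` line, add an assertion that the redacted hash still carries the API name of `branchcode` (the one entry currently on the list) equal to `$patron_2->branchcode`. Also, since the old `is( ref(...), 'HASH', ... )` check was dropped, keep an explicit `ref` assertion on the redacted result: if `to_api` ever returns undef again, `->{firstname}` on it dies with "Can't use an undefined value as a HASH reference" under strict instead of reporting a clean test failure.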
--- Comment #157 from Marcel de Rooy ---
Will come back here next week to resume. Still want to test some things.

--- Comment #156 from Marcel de Rooy ---
(In reply to Martin Renvoize from comment #154)
> Basically we need a fresh Koha::Patron object so that we flush the object
> level micro cache that was introduced in the patch (the micro cache was
> introduced to improve performance when this is called in a large loop, for
> example an embed call with many related objects being returned). I don't
> think we can do a simple discard_changes as that only flushes the dbic level
> result cache and not the localised object caching we employ here.

Clear.

> It's a good question.. I ran the full api test suite and ripgrepped for
> to_api manually too. Not sure there's an easy way to automate further.
> What we really need is for anywhere patron can be embedded in the API
> schema, for there to be a corresponding api unit test.. I think when I last
> checked that was a pretty solid assumption.. but that may have changed since.

Looking at for instance (Koha/REST/Plugin/Objects.pm):

    $app->helper(
        'objects.find' => sub {
            my ( $c, $result_set, $id ) = @_;
            my $object = $c->objects->find_rs( $result_set, $id );
            return unless $object;
            return $c->objects->to_api($object);
        }
    );

So what if the object is a patron?

--- Comment #155 from Marcel de Rooy ---
(In reply to Martin Renvoize from comment #154)
> I'm open to a name change.. initially I thought 'unredact' felt silly too
> when Jonathan first introduced it.. but I came to the conclusion it made
> sense.. we now encourage 'allow lists' rather than 'deny lists' to default
> to secure. So it's literally a list of those fields we don't want to redact
> rather than having to list the ones we do.

Won't ask for a new name here. Just looked it up. It is something like uncensored.

--- Comment #154 from Martin Renvoize ---
(In reply to Marcel de Rooy from comment #152)
> Just a few dumb questions:
>
> Name unredact_list Where does this name originate from ?

I'm open to a name change.. initially I thought 'unredact' felt silly too when Jonathan first introduced it.. but I came to the conclusion it made sense.. we now encourage 'allow lists' rather than 'deny lists' to default to secure. So it's literally a list of those fields we don't want to redact rather than having to list the ones we do.

> +$patron_11_1 = Koha::Patrons->find( $patron_11_1->borrowernumber );
> Added a few times. This seems not needed? Why do you add it?

Basically we need a fresh Koha::Patron object so that we flush the object level micro cache that was introduced in the patch (the micro cache was introduced to improve performance when this is called in a large loop, for example an embed call with many related objects being returned). I don't think we can do a simple discard_changes as that only flushes the dbic level result cache and not the localised object caching we employ here.

> t/db_dependent/Koha/REST/Plugin/Objects.t
> - $builder->build_object( { class => 'Koha::Patrons', value => { flags => 1 } } );
> + $builder->build_object( { class => 'Koha::Patrons', value => { flags => 0 } } );
> => If I set the user to no permissions, the test still PASSes. Can you point
> me to an example in the tests where we can actually see the difference, i.e.
> where flags makes a difference?

Good question.. I'll have to have a dig on that one.. it's long enough ago in my memory that I'm struggling to remember the test logic in this case.

> How do we make sure that we did not forget some calls of patron->to_api with
> user parameter ?

It's a good question.. I ran the full api test suite and ripgrepped for to_api manually too. Not sure there's an easy way to automate further.

What we really need is for anywhere patron can be embedded in the API schema, for there to be a corresponding api unit test.. I think when I last checked that was a pretty solid assumption.. but that may have changed since.

--- Comment #153 from Marcel de Rooy ---
(In reply to Marcel de Rooy from comment #152)
> t/db_dependent/Koha/REST/Plugin/Objects.t
> - $builder->build_object( { class => 'Koha::Patrons', value => { flags => 1 } } );
> + $builder->build_object( { class => 'Koha::Patrons', value => { flags => 0 } } );

This is around here:

@@ -425,7 +425,7 @@ subtest 'objects.search helper with query parameter' => sub {

--- Comment #152 from Marcel de Rooy ---
Just a few dumb questions:

Name unredact_list
Where does this name originate from?

+$patron_11_1 = Koha::Patrons->find( $patron_11_1->borrowernumber );
Added a few times. This seems not needed? Why do you add it?

t/db_dependent/Koha/REST/Plugin/Objects.t
- $builder->build_object( { class => 'Koha::Patrons', value => { flags => 1 } } );
+ $builder->build_object( { class => 'Koha::Patrons', value => { flags => 0 } } );
=> If I set the user to no permissions, the test still PASSes. Can you point me to an example in the tests where we can actually see the difference, i.e. where flags makes a difference?

How do we make sure that we did not forget some calls of patron->to_api with user parameter?

Marcel de Rooy changed:
  Status: Signed Off -> BLOCKED

--- Comment #151 from Marcel de Rooy ---
QA: Looking here now

--- Comment #150 from Marcel de Rooy ---
(In reply to Jonathan Druart from comment #149)
> I have rebased bug 33568 on top of this last iteration and everything is
> working as expected. Thanks!
>
> I am adding my signoff, but letting Marcel add his final QA stamp (more
> eyes the better on this one).

Willing to look at this tomorrow.

--- Comment #149 from Jonathan Druart ---
I have rebased bug 33568 on top of this last iteration and everything is working as expected. Thanks!

I am adding my signoff, but letting Marcel add his final QA stamp (more eyes the better on this one).

--- Comment #148 from Jonathan Druart ---
Created attachment 157416
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157416&action=edit
Bug 29523: Add redaction for inaccessible objects

This patch switches from removing inaccessible items from the responses to instead redacting fields in inaccessible responses. This allows for embed traversal and keeps counts etc correct but also hides the data we want to hide.

We add support for an 'unredact_list' method at the Koha::* class level allowing for individual classes to specify which fields they wish to expose to restricted users regardless of their restriction. It is to be used in combination with the is_accessible method introduced earlier in this patchset which is used to denote whether the current user should be allowed to see the full record or only a subset of it as defined in the unredact_list.

We undefine any fields not listed in the unredact_list for the API response. This has the effect of still returning the full object of keys, but setting most fields to a JSON null.

Signed-off-by: Jonathan Druart

--- Comment #147 from Jonathan Druart ---
Created attachment 157415
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157415&action=edit
Bug 29523: Remove no longer required methods

Signed-off-by: Jonathan Druart

--- Comment #146 from Jonathan Druart ---
Created attachment 157414
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157414&action=edit
Bug 29523: Remove the FIXME

This patch works through the unit tests and existing code to allow removal of the FIXME I introduced earlier in the patchset.

We now require the `user` parameter be passed to `is_accessible` which in turn makes `user` a required parameter for `to_api` in the `Koha::Patron` case.

Signed-off-by: Jonathan Druart

--- Comment #145 from Jonathan Druart ---
Created attachment 157413
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157413&action=edit
Bug 29523: Cache the restricted branches list

This patch introduces a very localised cache of the restricted branches list in the logged in patron object.

Signed-off-by: Jonathan Druart

--- Comment #144 from Jonathan Druart ---
Created attachment 157412
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157412&action=edit
Bug 29523: Pass the logged user around and use for validating

In this patch I add 'user', containing the Koha::Patron object for the logged in user in the params hash we pass around in to_api. I then use that in a new 'is_accessible' method added to Koha::Patron.

The new method is really the equivalent of 'search_limited' in the plural class and could perhaps be renamed 'is_limited' or something clearer for the singular form 'is_filtered' or 'filter_for_api' or something?

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart

--- Comment #143 from Jonathan Druart ---
Created attachment 157411
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157411&action=edit
Bug 29523: (QA follow-up) Fix failing test in club holds

With this patch series, all singular objects need to 'use' their plural counterparts.. otherwise the parent can't find search_related.

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart

--- Comment #142 from Jonathan Druart ---
Created attachment 157410
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157410&action=edit
Bug 29523: (QA follow-up) Catch remaining SUPER::to_api cases

Koha::Object->to_api can now return undefined.. we should be catching those cases in all post manipulation cases.

Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart

--- Comment #141 from Jonathan Druart ---
Created attachment 157409
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157409&action=edit
Bug 29523: Make Koha::Object->to_api respect accessibility

This patch makes the *to_api* method honour the accessibility check for the object. This is relevant in the context of embedding single objects.

The Koha::Patron->to_api method is adjusted to reflect this behavior as well (it does some manipulation after the ->to_api call and we need to prevent it).

To test:
1. Apply up to the regression tests
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/Object.t
=> FAIL: A patron, that shouldn't be accessed, is returned by ->to_api
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
6. Pick Henry Acevedo from the sample data, assign him 'catalogue' permissions and a known user/password combination
7. Enable basic authentication
8. Point your favourite tool (Postman?) to
   GET http://kohadev-intra.myDNSname.org:8081/api/v1/biblio/245/checkouts
   Set the following header:
   x-koha-embed: patron
   Pick whatever biblio you want, actually.
=> SUCCESS: No checkouts
9. Perform a couple checkouts on the chosen biblio. Make sure one checkout is for a patron on the same library as Henry, and the other on a different one.
10. Repeat 8
=> SUCCESS: You see two checkouts. One of them has an attribute 'patron' containing the patron from Henry's library. The other has the attribute set to 'null'.
11. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart

--- Comment #140 from Jonathan Druart ---
Created attachment 157408
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157408&action=edit
Bug 29523: Regression tests

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart

--- Comment #139 from Jonathan Druart ---
Created attachment 157407
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157407&action=edit
Bug 29523: Add Koha::Object->accessible

This patch introduces a method for checking if an object can be retrieved by the current user. It depends on the plural class implementation of the ->search_limited method.

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/Object.t
=> SUCCESS: Tests pass!
3. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart

Jonathan Druart changed:
  Attachment #157071 is obsolete: 0 -> 1
  Attachment #157072 is obsolete: 0 -> 1
  Attachment #157073 is obsolete: 0 -> 1
  Attachment #157074 is obsolete: 0 -> 1
  Attachment #157075 is obsolete: 0 -> 1
  Attachment #157076 is obsolete: 0 -> 1
  Attachment #157077 is obsolete: 0 -> 1
  Attachment #157078 is obsolete: 0 -> 1
  Attachment #157079 is obsolete: 0 -> 1
  Attachment #157080 is obsolete: 0 -> 1
  Attachment #157081 is obsolete: 0 -> 1

--- Comment #138 from Jonathan Druart ---
Created attachment 157406
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157406&action=edit
Bug 29523: Add Koha::Objects->search_limited stub method

This method is just a passthru to the search method. It is defined here to avoid the need to check if each class implements it.

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Jonathan Druart

Martin Renvoize changed:
  Status: In Discussion -> Signed Off

--- Comment #137 from Martin Renvoize ---
Rebased and squashed some bits.. tidied the PM's to get the QA scripts happy and ran the test suite. There's still some QA issues around tidiness of tests though.

I think this is a good resolution at this point.. we could squash some more, but I wasn't sure whether to leave the patches for visibility of thought process and effort that's gone into this by all the various parties.

Martin Renvoize changed:
  Attachment #157049 is obsolete: 0 -> 1

Martin Renvoize changed:
  Attachment #156949 is obsolete: 0 -> 1

--- Comment #136 from Martin Renvoize ---
Created attachment 157081
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157081&action=edit
Bug 29523: Add redaction for inaccessible objects

This patch switches from removing inaccessible items from the responses to instead redacting fields in inaccessible responses. This allows for embed traversal and keeps counts etc correct but also hides the data we want to hide.

We add support for an 'unredact_list' method at the Koha::* class level allowing for individual classes to specify which fields they wish to expose to restricted users regardless of their restriction. It is to be used in combination with the is_accessible method introduced earlier in this patchset which is used to denote whether the current user should be allowed to see the full record or only a subset of it as defined in the unredact_list.

We undefine any fields not listed in the unredact_list for the API response. This has the effect of still returning the full object of keys, but setting most fields to a JSON null.

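To make the redaction scheme in this commit message concrete (and the access rule Martin Renvoize summarises in comment #163, and the spec-validation failure Marcel de Rooy runs into in comment #165), here is a small self-contained Perl script. It is an added example written for this page, not Koha's own Koha::Object or Koha::Patron code: the hashref stand-ins for patron rows, the `flags` representation of the permission, `library_id` as the API name of `branchcode`, and the `required_fields_missing` helper with its required-field list are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example for Bug 29523 (not Koha's own code): redact an object for the
# API response instead of dropping it. Fields outside unredact_list are set to
# undef, which JSON encodes as null, so the client still sees the full key set.
use strict;
use warnings;
use JSON::PP;

# Constructed stand-ins for Koha::Patron rows (plain hashrefs, not DBIC objects).
my @patrons = (
    { borrowernumber => 2, branchcode => 'CPL', firstname => 'Ann', surname => 'Local' },
    { borrowernumber => 3, branchcode => 'MPL', firstname => 'Bob', surname => 'Elsewhere' },
);

# The requesting user. The 'flags' hash is a hypothetical representation of the
# permission named in comment #163, not Koha's real flags bitmask.
my $requesting_user = {
    borrowernumber => 1,
    branchcode     => 'CPL',
    flags          => { view_borrower_infos_from_any_libraries => 0 },
};

# Accessibility rule from comment #163: same library, or the "any libraries"
# permission. The library-group case mentioned there is left out of this example.
sub is_accessible {
    my ( $patron, $user ) = @_;
    die "user parameter is mandatory" unless $user;    # required since the FIXME removal
    return 1 if $user->{flags}{view_borrower_infos_from_any_libraries};
    return $patron->{branchcode} eq $user->{branchcode} ? 1 : 0;
}

# Allow list of API field names that survive redaction. Per the thread the real
# Koha::Patron list holds only branchcode; 'library_id' as its API name is an
# assumption for this example.
sub unredact_list { return ['library_id'] }

# to_api stand-in: map DB column names to API names, then redact if needed.
sub to_api {
    my ( $patron, $user ) = @_;
    my %api = (
        patron_id  => $patron->{borrowernumber},
        firstname  => $patron->{firstname},
        surname    => $patron->{surname},
        library_id => $patron->{branchcode},
    );
    return \%api if is_accessible( $patron, $user );

    my %keep = map { $_ => 1 } @{ unredact_list() };
    # Keep every key, blank every value that is not on the allow list.
    $api{$_} = undef for grep { !$keep{$_} } keys %api;
    return \%api;
}

# Comment #165 shows what happens when a redacted field is one the OpenAPI
# definition declares as a non-nullable string: validation fails with
# "Expected string - got null" and the request ends in a 500. This helper
# flags that mismatch before a response goes out. The required-field list
# passed below is constructed for the example, not taken from Koha's spec.
sub required_fields_missing {
    my ( $api_hash, $required ) = @_;
    return [ grep { !defined $api_hash->{$_} } @$required ];
}

my $json = JSON::PP->new->canonical->pretty;
for my $p (@patrons) {
    my $out = to_api( $p, $requesting_user );
    print $json->encode($out);
    my $missing = required_fields_missing( $out, [ 'patron_id', 'library_id' ] );
    print "would fail spec validation: @$missing\n" if @$missing;
}
```

Run as-is, Ann (same library as the requesting user) is returned in full, while Bob comes back with every key present but only `library_id` non-null. The last loop then reports `patron_id` as a field the constructed spec requires but the redaction blanked, which is the same class of mismatch as the null `name` in comment #165: the allow list and the endpoint definition have to be kept in step, either by adding the spec-required field to `unredact_list` or by making it nullable in the definition.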
Martin Renvoize changed:
  Attachment #156948 is obsolete: 0 -> 1

--- Comment #135 from Martin Renvoize ---
Created attachment 157080
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157080&action=edit
Bug 29523: Remove no longer required methods

Martin Renvoize changed: Attachment #156947 is obsolete: 0 -> 1

--- Comment #134 from Martin Renvoize ---
Created attachment 157079
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157079&action=edit
Bug 29523: Remove the FIXME

This patch works through the unit tests and existing code to allow removal of the FIXME I introduced earlier in the patchset.

We now require the `user` parameter be passed to `is_accessible` which in turn makes `user` a required parameter for `to_api` in the `Koha::Patron` case.

Martin Renvoize changed: Attachment #156946 is obsolete: 0 -> 1

--- Comment #133 from Martin Renvoize ---
Created attachment 157078
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157078&action=edit
Bug 29523: Cache the restricted branches list

This patch introduces a very localised cache of the restricted branches list in the logged in patron object.

Martin Renvoize changed: Attachment #156945 is obsolete: 0 -> 1

--- Comment #132 from Martin Renvoize ---
Created attachment 157077
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157077&action=edit
Bug 29523: Pass the logged user around and use for validating

In this patch I add 'user', containing the Koha::Patron object for the logged in user in the params hash we pass around in to_api. I then use that in a new 'is_accessible' method added to Koha::Patron.

The new method is really the equivalent of 'search_limited' in the plural class and could perhaps be renamed 'is_limited' or something clearer for the singular form 'is_filtered' or 'filter_for_api' or something?

Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #156944 is obsolete: 0 -> 1

--- Comment #131 from Martin Renvoize ---
Created attachment 157076
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157076&action=edit
Bug 29523: (QA follow-up) Fix failing test in club holds

With this patch series, all singular objects need to 'use' their plural counterparts.. otherwise the parent can't find search_related.

Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #156943 is obsolete: 0 -> 1

--- Comment #130 from Martin Renvoize ---
Created attachment 157075
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157075&action=edit
Bug 29523: (QA follow-up) Catch remaining SUPER::to_api cases

Koha::Object->to_api can now return undefined.. we should be catching those cases in all post manipulation cases.

Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #156942 is obsolete: 0 -> 1

--- Comment #129 from Martin Renvoize ---
Created attachment 157074
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157074&action=edit
Bug 29523: Make Koha::Object->to_api respect accessibility

This patch makes the *to_api* method honour the accessibility check for the object. This is relevant in the context of embedding single objects.

The Koha::Patron->to_api method is adjusted to reflect this behavior as well (it does some manipulation after the ->to_api call and we need to prevent it).

To test:
1. Apply up to the regression tests
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/Object.t
=> FAIL: A patron, that shouldn't be accessed, is returned by ->to_api
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
6. Pick Henry Acevedo from the sample data, assign him 'catalogue' permissions and a known user/password combination
7. Enable basic authentication
8. Point your favourite tool (Postman?) to
   GET http://kohadev-intra.myDNSname.org:8081/api/v1/biblio/245/checkouts
   Set the following header:
   x-koha-embed: patron
   Pick whatever biblio you want, actually.
=> SUCCESS: No checkouts
9. Perform a couple checkouts on the chosen biblio. Make sure one checkout is for a patron on the same library as Henry, and the other on a different one.
10. Repeat 8
=> SUCCESS: You see two checkouts. One of them has an attribute 'patron' containing the patron from Henry's library. The other, has the attribute set to 'null'.
11. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #156941 is obsolete: 0 -> 1

--- Comment #128 from Martin Renvoize ---
Created attachment 157073
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157073&action=edit
Bug 29523: Regression tests

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #156940 is obsolete: 0 -> 1

--- Comment #127 from Martin Renvoize ---
Created attachment 157072
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157072&action=edit
Bug 29523: Add Koha::Object->accessible

This patch introduces a method for checking if an object can be retrieved by the current user. It depends on the plural class implementation of the ->search_limited method.

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/Object.t
=> SUCCESS: Tests pass!
3. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #156939 is obsolete: 0 -> 1

--- Comment #126 from Martin Renvoize ---
Created attachment 157071
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157071&action=edit
Bug 29523: Add Koha::Objects->search_limited stub method

This method is just a passthru to the search method. It is defined here to avoid the need to check if each class implements it.

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi

--- Comment #125 from Martin Renvoize ---
Running tests and doing a little squashing here at the moment.. should be ready for a final QA run imminently.

Martin Renvoize changed: Attachment #156965 is obsolete: 0 -> 1

--- Comment #124 from Martin Renvoize ---
Created attachment 157049
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=157049&action=edit
Bug 29523: Add support for 'unredact_list'

This patch adds support for an 'unredact_list' method at the Koha::* class level allowing for individual classes to specify which fields they wish to expose to restricted users regardless of their restriction.

It is to be used in combination with the is_accessible method introduced earlier in this patchset which is used to denote whether the current user should be allowed to see the full record or only a subset of it as defined in the unredact_list.

We undefine any fields not listed in the unredact_list for the API response. This has the effect of still returning the full object of keys, but setting most fields to a JSON null.

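As an added example (not Koha's code and not one of the attachments in this thread), the Perl model below shows the redaction scheme described in comment #124 and, in its squashed form, in comment #136 above: a per-class unredact_list, a mandatory user parameter to to_api, and JSON null for every other field so that an embedded patron still traverses and counts stay correct. The Demo::* classes, the "same home library" accessibility rule and the sample patrons and checkouts are assumptions constructed for the illustration.

```perl
#!/usr/bin/perl
# Added illustration of the redaction scheme from this bug thread. This is
# not Koha code: the Demo::* classes, the "same home library" accessibility
# rule and the sample records are all constructed for this example.
use strict;
use warnings;
use JSON::PP;

package Demo::Object;    # hypothetical stand-in for Koha::Object

sub new {
    my ( $class, %data ) = @_;
    return bless { _data => {%data} }, $class;
}

sub get { my ( $self, $field ) = @_; return $self->{_data}{$field} }

# Default: the logged-in user may see the full record.
sub is_accessible { return 1 }

# Default: expose nothing to a restricted user.
sub unredact_list { return [] }

# Serialise for the API. The logged-in user is mandatory (the thread makes
# 'user' a required to_api parameter). When the user may not see the object,
# every field not in unredact_list is set to undef, which JSON::PP emits as
# null. The key set stays intact, so embedded objects and counts survive,
# and null is valid for any column type, unlike a string placeholder such
# as "#", which fails validation for dates, integers and booleans.
sub to_api {
    my ( $self, $params ) = @_;
    die "to_api: the 'user' parameter is required\n" unless $params->{user};

    my %json = %{ $self->{_data} };
    return \%json if $self->is_accessible( { user => $params->{user} } );

    my %keep = map { $_ => 1 } @{ $self->unredact_list };
    $json{$_} = undef for grep { !$keep{$_} } keys %json;
    return \%json;
}

package Demo::Patron;    # hypothetical stand-in for Koha::Patron
use parent -norequire, 'Demo::Object';

# Constructed rule standing in for Koha's search_limited-based check: a
# patron record is fully visible only to a user from the same library.
sub is_accessible {
    my ( $self, $params ) = @_;
    return $self->get('branchcode') eq $params->{user}->get('branchcode') ? 1 : 0;
}

# Only the home library survives redaction: enough to render
# "A user from Centerville" without exposing who the patron is.
sub unredact_list { return ['branchcode'] }

package Demo::Checkout;    # hypothetical stand-in for Koha::Checkout
use parent -norequire, 'Demo::Object';

sub new {
    my ( $class, %args ) = @_;
    my $patron = delete $args{patron};
    my $self   = $class->SUPER::new(%args);
    $self->{_patron} = $patron;
    return $self;
}

sub patron { return $_[0]->{_patron} }

# Embedding (x-koha-embed: patron): the nested patron is serialised with the
# same logged-in user, so the redaction decision is taken per embedded
# object while the checkout itself is always returned.
sub to_api {
    my ( $self, $params ) = @_;
    my $json  = $self->SUPER::to_api($params);
    my %embed = map { $_ => 1 } @{ $params->{embed} || [] };
    $json->{patron} = $self->patron->to_api($params) if $embed{patron};
    return $json;
}

package main;

# Constructed sample data: a CPL librarian and two checkouts, one by a CPL
# patron and one by an MPL patron.
my $librarian = Demo::Patron->new( borrowernumber => 1, branchcode => 'CPL', surname => 'Acevedo' );
my @checkouts = (
    Demo::Checkout->new(
        issue_id => 10, date_due => '2023-10-17',
        patron   => Demo::Patron->new( borrowernumber => 2, branchcode => 'CPL', surname => 'Smith' ),
    ),
    Demo::Checkout->new(
        issue_id => 11, date_due => '2023-10-17',
        patron   => Demo::Patron->new( borrowernumber => 3, branchcode => 'MPL', surname => 'Jones' ),
    ),
);

# Both checkouts are returned: the CPL patron in full, the MPL patron with
# every field null except branchcode.
my $json = JSON::PP->new->canonical->pretty;
print $json->encode( [ map { $_->to_api( { user => $librarian, embed => ['patron'] } ) } @checkouts ] );
```

The model deliberately leaves out the pitfall raised in comments #106 and #118: a subclass to_api that adds keys after the SUPER::to_api call (such as 'restricted') bypasses the redaction unless it checks is_accessible itself.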
--- Comment #123 from Jonathan Druart ---
(In reply to Jonathan Druart from comment #122)
> (In reply to Jonathan Druart from comment #121)
> > Almost "good enough for now" for me. However I am seeing "Checked out to
> > # # (#) #: due 10/17/2023" with the same patch I used
> > previously.
> > I don't think having a pattern # is a good idea.
>
> And "#" is not valid for dates, or integers, etc.

New version that is working for me on
https://gitlab.com/joubu/Koha/-/commit/b72d69e3e083167e3e3dcaf8c453cf15217b7193

Still not correct because of the above "" is not valid for booleans, integers, etc.

I am feeling a bit stuck.

--- Comment #122 from Jonathan Druart ---
(In reply to Jonathan Druart from comment #121)
> Almost "good enough for now" for me. However I am seeing "Checked out to
> # # (#) #: due 10/17/2023" with the same patch I used
> previously.
> I don't think having a pattern # is a good idea.

And "#" is not valid for dates, or integers, etc.

--- Comment #121 from Jonathan Druart ---
Almost "good enough for now" for me. However I am seeing "Checked out to # # (#) #: due 10/17/2023" with the same patch I used previously.

I don't think having a pattern # is a good idea.

--- Comment #120 from Martin Renvoize ---
Created attachment 156965
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156965&action=edit
Bug 29523: WIP - Add support for 'unredact_list'

This work in progress patch adds support for an 'unredact_list' method to be added at the Koha::* class level allowing for individual classes to specify which fields they wish to expose to restricted users regardless.

It drops the type handling as we move from TO_JSON to to_api.. I'm considering whether we should really be moving both public and redaction handling into TO_JSON as opposed to to_api... but it adds complication to the strings mapping

--- Comment #119 from Jonathan Druart ---
This patch does not answer the need I have on bug 33568. I need a redacted version of the object, not to hide all the fields.

The use case is: Display who has checked out the item to a librarian who does not have the permission to see the patron's info. In this case we want to display "A user from Centerville"

So the response should contain checkout.patron = { branchcode => "CPL" }

--- Comment #118 from Martin Renvoize ---
(In reply to Jonathan Druart from comment #106)
> > I have written a quick follow-up on top of bug_33568 (that is based on top
> > of this one):
> > https://gitlab.com/joubu/Koha/-/commit/75b8cd39135966d2ea1b8a48df9aec4a3254d0d5
> >
> > Would that work?
>
> One thing that is not really nice is that, in Koha::Patron::to_api we are
> now having a json_patron and so not early returning, and we get 'restricted'
> in the response whereas the unredacted version should not contain it. But
> that would mean another call to is_accessible.

I've rebased the patchset and used your follow-up for inspiration but written my own version. Instead of returning an empty hash I've bound the redaction inside our TO_JSON method and replace the column values with redaction replacements.. I'm not sure if this is better or worse.

Also.. as you've highlighted we'll need to deal with overloaded to_api methods somehow as they often add in data after an initial to_api call, and we can also remove the code that looks for undefined again if we go with either of these redaction techniques instead.

--- Comment #117 from Martin Renvoize ---
Created attachment 156949
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156949&action=edit
Bug 29523: Add redaction for inaccessible objects

This patch switches from removing inaccessible items from the responses to instead redacting all the core fields in inaccessible responses. This allows for embed traversal and keeps counts etc. correct but also hides the data we want to hide.

Martin Renvoize changed: Attachment #150998 is obsolete: 0 -> 1

--- Comment #116 from Martin Renvoize ---
Created attachment 156948
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156948&action=edit
Bug 29523: Remove no longer required methods

Martin Renvoize changed: Attachment #150997 is obsolete: 0 -> 1

--- Comment #115 from Martin Renvoize ---
Created attachment 156947
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156947&action=edit
Bug 29523: Remove the FIXME

This patch works through the unit tests and existing code to allow removal of the FIXME I introduced earlier in the patchset.

We now require the `user` parameter be passed to `is_accessible` which in turn makes `user` a required parameter for `to_api` in the `Koha::Patron` case.

Martin Renvoize changed: Attachment #150996 is obsolete: 0 -> 1

--- Comment #114 from Martin Renvoize ---
Created attachment 156946
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156946&action=edit
Bug 29523: Cache the restricted branches list

This patch introduces a very localised cache of the restricted branches list in the logged in patron object.

Martin Renvoize changed: Attachment #150995 is obsolete: 0 -> 1

--- Comment #113 from Martin Renvoize ---
Created attachment 156945
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156945&action=edit
Bug 29523: Pass the logged user around and use for validating

In this patch I add 'user', containing the Koha::Patron object for the logged in user in the params hash we pass around in to_api. I then use that in a new 'is_accessible' method added to Koha::Patron.

The new method is really the equivalent of 'search_limited' in the plural class and could perhaps be renamed 'is_limited' or something clearer for the singular form 'is_filtered' or 'filter_for_api' or something?

Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #150994 is obsolete: 0 -> 1

--- Comment #112 from Martin Renvoize ---
Created attachment 156944
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156944&action=edit
Bug 29523: (QA follow-up) Fix failing test in club holds

With this patch series, all singular objects need to 'use' their plural counterparts.. otherwise the parent can't find search_related.

Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #150993 is obsolete: 0 -> 1

--- Comment #111 from Martin Renvoize ---
Created attachment 156943
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156943&action=edit
Bug 29523: (QA follow-up) Catch remaining SUPER::to_api cases

Koha::Object->to_api can now return undefined.. we should be catching those cases in all post manipulation cases.

Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #150992 is obsolete: 0 -> 1

--- Comment #110 from Martin Renvoize ---
Created attachment 156942
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156942&action=edit
Bug 29523: Make Koha::Object->to_api respect accessibility

This patch makes the *to_api* method honour the accessibility check for the object. This is relevant in the context of embedding single objects.

The Koha::Patron->to_api method is adjusted to reflect this behavior as well (it does some manipulation after the ->to_api call and we need to prevent it).

To test:
1. Apply up to the regression tests
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/Object.t
=> FAIL: A patron, that shouldn't be accessed, is returned by ->to_api
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
6. Pick Henry Acevedo from the sample data, assign him 'catalogue' permissions and a known user/password combination
7. Enable basic authentication
8. Point your favourite tool (Postman?) to
   GET http://kohadev-intra.myDNSname.org:8081/api/v1/biblio/245/checkouts
   Set the following header:
   x-koha-embed: patron
   Pick whatever biblio you want, actually.
=> SUCCESS: No checkouts
9. Perform a couple checkouts on the chosen biblio. Make sure one checkout is for a patron on the same library as Henry, and the other on a different one.
10. Repeat 8
=> SUCCESS: You see two checkouts. One of them has an attribute 'patron' containing the patron from Henry's library. The other, has the attribute set to 'null'.
11. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #150991 is obsolete: 0 -> 1

--- Comment #109 from Martin Renvoize ---
Created attachment 156941
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156941&action=edit
Bug 29523: Regression tests

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #150990 is obsolete: 0 -> 1

--- Comment #108 from Martin Renvoize ---
Created attachment 156940
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156940&action=edit
Bug 29523: Add Koha::Object->accessible

This patch introduces a method for checking if an object can be retrieved by the current user. It depends on the plural class implementation of the ->search_limited method.

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/Object.t
=> SUCCESS: Tests pass!
3. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi

Martin Renvoize changed: Attachment #150989 is obsolete: 0 -> 1

--- Comment #107 from Martin Renvoize ---
Created attachment 156939
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=156939&action=edit
Bug 29523: Add Koha::Objects->search_limited stub method

This method is just a passthru to the search method. It is defined here to avoid the need to check if each class implements it.

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi

--- Comment #106 from Jonathan Druart ---
(In reply to Jonathan Druart from comment #105)
> (In reply to Martin Renvoize from comment #104)
> > I think I've mentioned it before.. but I think the solution likely lies in
> > redaction rather than outright removal of results.. I think we probably need
> > a way to identify what fields should be redacted for the redacted case at
> > each object level and then obviously a way to know when to call a redaction
> > function to clear out the fields for the API response.
>
> I have written a quick follow-up on top of bug_33568 (that is based on top
> of this one):
> https://gitlab.com/joubu/Koha/-/commit/75b8cd39135966d2ea1b8a48df9aec4a3254d0d5
>
> Would that work?

One thing that is not really nice is that, in Koha::Patron::to_api we are now having a json_patron and so not early returning, and we get 'restricted' in the response whereas the unredacted version should not contain it. But that would mean another call to is_accessible.

--- Comment #105 from Jonathan Druart ---
(In reply to Martin Renvoize from comment #104)
> I think I've mentioned it before.. but I think the solution likely lies in
> redaction rather than outright removal of results.. I think we probably need
> a way to identify what fields should be redacted for the redacted case at
> each object level and then obviously a way to know when to call a redaction
> function to clear out the fields for the API response.

I have written a quick follow-up on top of bug_33568 (that is based on top of this one):
https://gitlab.com/joubu/Koha/-/commit/75b8cd39135966d2ea1b8a48df9aec4a3254d0d5

Would that work?
--- Comment #104 from Martin Renvoize ---
I think I've mentioned it before.. but I think the solution likely lies in redaction rather than outright removal of results.. I think we probably need a way to identify what fields should be redacted for the redacted case at each object level and then obviously a way to know when to call a redaction function to clear out the fields for the API response.
--- Comment #103 from Jonathan Druart ---
(In reply to Tomás Cohen Arazi from comment #101)
> (In reply to Jonathan Druart from comment #93)
> > I have a use case on bug 33568 where I need at least the library of the
> > patron, to display "a patron from LIBRARY".
>
> You should just embed the patron's library... Then if the patron is
> undefined, you use the patron library string.

I don't understand what you mean. If patron is undefined I should access patron.library? That does not make sense. Or do you mean it's what we need to do here?

(In reply to David Cook from comment #99)
> (In reply to Jonathan Druart from comment #94)
> > Are not we trying to provide a global solution for a tricky problem?
>
> Jonathan, are you saying that you think the solution is trying to be "too"
> global and that we should instead just be focusing on protecting patron
> information?
>
> A global solution would be great, but it's hard to do.

As said previously, I don't know how to implement (correctly) a more focused (on patron) solution. So it's hard to unlock the situation with this global solution.

The original (comment 0) need is the same as the need I have on bug 33568. Maybe we should provide something hacky but that will solve the problem...?
--- Comment #102 from David Cook ---
(In reply to Tomás Cohen Arazi from comment #101)
> (In reply to Jonathan Druart from comment #93)
> > I have a use case on bug 33568 where I need at least the library of the
> > patron, to display "a patron from LIBRARY".
>
> You should just embed the patron's library... Then if the patron is
> undefined, you use the patron library string.

How do you know the patron's library if they've been filtered out ahead of time?
--- Comment #101 from Tomás Cohen Arazi ---
(In reply to Jonathan Druart from comment #93)
> I have a use case on bug 33568 where I need at least the library of the
> patron, to display "a patron from LIBRARY".

You should just embed the patron's library... Then if the patron is undefined, you use the patron library string.
--- Comment #100 from David Cook ---
I have a different system where I needed to control access to resources based on requesting user. Fortunately, it is a smaller system than Koha with clearer boundaries around the key data, so I focused on the key data.

For "single" access, each resource has a method for testing authorization to itself. It takes a requesting user, a policy, a requesting action, and optionally resource attributes for more fine-grained control. Since it's just 1 resource, I could use a lot of logic without having problems with scale/efficiency.

For "plural" access, it got more complicated, because I needed to leverage SQL and not code logic. Fortunately, I really only needed to worry about GETs in this context, since I wasn't doing bulk modifications or bulk deletions. For the GETs, I was able to insert extra SQL into the WHERE clause where needed to make sure only resources the requesting user was authorized to see were retrieved from the database.

That's probably a lot harder in Koha, especially if we're trying to do it globally. But if we're just trying to restrict what patrons a requesting user can see based on if they're from the same library... that could be a lot easier. It wouldn't feel great having a resource-specific authorization scheme instead of a global one, but it would be a lot easier.
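The two patterns the thread is weighing, side by side: for "plural" access, narrowing the query itself to what the requester may see (comment #100's extra WHERE condition), and for "single" access, redacting the patron down to its library rather than dropping it (comments #104 to #106), so "a patron from LIBRARY" can still be rendered. This is an added illustrative Perl sketch, not Koha's code: the names search_limited (here a real limiter, not the passthru stub of comment #107), is_accessible, to_api, can_view_all_patrons and the sample rows are assumptions.

```perl
#!/usr/bin/env perl
# Illustrative stand-in, not Koha's code: search_limited, is_accessible,
# to_api and the can_view_all_patrons flag are assumed names.
use strict;
use warnings;

# Constructed sample rows standing in for the borrowers table.
my @patrons = (
    { borrowernumber => 1, surname => 'Acosta', email => 'a@example.org', branchcode => 'CPL' },
    { borrowernumber => 2, surname => 'Bell',   email => 'b@example.org', branchcode => 'MPL' },
);
my %library_name = ( CPL => 'Centerville', MPL => 'Midway' );

sub _library { my $code = shift; return +{ library_id => $code, name => $library_name{$code} } }

# Plural access: narrow the condition (the WHERE clause, in SQL terms) to the
# requester's own library unless they hold a permission to see every patron.
sub search_limited {
    my ( $user, $cond ) = @_;
    $cond = +{ %$cond, branchcode => $user->{branchcode} } unless $user->{can_view_all_patrons};
    return [ grep { my $p = $_; !grep { $p->{$_} ne $cond->{$_} } keys %$cond } @patrons ];
}

# Single access: the full record only for same-library requesters (or the permission).
sub is_accessible {
    my ( $patron, $user ) = @_;
    return $user->{can_view_all_patrons} || $patron->{branchcode} eq $user->{branchcode};
}

# to_api with a mandatory user parameter: instead of returning nothing for an
# inaccessible patron, emit a redacted object that keeps only the library, so a
# caller can still render "a patron from LIBRARY" without seeing personal data.
sub to_api {
    my ( $patron, $user ) = @_;
    die "user parameter is mandatory" unless $user;
    return +{
        patron_id => $patron->{borrowernumber},
        surname   => $patron->{surname},
        email     => $patron->{email},
        library   => _library( $patron->{branchcode} ),
    } if is_accessible( $patron, $user );
    return +{ restricted => \1, library => _library( $patron->{branchcode} ) };    # \1 encodes as JSON true
}

my $staff = { branchcode => 'CPL', can_view_all_patrons => 0 };
printf "%d of %d patrons listed\n", scalar @{ search_limited( $staff, {} ) }, scalar @patrons;
my $view = to_api( $patrons[1], $staff );
my $msg  = exists $view->{email} ? "full record" : "redacted: a patron from $view->{library}{name}";
print "$msg\n";
```

Note that the redacted branch carries the 'restricted' marker only when redaction actually happened, which is the distinction comment #106 points out.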