http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13920
Julian Maurice <julian.maur...@biblibre.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #40592|0                           |1
        is obsolete|                            |

--- Comment #11 from Julian Maurice <julian.maur...@biblibre.com> ---
Created attachment 40625
  --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=40625&action=edit
Bug 13920: 9. API authentication system - Swagtenticator authentication - WIP

This feature implements REST API-key authentication and Koha permission
validation in the Swagger2-plugin extension.
This is basically a Mojolicious to Koha authentication using Swagger2 RESTful
API definition to autodocument and check for proper user permissions,
aka. "KohaliciousSwagtenticator".

With this feature the API provider doesn't need to code anything in the
Controller to support Koha permissions.
Simply by defining a custom Swagger2 parameter
    "x-koha-parameters": {}
the Swagtenticator knows to check the user for proper Koha permissions.

Example (require any borrowers-permission):
...
"paths": {
  "/borrowers": {
    "get": {
      "x-mojo-controller": "Koha::REST::V1::Borrowers",
      "x-koha-permission": {
        "borrowers": "*"
      },
      "operationId": "listBorrowers",
...

This x-koha-permission definition is turned to a HASH and given to the
C4::Auth::haspermission() for verification by the Swagger2-based plugin.

Bug dependencies:
Buugg 13995 - Proper Exception handling, which helps a lot in dealing with
              all the various ways authentication can fail.
Buugg 14437 - Refactor C4::Auth::haspermission() to Koha::Object and return
              better errors. Which returns the failing permission so we can
              create a more helpful API which tells which permissions are
              missing (also helps admins in giving the right permissions)

This feature is implemented by inheriting Mojolicious::Plugin::Swagger2 in
Koha::REST::V1::Plugins::KohaliciousSwagtenticator and overloading the
necessary subroutines.

TEST PLAN:
1. Add the given example (up) to any "Operation Object *".
2. Call the "Operation object" (eg. /v1/borrowers/10) with user credentials
   not having any borrower-permissions.
3. Fail because of myriad of reasons.
   (see. KohaliciousSwagtenticator::check_key_auth())
4. Add some borrowers-permissions to the same user.
5. Succeed in your operation.

* from Swagger2.0 specification
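
Added example, not part of the original comment and not Koha code: because the permission check is driven entirely by the x-koha-permission annotation, a reviewer can audit a Swagger2 definition for Operation Objects that declare no permission, and model which permissions a caller is missing. The second path, the shape of the `granted` mapping and the function names are assumptions made for illustration.

```python
import json

# Constructed Swagger2 fragment: the first operation is the example from the
# comment above; the second is a hypothetical operation with no annotation.
SPEC = json.loads("""
{
  "paths": {
    "/borrowers": {
      "get": {
        "x-mojo-controller": "Koha::REST::V1::Borrowers",
        "x-koha-permission": { "borrowers": "*" },
        "operationId": "listBorrowers"
      }
    },
    "/borrowers/{borrowernumber}": {
      "get": {
        "x-mojo-controller": "Koha::REST::V1::Borrowers",
        "operationId": "getBorrower"
      }
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

def operations(spec):
    """Yield (name, Operation Object) for every operation under "paths"."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield op.get("operationId", f"{method.upper()} {path}"), op

def unannotated(spec):
    """Names of operations that declare no x-koha-permission at all."""
    return [name for name, op in operations(spec)
            if not op.get("x-koha-permission")]

def missing_permissions(required, granted):
    """Return the required entries the caller does not satisfy.
    `granted` maps module -> set of subpermission names (assumed shape);
    "*" in the spec means any subpermission of that module is enough."""
    missing = {}
    for module, sub in required.items():
        have = granted.get(module, set())
        if (sub == "*" and not have) or (sub != "*" and sub not in have):
            missing[module] = sub
    return missing
```

Returning the unmet entries instead of a bare yes/no mirrors the goal stated for bug 14437, where the API reports which permissions are missing.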