https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20340

--- Comment #48 from Alex Arnaud <alex.arn...@biblibre.com> ---
(In reply to David Cook from comment #41)
> Anyone else think that it's a terrible idea to have authentication plugins
> that non-technical staff can load into Koha? Sounds like a massive security
> problem waiting to happen.
> 
> That said, I'm in favour of authentication "plugins" that administrators can
> add to the system via system packages or CPAN.

I do understand this argument. I even agree that plugins (and not only
authentication ones) could contain security issues.
For "our" hosted libraries, we disabled write permission on the plugins
directory.
Looks like a tricky solution and we probably need a better one, but it means
that administrators have the final word.

> I think we should ask ourselves what we're trying to achieve here. Are we
> adding authentication plugins via the Staff UI, because it's too difficult to
> get changes into Koha, especially around authentication?
> I would love for there to be more authentication methods for Koha. In fact, I
> wrote a generic OpenID Connect client for Koha, which I support locally.

IMO plugins are useful (even essential) to satisfy specific libraries' requests
and not to avoid community processes.
I wrote this patch in order to create an authentication plugin that can
query many LDAP backends and fall back on another one.
Seems too specific to be suggested to the community.
To go further, as discussed above, I think we should generally consider LDAP,
CAS, etc. as specific features that would become plugins (maybe another
debate).

To return to the security topic:
Today, many free pluggable systems provide repositories with a large number of
plugins that have been reviewed, tested and validated by their community as
safe. Users can easily download some from other sources, but they know it's at
their own risk.
Maybe we should be inspired by that.
