https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38745
--- Comment #4 from David Cook <[email protected]> ---

(In reply to Martin Renvoize (ashimema) from comment #3)
> Very much a proof of concept for code and not usable yet

I'm mostly liking what I'm seeing! I've got one question and some feedback.

__Question__: What would the "id" be in the payload?

__Feedback__: Based on our past conversations, I ended up making an RPC-like endpoint a couple of months ago (I wanted to just re-index N number of biblios from third-party tools), and the process brought up two issues: authentication and authorization.

Firstly, at a glance, it looks like you'd only be able to apply Koha permissions at the level of the RPC router, which won't be very fine-grained. I think this will likely cause problems for production/practical uses.

Secondly, there's no validation of the action passed in the method, which means a caller could call any method for the target class (which is fortunately limited to Koha::REST::V1::, although that's still fairly coarse validation).

I think we'd need to think up some further security controls here.

--
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
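The two concerns raised above (permissions checked only at the router, and an unvalidated method name dispatched onto the target class) can be illustrated side by side. The following is an added example and not code from the bug's patch or from Koha; the package `My::RPC::Target`, its methods, the permission flag names and the payload shapes are all hypothetical stand-ins for a Koha::REST::V1::* controller and a Koha user's flags. It contrasts an open `can()` dispatcher with an explicit allowlist that also ties each exposed action to the permission it requires.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical target class standing in for a Koha::REST::V1::* controller.
# Names here are constructed for illustration; they are not Koha's code.
package My::RPC::Target;

sub new { my ($class) = @_; return bless {}, $class }

# The one method that is meant to be reachable over RPC.
sub reindex_biblios {
    my ($self, %args) = @_;
    return "reindexed " . scalar(@{ $args{ids} || [] }) . " biblios";
}

# Internal helper, never intended to be callable from the network.
sub _drop_index {
    my ($self) = @_;
    return "index dropped";
}

package main;

# Vulnerable dispatcher: one coarse check at the router, then whatever
# method name arrives in the payload is resolved with can() and invoked.
# Any sub in the class (and anything inherited from UNIVERSAL, such as
# 'isa' or 'can') becomes reachable.
sub dispatch_unchecked {
    my ($user, $payload) = @_;
    die "permission denied\n" unless $user->{can_use_rpc};
    my $method = $payload->{method} // '';
    my $target = My::RPC::Target->new;
    my $code = $target->can($method) or die "unknown method $method\n";
    return $target->$code(%{ $payload->{params} || {} });
}

# Hardened dispatcher: an explicit allowlist mapping each exposed action
# to the permission flag a caller must hold. Anything not listed is
# rejected before any method lookup happens, and the permission check is
# per action rather than per router.
my %ALLOWED = (
    reindex_biblios => 'edit_catalogue',   # hypothetical flag name
);

sub dispatch_allowlisted {
    my ($user, $payload) = @_;
    my $method   = $payload->{method} // '';
    my $required = $ALLOWED{$method}
        or die "method not exposed: $method\n";
    die "permission denied: $method requires $required\n"
        unless $user->{flags}{$required};
    my $target = My::RPC::Target->new;
    return $target->$method(%{ $payload->{params} || {} });
}

# Constructed sample caller and payloads.
my $user  = { can_use_rpc => 1, flags => { edit_catalogue => 1 } };
my $legit = { method => 'reindex_biblios', params => { ids => [1, 2, 3] } };
my $evil  = { method => '_drop_index' };

print "unchecked/legit:  ", dispatch_unchecked($user, $legit), "\n";
print "unchecked/evil:   ", dispatch_unchecked($user, $evil), "\n";
print "allowlist/legit:  ", dispatch_allowlisted($user, $legit), "\n";
print "allowlist/evil:   ", (eval { dispatch_allowlisted($user, $evil) } // "rejected: $@");
```

The allowlist does two things at once: it turns "any method on the class" into a closed set of named actions, and it lets each action carry its own permission requirement instead of relying on a single gate at the router. Restricting the target namespace to Koha::REST::V1:: alone does neither, since a controller package still exposes every sub it defines or inherits.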
