https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28957
--- Comment #5 from David Cook <[email protected]> --- (In reply to Fridolin Somers from comment #3) > Indeed the permissions are on the plugin method : > https://git.koha-community.org/Koha-community/Koha/src/commit/ > ac02c1d2adc883cc6ff6b749c271cb165d337436/plugins/run.pl#L40 > > But currently only exists tool and report > and plugins create there own methods. These days, there are permissions for these methods: "report", "tool", "admin", or "configure" > Should we change for only one subpermission "run plugin" ? > And plugins have to implement permissions. That could be difficult to apply retroactively, but might not be a bad idea. I've been thinking a bit about "permission policies" which could be applied at different levels (like the borrower as user/subject or the plugin as object/resource). It could be an opportunity to experiment with the idea. The idea being Koha core would have the code like "Koha::Authz::authorize($user,$action,$resource). I haven't fully thought out the design, but the idea would be that there's a permission policy attached to that Koha plugin $resource and it says whether a particular user or categorycode (or whatever) is allowed to do $action against it. That "run plugin" could be the minimum level of permission that a user needs in order to run "run.pl" at all, and then permission policies could kick in from there. For backwards compatibility, we'd probably need to let "report", "tool", "admin" have "run_plugin". Not sure about "configure". -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
