https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446
--- Comment #14 from Pedro Amorim <[email protected]> --- (In reply to Jonathan Druart from comment #7) > I don't this this is correct. > > We need a separate route to retrieve the ERM's attributes. Or should it be > in /erm/config? > > IMO we don't want to give access to the attributes of other modules if the > permissions is not set. I sort of agree with this but having to have a specific endpoint for every new resource that adopts extended attributes would be a bit overkill? I also see where Matt's suggestion could work, but as I understand it, that would mean that we'd have to have all possible adopting resources as OR permissions and someone with ERM permissions only would potentially be granted access to, say, serials subscriptions. ----- How about just put 'catalogue' : 1 as permission, and handle the permissions logic in the REST controller itself? That seems to be what paths/jobs.yaml + REST/V1/BackgroundJobs.pm is doing. The get endpoint has permission of catalogue: "1" but then the REST/V1/BackgroundJobs.pm controller checks for manage_background_jobs permission. We could have something similar here, and check for a specific permission depending on the resource_type being queried. Could even just use the existing resource_to_table and extend it to also have each respective permission mapped. -- You are receiving this mail because: You are watching all bug changes. _______________________________________________ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
