https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39199

David Cook <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Needs Signoff               |In Discussion

--- Comment #5 from David Cook <[email protected]> ---
(In reply to Shi Yao Wang from comment #4)
> I just added missing nullable fields on the definition.
> 
> (In reply to David Cook from comment #2)
> > I'm not sure about some of this naming. I often think of a "notice" as the
> > notice template rather than the notice message.
> 
> What do you prefer the naming to be?

I'm not sure. Maybe the naming is OK.

But I don't think the permissions in api/v1/swagger/paths/notices.yaml
necessarily make sense.

GET /notices requires all "tools" subpermissions.

POST /notices requires only "tools > edit_notices" subpermission, so to add
outbound email all you need to be able to do is edit notices. That can't be
right.

GET /notices/{message_id} requires all "tools" subpermissions.

--

We need to keep in mind that the API runs on the same domain as the OPAC and
the staff interface. By adding GET /notices we've suddenly opened up all the
emails to a user with the tools subpermissions, so they can look at all kinds
of different user information. 

We've got some pretty fundamental authorization problems in Koha, especially
with the API. We bypass our own permissions/authorizations.

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
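The inverted permission shape described in comment #5 (writing a notice requires less than reading one) is the kind of thing a small lint over the swagger path files can catch. This is an added example, not Koha code: it assumes the `x-koha-authorization` / `permissions` layout of Koha's swagger files with a module value of `"1"` meaning the whole module, and the path data below is a constructed stand-in for notices.yaml (the DELETE operation is made up to show the missing-authorization case).

```python
"""Lint swagger path operations for inconsistent or missing permissions."""

WRITE_METHODS = {"post", "put", "patch", "delete"}
READ_METHODS = {"get", "head"}

# Constructed stand-in for api/v1/swagger/paths/notices.yaml (values made up).
NOTICES_PATHS = {
    "/notices": {
        "get": {"x-koha-authorization": {"permissions": {"tools": "1"}}},
        "post": {"x-koha-authorization": {"permissions": {"tools": "edit_notices"}}},
    },
    "/notices/{message_id}": {
        "get": {"x-koha-authorization": {"permissions": {"tools": "1"}}},
        "delete": {},  # constructed: no authorization block at all
    },
}


def required(op):
    """Permissions an operation demands, as a set of (module, subpermission)."""
    perms = op.get("x-koha-authorization", {}).get("permissions", {})
    return {(module, str(sub)) for module, sub in perms.items()}


def implies(stronger, weaker):
    """True if any user who meets `stronger` necessarily also meets `weaker`."""
    return all((m, "1") in stronger or (m, s) in stronger for m, s in weaker)


def audit(paths):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for path, ops in paths.items():
        reads = [required(ops[m]) for m in ops if m in READ_METHODS]
        for method, op in ops.items():
            need = required(op)
            if not need:
                findings.append(f"{method.upper()} {path}: no permission requirement declared")
                continue
            if method in WRITE_METHODS:
                for read_need in reads:
                    # Mutating with fewer rights than reading is the shape in the bug:
                    # edit_notices alone lets you POST, but not GET.
                    if implies(read_need, need) and not implies(need, read_need):
                        findings.append(f"{method.upper()} {path} requires less than GET: {need} vs {read_need}")
    return findings


if __name__ == "__main__":
    for line in audit(NOTICES_PATHS):
        print(line)
```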