https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38050

--- Comment #53 from Martin Renvoize (ashimema) 
<[email protected]> ---
FYI: Bug 43030 adds a generic own-resource (self-access) authorization
mechanism to the REST API -- Koha::Object->is_owned_by /
Koha::Objects->owned_by, plus an allow-owner flag on x-koha-authorization, so
an authenticated caller without the module permission can still access/manage
records they own.
This bug's admin CRUD endpoints for lists/virtualshelves currently do their own
ownership/sharing checks by calling Koha::Virtualshelf's can_be_viewed /
can_be_managed / can_be_deleted directly in the controllers (see comment 42,
point 3). That's richer than plain ownership -- it also covers sharing and the
delete_public_lists permission, which the generic framework in Bug 43030
doesn't attempt to model.
Once both bugs have landed, it would be worth a follow-up bug evaluating
whether the plain-ownership case here could be expressed via
is_owned_by/allow-owner, while keeping can_be_viewed/can_be_managed for the
sharing and public-list-permission logic. Not asking to change anything on this
bug for that now, just flagging the relationship for whoever picks up the
follow-up.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Reply via email to