[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-07-04 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #18 from David Cook  ---
I think we're a bit stuck here at the moment. What are we doing next to move
this along?

-- 
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/


[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-07-04 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Martin Renvoize  changed:

   What|Removed |Added

 QA Contact|testo...@bugs.koha-community.org |n...@bywatersolutions.com
 CC||martin.renvoize@ptfs-europe.com



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-23 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #17 from David Cook  ---
(In reply to Katrin Fischer from comment #16)
> I feel like the permission description as is might cause some confusion
> around staff, especially as it's currently only used on the API and has no
> effect in the interface.
> 
> Suggestion: 
> Verify user credentials via REST API

That's a good point. I'd be happy with that suggestion.

> I am not super happy about having a permission that only really makes sense
> for the API right now, but not sure what else we could do?

I agree that it feels weird, but I think over time it'll make more sense,
especially if we grouped them.

The other day I was setting up a SIP2 user, and I had no idea what permissions
it should have. I patterned it off a previous one I'd set up, but it got me
thinking how many unintended consequences can occur from our current
permissions, especially in terms of interplay with the API. Realistically, you
just want a SIP user to be able to connect to the SIP server and do SIP
operations. 

I think many of us know our permission system is overdue for an overhaul, but
no one is sure what direction to go. (I recall Martin suggesting how the Koha
Foundation getting a consultant could be handy for architectural directions,
and this is one that could be a good target...)

> Also: Should we do a database update assigning this permission to users with
> borrowers permission currently?

No, because the "borrowers" permission is already the top level, and they
implicitly have this permission. We'd just want to encourage people to use this
fine-grained permission moving forward.



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-10 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Brendan Lawlor  changed:

   What|Removed |Added

 CC||blaw...@clamsnet.org



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-10 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Katrin Fischer  changed:

   What|Removed |Added

 Status|Passed QA   |Failed QA
 Keywords||release-notes-needed, rel_24_05_candidate

--- Comment #16 from Katrin Fischer  ---
I feel like the permission description as is might cause some confusion around
staff, especially as it's currently only used on the API and has no effect in
the interface.

Suggestion: 
Verify user credentials via REST API

I am not super happy about having a permission that only really makes sense for
the API right now, but not sure what else we could do?


Also: Should we do a database update assigning this permission to users with
borrowers permission currently?



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-10 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp)  changed:

   What|Removed |Added

 Attachment #166547 is obsolete|0   |1

--- Comment #15 from Nick Clemens (kidclamp)  ---
Created attachment 166551
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166551&action=edit
Bug 36561: (QA follow-up) Be consistent with other permission requirements

Most subpermissions are not added as a list - updating to match others in the
file

Signed-off-by: Nick Clemens 



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-10 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp)  changed:

   What|Removed |Added

 Attachment #166546 is obsolete|0   |1

--- Comment #14 from Nick Clemens (kidclamp)  ---
Created attachment 166550
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166550&action=edit
Bug 36561: (QA follow-up) Add exec flag to installer, tidy, fix comment

Signed-off-by: Nick Clemens 



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-10 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp)  changed:

   What|Removed |Added

 Attachment #166545 is obsolete|0   |1

--- Comment #13 from Nick Clemens (kidclamp)  ---
Created attachment 166549
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166549&action=edit
Bug 36561: Add "validate_borrowers" permission for
/api/v1/auth/password/validation

This change adds a "validate_borrowers" permission which allows a user to only
validate borrowers by using the /api/v1/auth/password/validation endpoint.

This avoids scenarios where you want third-parties to authenticate a user
without giving them full permissions to perform CRUD operations on user data.

To test:
1. Apply patch
2. Run "koha-upgrade-schema kohadev"
3. koha-plack --reload kohadev
4. prove -v t/db_dependent/api/v1/password_validation.t
5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51
6. Note that a new subpermission "validate_borrowers" appears under the
"borrowers" permission

Signed-off-by: David Nind 
Signed-off-by: Nick Clemens 



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-10 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp)  changed:

   What|Removed |Added

 CC||n...@bywatersolutions.com

--- Comment #12 from Nick Clemens (kidclamp)  ---
Added a follow-up to match the way other permissions are required in the file -
let me know if you had a reason to use a list, David



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-10 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #11 from Nick Clemens (kidclamp)  ---
Created attachment 166547
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166547&action=edit
Bug 36561: (QA follow-up) Be consistent with other permission requirements

Most subpermissions are not added as a list - updating to match others in the
file



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-10 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #10 from Nick Clemens (kidclamp)  ---
Created attachment 166546
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166546&action=edit
Bug 36561: (QA follow-up) Add exec flag to installer, tidy, fix comment



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-10 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp)  changed:

   What|Removed |Added

 Attachment #165718 is obsolete|0   |1

--- Comment #9 from Nick Clemens (kidclamp)  ---
Created attachment 166545
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166545&action=edit
Bug 36561: Add "validate_borrowers" permission for
/api/v1/auth/password/validation

This change adds a "validate_borrowers" permission which allows a user to only
validate borrowers by using the /api/v1/auth/password/validation endpoint.

This avoids scenarios where you want third-parties to authenticate a user
without giving them full permissions to perform CRUD operations on user data.

To test:
1. Apply patch
2. Run "koha-upgrade-schema kohadev"
3. koha-plack --reload kohadev
4. prove -v t/db_dependent/api/v1/password_validation.t
5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51
6. Note that a new subpermission "validate_borrowers" appears under the
"borrowers" permission

Signed-off-by: David Nind 



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-05-10 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp)  changed:

   What|Removed |Added

 Status|Signed Off  |Passed QA



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-28 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Nind  changed:

   What|Removed |Added

 Attachment #165713 is obsolete|0   |1

--- Comment #8 from David Nind  ---
Created attachment 165718
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=165718&action=edit
Bug 36561: Add "validate_borrowers" permission for
/api/v1/auth/password/validation

This change adds a "validate_borrowers" permission which allows a user to only
validate borrowers by using the /api/v1/auth/password/validation endpoint.

This avoids scenarios where you want third-parties to authenticate a user
without giving them full permissions to perform CRUD operations on user data.

To test:
1. Apply patch
2. Run "koha-upgrade-schema kohadev"
3. koha-plack --reload kohadev
4. prove -v t/db_dependent/api/v1/password_validation.t
5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51
6. Note that a new subpermission "validate_borrowers" appears under the
"borrowers" permission

Signed-off-by: David Nind 



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-28 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Nind  changed:

   What|Removed |Added

 Status|Needs Signoff   |Signed Off



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-28 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook  changed:

   What|Removed |Added

 Attachment #165447 is obsolete|0   |1

--- Comment #7 from David Cook  ---
Created attachment 165713
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=165713&action=edit
Bug 36561: Add "validate_borrowers" permission for
/api/v1/auth/password/validation

This change adds a "validate_borrowers" permission which allows a user to only
validate borrowers by using the /api/v1/auth/password/validation endpoint.

This avoids scenarios where you want third-parties to authenticate a user
without giving them full permissions to perform CRUD operations on user data.

To test:
1. Apply patch
2. Run "koha-upgrade-schema kohadev"
3. koha-plack --reload kohadev
4. prove -v t/db_dependent/api/v1/password_validation.t
5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51
6. Note that a new subpermission "validate_borrowers" appears under the
"borrowers" permission



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-28 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook  changed:

   What|Removed |Added

 Status|Failed QA   |Needs Signoff



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-28 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #6 from David Cook  ---
(In reply to David Nind from comment #5)
> I'm not seeing the permission. All I see under "Add, modify and view patron
> information (borrowers)" are:

Thanks, David! It looks like I missed adding the database update to the commit!



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-26 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Nind  changed:

   What|Removed |Added

 CC||da...@davidnind.com
 Status|Needs Signoff   |Failed QA

--- Comment #5 from David Nind  ---
Hi David.

I'm not seeing the permission. All I see under "Add, modify and view patron
information (borrowers)" are:

 Delete patrons (delete_borrowers)
 Add, modify and view patron information (edit_borrowers)
 Search, list and view patrons (list_borrowers)

I see the new permission if I do a reset_all in KTD.

Otherwise, as far as I can tell, step 2 of the test plan isn't doing anything
(for me anyway).

Does this mean it needs a database update for existing installations? Not
really sure how that should work...

David



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-24 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook  changed:

   What|Removed |Added

   Severity|enhancement |minor
   Assignee|koha-b...@lists.koha-community.org |dc...@prosentient.com.au



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-24 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #4 from David Cook  ---
(In reply to David Cook from comment #1)
> Maybe this endpoint just needs a subpermission of "validate_borrowers". 
> 
> That would be a very easy change to make, and it would be backwards
> compatible, since "borrowers: 1" would already include "validate_borrowers". 

This is the option I've opted for, since it was the most straightforward and
backwards compatible.



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-24 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook  changed:

   What|Removed |Added

 Depends on||30962


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962
[Bug 30962] Add POST endpoint for validating a user password


[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-24 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #3 from David Cook  ---
Created attachment 165447
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=165447&action=edit
Bug 36561: Add "validate_borrowers" permission for
/api/v1/auth/password/validation

This change adds a "validate_borrowers" permission which allows a user to only
validate borrowers by using the /api/v1/auth/password/validation endpoint.

This avoids scenarios where you want third-parties to authenticate a user
without giving them full permissions to perform CRUD operations on user data.

To test:
1. Apply patch
2. Run "koha-upgrade-schema kohadev"
3. koha-plack --reload kohadev
4. prove -v t/db_dependent/api/v1/password_validation.t
5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51
6. Note that a new subpermission "validate_borrowers" appears under the
"borrowers" permission



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-24 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook  changed:

   What|Removed |Added

 Status|NEW |Needs Signoff



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-23 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook  changed:

   What|Removed |Added

   See Also||https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27423



[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-09 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #2 from David Cook  ---
Of course, part of the issue for these third-party systems is that their API
user does things "outside of the context of a user". 

It would be great to have integrations where they redirect you to Koha, you
consent and give access to particular scopes, and then it redirects you back
to the third-party system. And they act on behalf of you as the user but within
your context as a user.

So those API calls could place holds but only for you as an authenticated user.

-- 
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/


[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"

2024-04-09 Thread bugzilla-daemon--- via Koha-bugs
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #1 from David Cook  ---
Then again... maybe I'm wrong.

Maybe this endpoint just needs a subpermission of "validate_borrowers". 

That would be a very easy change to make, and it would be backwards compatible,
since "borrowers: 1" would already include "validate_borrowers". 

--

Of course, at some point, we'd need an ILS-DI GetPatronInfo replacement which
doesn't reveal everything about the patron, but gives a third-party system
enough to work with.

Martin has been interested in this topic in terms of scopes that users consent
to.

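
The backwards-compatibility argument from comments #1, #4 and #17 (a holder of the top-level "borrowers" permission implicitly holds "validate_borrowers"), as an added example that is not part of the thread and not Koha's code. It is a simplified Python model: the data shapes, function names, the two hypothetical patron actions, and the assumption that the endpoint previously required "borrowers: 1" are illustrative only.

```python
# Simplified model of a two-level permission check (module -> subpermission).
# Not Koha's code: the data shapes, function names and the two patron actions
# below are assumptions made for this example.

FULL = "1"  # a grant or requirement covering the whole top-level permission

# Subpermissions of "borrowers" named in the thread.
KNOWN = {
    "borrowers": {
        "delete_borrowers", "edit_borrowers",
        "list_borrowers", "validate_borrowers",
    },
}

VALIDATION = "POST /api/v1/auth/password/validation"


def requirements(validation_needs):
    """Route table; only the validation endpoint's requirement varies."""
    return {
        VALIDATION: ("borrowers", validation_needs),
        "edit patron (hypothetical)": ("borrowers", "edit_borrowers"),
        "delete patron (hypothetical)": ("borrowers", "delete_borrowers"),
    }


def is_authorized(flags, module, required):
    """flags maps a module name to FULL or to a set of subpermission names."""
    # A route that names a subpermission nobody can hold is a configuration
    # error; fail loudly instead of silently granting it to FULL holders.
    if required != FULL and required not in KNOWN.get(module, set()):
        raise ValueError(f"unknown subpermission {module}:{required}")
    held = flags.get(module)
    if held is None:
        return False          # no grant on this module at all
    if held == FULL:
        return True           # top level implies every subpermission
    if required == FULL:
        return False          # a subpermission never satisfies "the whole module"
    return required in held


def allowed_actions(flags, table):
    """Sorted list of actions in `table` that `flags` may perform."""
    return sorted(a for a, (m, r) in table.items() if is_authorized(flags, m, r))


# Assumed "before": the endpoint requires the whole "borrowers" permission.
BEFORE = requirements(FULL)
# "After": it requires only the new fine-grained subpermission.
AFTER = requirements("validate_borrowers")

staff = {"borrowers": FULL}                           # existing account
third_party = {"borrowers": {"validate_borrowers"}}   # least-privilege account

if __name__ == "__main__":
    for name, flags in (("staff", staff), ("third_party", third_party)):
        for label, table in (("before", BEFORE), ("after", AFTER)):
            print(name, label, allowed_actions(flags, table))
```

In this model the existing account is unaffected by the change, while an integration account can be limited to the validation endpoint without also gaining the edit and delete actions.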