[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #18 from David Cook ---
I think we're a bit stuck here at the moment. What are we doing next to move this along?

--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Martin Renvoize changed:

What|Removed|Added
QA Contact|testo...@bugs.koha-community.org|n...@bywatersolutions.com
CC||martin.renvoize@ptfs-europe.com
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #17 from David Cook ---
(In reply to Katrin Fischer from comment #16)
> I feel like the permission description as is might cause some confusion
> around staff, especially as it's currently only used on the API and has no
> effect in the interface.
>
> Suggestion:
> Verify user credentials via REST API

That's a good point. I'd be happy with that suggestion.

> I am not super happy about having a permission that only really makes sense
> for the API right now, but not sure what else we could do?

I agree that it feels weird, but I think over time it'll make more sense, especially if we grouped them.

The other day I was setting up a SIP2 user, and I had no idea what permissions it should have. I patterned it off a previous one I'd set up, but it got me thinking how many unintended consequences can occur from our current permissions, especially in terms of interplay with the API. Realistically, you just want a SIP user to be able to connect to the SIP server and do SIP operations.

I think many of us know our permission system is overdue for an overhaul, but no one is sure what direction to go. (I recall Martin suggesting how the Koha Foundation getting a consultant could be handy for architectural directions, and this is one that could be a good target...)

> Also: Should we do a database update assigning this permission to users with
> borrowers permission currently?

No, because the "borrowers" permission is already the top level, and they implicitly have this permission. We'd just want to encourage people to use this fine-grained permission moving forward.
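The backwards-compatibility argument made in this thread (a top-level "borrowers: 1" grant already implies "validate_borrowers", so existing users need no database update, while a user holding only the subpermission can validate credentials and nothing else), modelled as an added example; it is not Koha's code. The patron route names, the grant data layout and the pre-patch requirement shown as `BEFORE` are assumptions made for illustration.

```python
"""Model of a module/subpermission check (illustrative; not Koha's code)."""

FULL = 1  # top-level grant, written "borrowers: 1" in the thread

VALIDATION = "POST /api/v1/auth/password/validation"

# What the validation endpoint requires.
# ASSUMPTION: BEFORE (whole "borrowers" module) is inferred from the thread.
BEFORE = {VALIDATION: {"borrowers": FULL}}
AFTER = {VALIDATION: {"borrowers": "validate_borrowers"}}

# Hypothetical patron routes, constructed for this example. The subpermission
# names are the ones listed in comment #5.
PATRON_ROUTES = {
    "list patrons (hypothetical)": {"borrowers": "list_borrowers"},
    "edit patron (hypothetical)": {"borrowers": "edit_borrowers"},
    "delete patron (hypothetical)": {"borrowers": "delete_borrowers"},
}

# Constructed principals.
LEGACY_USER = {"borrowers": FULL}                    # existing staff/API user
SCOPED_USER = {"borrowers": {"validate_borrowers"}}  # third-party integration
UNRELATED_USER = {"other_module": FULL}              # no patron rights at all


def has_permission(grants, module, needed):
    """True if `grants` satisfies one (module, needed) requirement."""
    held = grants.get(module)
    if held == FULL:
        return True   # top level implies every subpermission
    if needed == FULL:
        return False  # a subpermission never satisfies "whole module"
    return isinstance(held, (set, frozenset)) and needed in held


def authorize(grants, required):
    """All requirements must hold; an empty requirement fails closed."""
    if not required:
        return False
    return all(has_permission(grants, m, n) for m, n in required.items())


def reachable(grants, validation_policy):
    """Names of every route this principal may call under the given policy."""
    routes = {**validation_policy, **PATRON_ROUTES}
    return {name for name, req in routes.items() if authorize(grants, req)}


if __name__ == "__main__":
    for label, user in [("legacy", LEGACY_USER), ("scoped", SCOPED_USER),
                        ("unrelated", UNRELATED_USER)]:
        for policy_name, policy in [("before", BEFORE), ("after", AFTER)]:
            print(label, policy_name, sorted(reachable(user, policy)))
```

Under `BEFORE`, the only way to let an integration validate credentials is to grant it the whole module, which also makes every patron route reachable; under `AFTER`, the scoped grant reaches the validation endpoint alone.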
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Brendan Lawlor changed:

What|Removed|Added
CC||blaw...@clamsnet.org
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Katrin Fischer changed:

What|Removed|Added
Status|Passed QA|Failed QA
Keywords||release-notes-needed, rel_24_05_candidate

--- Comment #16 from Katrin Fischer ---
I feel like the permission description as is might cause some confusion around staff, especially as it's currently only used on the API and has no effect in the interface.

Suggestion:
Verify user credentials via REST API

I am not super happy about having a permission that only really makes sense for the API right now, but not sure what else we could do?

Also: Should we do a database update assigning this permission to users with borrowers permission currently?
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp) changed:

What|Removed|Added
Attachment #166547 is obsolete|0|1

--- Comment #15 from Nick Clemens (kidclamp) ---
Created attachment 166551
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166551&action=edit
Bug 36561: (QA follow-up) Be consistent with other permission requirements

Most subpermissions are not added as a list - updating to match others in the file

Signed-off-by: Nick Clemens
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp) changed:

What|Removed|Added
Attachment #166546 is obsolete|0|1

--- Comment #14 from Nick Clemens (kidclamp) ---
Created attachment 166550
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166550&action=edit
Bug 36561: (QA follow-up) Add exec flag to installer, tidy, fix comment

Signed-off-by: Nick Clemens
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp) changed:

What|Removed|Added
Attachment #166545 is obsolete|0|1

--- Comment #13 from Nick Clemens (kidclamp) ---
Created attachment 166549
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166549&action=edit
Bug 36561: Add "validate_borrowers" permission for /api/v1/auth/password/validation

This change adds a "validate_borrowers" permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint.

This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data.

To test:
1. Apply patch
2. Run "koha-upgrade-schema kohadev"
3. koha-plack --reload kohadev
4. prove -v t/db_dependent/api/v1/password_validation.t
5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51
6. Note that a new subpermission "validate_borrowers" appears under the "borrowers" permission

Signed-off-by: David Nind
Signed-off-by: Nick Clemens
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp) changed:

What|Removed|Added
CC||n...@bywatersolutions.com

--- Comment #12 from Nick Clemens (kidclamp) ---
Added a follow-up to match the way other permissions are required in the file - let me know if you had a reason to use a list David
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #11 from Nick Clemens (kidclamp) ---
Created attachment 166547
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166547&action=edit
Bug 36561: (QA follow-up) Be consistent with other permission requirements

Most subpermissions are not added as a list - updating to match others in the file
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #10 from Nick Clemens (kidclamp) ---
Created attachment 166546
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166546&action=edit
Bug 36561: (QA follow-up) Add exec flag to installer, tidy, fix comment
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp) changed:

What|Removed|Added
Attachment #165718 is obsolete|0|1

--- Comment #9 from Nick Clemens (kidclamp) ---
Created attachment 166545
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166545&action=edit
Bug 36561: Add "validate_borrowers" permission for /api/v1/auth/password/validation

This change adds a "validate_borrowers" permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint.

This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data.

To test:
1. Apply patch
2. Run "koha-upgrade-schema kohadev"
3. koha-plack --reload kohadev
4. prove -v t/db_dependent/api/v1/password_validation.t
5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51
6. Note that a new subpermission "validate_borrowers" appears under the "borrowers" permission

Signed-off-by: David Nind
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

Nick Clemens (kidclamp) changed:

What|Removed|Added
Status|Signed Off|Passed QA
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Nind changed:

What|Removed|Added
Attachment #165713 is obsolete|0|1

--- Comment #8 from David Nind ---
Created attachment 165718
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=165718&action=edit
Bug 36561: Add "validate_borrowers" permission for /api/v1/auth/password/validation

This change adds a "validate_borrowers" permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint.

This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data.

To test:
1. Apply patch
2. Run "koha-upgrade-schema kohadev"
3. koha-plack --reload kohadev
4. prove -v t/db_dependent/api/v1/password_validation.t
5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51
6. Note that a new subpermission "validate_borrowers" appears under the "borrowers" permission

Signed-off-by: David Nind
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Nind changed:

What|Removed|Added
Status|Needs Signoff|Signed Off
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook changed:

What|Removed|Added
Attachment #165447 is obsolete|0|1

--- Comment #7 from David Cook ---
Created attachment 165713
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=165713&action=edit
Bug 36561: Add "validate_borrowers" permission for /api/v1/auth/password/validation

This change adds a "validate_borrowers" permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint.

This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data.

To test:
1. Apply patch
2. Run "koha-upgrade-schema kohadev"
3. koha-plack --reload kohadev
4. prove -v t/db_dependent/api/v1/password_validation.t
5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51
6. Note that a new subpermission "validate_borrowers" appears under the "borrowers" permission
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook changed:

What|Removed|Added
Status|Failed QA|Needs Signoff
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #6 from David Cook ---
(In reply to David Nind from comment #5)
> I'm not seeing the permission. All I see under "Add, modify and view patron
> information (borrowers)" are:

Thanks, David! It looks like I missed adding the database update to the commit!
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Nind changed:

What|Removed|Added
CC||da...@davidnind.com
Status|Needs Signoff|Failed QA

--- Comment #5 from David Nind ---
Hi David.

I'm not seeing the permission. All I see under "Add, modify and view patron information (borrowers)" are:

Delete patrons (delete_borrowers)
Add, modify and view patron information (edit_borrowers)
Search, list and view patrons (list_borrowers)

I see the new permission if I do a reset_all in KTD.

Otherwise, as far as I can tell, step 2 of the test plan isn't doing anything (for me anyway).

Does this mean it needs a database update for existing installations? Not really sure how that should work...

David
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook changed:

What|Removed|Added
Severity|enhancement|minor
Assignee|koha-b...@lists.koha-community.org|dc...@prosentient.com.au
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #4 from David Cook ---
(In reply to David Cook from comment #1)
> Maybe this endpoint just needs a subpermission of "validate_borrowers".
>
> That would be a very easy change to make, and it would be backwards
> compatible, since "borrowers: 1" would already include "validate_borrowers".

This is the option I've opted for, since it was the most straightforward and backwards compatible.
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook changed:

What|Removed|Added
Depends on||30962

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962
[Bug 30962] Add POST endpoint for validating a user password
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #3 from David Cook ---
Created attachment 165447
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=165447&action=edit
Bug 36561: Add "validate_borrowers" permission for /api/v1/auth/password/validation

This change adds a "validate_borrowers" permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint.

This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data.

To test:
1. Apply patch
2. Run "koha-upgrade-schema kohadev"
3. koha-plack --reload kohadev
4. prove -v t/db_dependent/api/v1/password_validation.t
5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51
6. Note that a new subpermission "validate_borrowers" appears under the "borrowers" permission
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook changed:

What|Removed|Added
Status|NEW|Needs Signoff
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

David Cook changed:

What|Removed|Added
See Also||https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27423
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #2 from David Cook ---
Of course, part of the issue for these third-party systems is that their API user does things "outside of the context of a user".

It would be great to have integrations where they redirect you to Koha, you consent and give access to particular scopes, and then it redirects you back to the third-party system. And they act on behalf of you as the user but within your context as a user. So those API calls could place holds but only for you as an authenticated user.
[Koha-bugs] [Bug 36561] Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561

--- Comment #1 from David Cook ---
Then again... maybe I'm wrong.

Maybe this endpoint just needs a subpermission of "validate_borrowers".

That would be a very easy change to make, and it would be backwards compatible, since "borrowers: 1" would already include "validate_borrowers".

--

Of course, at some point, we'd need an ILS-DI GetPatronInfo replacement which doesn't reveal everything about the patron, but gives a third-party system enough to work with. Martin has been interested in this topic in terms of scopes that users consent to.