[Koha-bugs] [Bug 14868] REST API: Swagger2-driven permission checking

bugzilla-daemon at bugs.koha-community.org
Mon Aug 15 12:15:30 CEST 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14868

--- Comment #27 from Lari Taskula <larit at student.uef.fi> ---
The patches went through heavy rebasing (now on top of master) and
modifications.

These patches fix wrong error messages, extend "allow-owner" functionality to
be able to find out the object owner from any parameter (not just borrowernumber
like before), add "allow-guarantor" that works similarly to "allow-owner" but
checks access for the guarantor of the owner of the object instead, and add some
more tests that cover these changes. Meanwhile I also squashed "Rename
'x-koha-permission' to 'x-koha-authorization'" into "Give users possibility to
request their own object".

Because of heavy changes, I had to remove the sign-offs and would now be very
interested to hear comments especially on the solution to find out object
ownership from any parameter, and of course suggestions for a better solution
if someone can come up with one.

I think it's very useful to be able to define permissions in Swagger because it
is now documented in your specification, and also permission checking is
centralized into one place instead of duplicating it for nearly every operation
in each controller.
