[Koha-bugs] [Bug 29523] New: Add a way to prevent embedding objects that should not be allowed

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Nov 18 22:13:37 CET 2021


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29523

            Bug ID: 29523
           Summary: Add a way to prevent embedding objects that should not
                    be allowed
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: REST API
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: tomascohen at gmail.com

A user can be allowed to see only patrons from its own library, for example. So
fetching (through the API) all the current checkouts for a biblio and embedding
the patron of each checkout in the response could violate this rule (this is the
case on bug 29275).

We need some mechanism to prevent this at a lower level so controller
developers don't need to code for that, and also to avoid unintended leaks.

Possible implementations will need to standardize things like the one used in
bug 29506, which relies on the existence of ->search_limited to filter out
forbidden results.

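The leak described above, modelled as an added illustration (this is not Koha code; the data, the `User` type, the "visible libraries" set and the choice to embed `None` for a forbidden patron are assumptions). It contrasts a controller that embeds the related patron directly with one that routes the embed through a `search_limited`-style filter, so the controller itself needs no per-endpoint permission logic:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Patron:
    patron_id: int
    library_id: str


@dataclass(frozen=True)
class Checkout:
    checkout_id: int
    biblio_id: int
    patron_id: int


@dataclass(frozen=True)
class User:
    library_id: str
    # Libraries whose patrons this user may see; empty set => unrestricted.
    visible_libraries: frozenset = frozenset()


# Constructed sample data: one biblio checked out by patrons of two libraries.
PATRONS = {1: Patron(1, "CPL"), 2: Patron(2, "MPL"), 3: Patron(3, "CPL")}
CHECKOUTS = [Checkout(10, 100, 1), Checkout(11, 100, 2), Checkout(12, 100, 3)]


def search_limited(user, patrons):
    """Analogue of a ->search_limited: keep only patrons the user may see."""
    if not user.visible_libraries:
        return list(patrons)
    return [p for p in patrons if p.library_id in user.visible_libraries]


def checkouts_embed_patron_naive(biblio_id):
    """The problem: the embed follows the relation directly, so every patron
    is returned no matter which library the caller is restricted to."""
    return [{"checkout_id": c.checkout_id, "patron": PATRONS[c.patron_id]}
            for c in CHECKOUTS if c.biblio_id == biblio_id]


def checkouts_embed_patron_limited(user, biblio_id):
    """The fix: the embed resolves patrons through the limited search, so a
    forbidden patron is withheld (None here) instead of leaked."""
    allowed = {p.patron_id for p in search_limited(user, PATRONS.values())}
    return [{"checkout_id": c.checkout_id,
             "patron": PATRONS[c.patron_id] if c.patron_id in allowed else None}
            for c in CHECKOUTS if c.biblio_id == biblio_id]
```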