[Koha-bugs] [Bug 30230] Search for patrons in checkout should not require edit_borrowers permission

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Thu Aug 31 02:41:24 CEST 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30230

--- Comment #12 from David Cook <dcook at prosentient.com.au> ---
Except that doesn't work either because of the whacky REST API permissions that
also require edit_borrowers. 

In theory, the REST API was a good idea, but I think we've approached it a bit
naively. 

Rather than search using GET /api/v1/patrons, I reckon we should be POSTing to
something like /api/v1/patrons/search, which can perform more nuanced
operations. And we are looking into more nuanced operations but that's also
challenging in its own way (especially from a performance perspective). 

--

So I think that takes us back to a "view_borrowers" subpermission which is also
kind of weird, because then you'd need "view_borrowers" plus "delete_borrowers"
or "edit_borrowers" in order to perform those latter operations. That's where
role-based access control would be useful. You'd just set up the roles and
assign the roles and the weirdness of permissions would be hidden a bit behind
the scenes. 

But overhauling permissions is no easy task because we also need to maintain
the messy status quo. 

So we end up just adding workaround on top of workaround...

I think it'll either take a big sponsored project or serious collaboration
among many developers to really improve access control/authorization.
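To make the permission layering in the comment concrete, here is a small added example (not Koha code) that models the two policies side by side: the status quo, where patron search via the REST API requires edit_borrowers, and the proposed view_borrowers subpermission with roles bundling the combinations. edit_borrowers and delete_borrowers are real Koha subpermission names; view_borrowers, the role names and the policy tables are assumptions for illustration.

```python
from typing import Dict, FrozenSet, Iterable, Tuple

Endpoint = Tuple[str, str]
Policy = Dict[Endpoint, FrozenSet[str]]

# Status quo (assumed mapping): searching patrons needs the same
# subpermission as editing them, so read-only staff are over-privileged.
STATUS_QUO: Policy = {
    ("GET", "/api/v1/patrons"): frozenset({"borrowers.edit_borrowers"}),
    ("PUT", "/api/v1/patrons/{id}"): frozenset({"borrowers.edit_borrowers"}),
    ("DELETE", "/api/v1/patrons/{id}"): frozenset({"borrowers.delete_borrowers"}),
}

# Proposed (assumed mapping): a read-only subpermission gates search, and
# mutating calls need view rights *plus* their own subpermission, which is
# the awkward combination the comment describes.
PROPOSED: Policy = {
    ("POST", "/api/v1/patrons/search"): frozenset({"borrowers.view_borrowers"}),
    ("PUT", "/api/v1/patrons/{id}"): frozenset(
        {"borrowers.view_borrowers", "borrowers.edit_borrowers"}),
    ("DELETE", "/api/v1/patrons/{id}"): frozenset(
        {"borrowers.view_borrowers", "borrowers.delete_borrowers"}),
}

# Roles (assumed) hide the combinations: staff are assigned a role, not a
# hand-picked set of subpermissions.
ROLES: Dict[str, FrozenSet[str]] = {
    "circ_desk": frozenset({"borrowers.view_borrowers"}),
    "patron_admin": frozenset({"borrowers.view_borrowers",
                               "borrowers.edit_borrowers",
                               "borrowers.delete_borrowers"}),
}


def effective_permissions(roles: Iterable[str]) -> FrozenSet[str]:
    """Union of the subpermissions granted by each assigned role."""
    return frozenset().union(*(ROLES[r] for r in roles))


def missing_permissions(policy: Policy, method: str, path: str,
                        perms: FrozenSet[str]) -> FrozenSet[str]:
    """Subpermissions the caller lacks for this endpoint; unknown endpoints
    are reported as requiring a sentinel so they are denied by default."""
    required = policy.get((method, path), frozenset({"<unknown endpoint>"}))
    return required - perms


def authorize(policy: Policy, method: str, path: str, roles: Iterable[str]) -> bool:
    """Deny-by-default check: allowed only when nothing is missing."""
    return not missing_permissions(policy, method, path, effective_permissions(roles))
```

Running the check for a circ_desk role shows the difference: under STATUS_QUO the search is denied unless the role is also granted edit rights, while under PROPOSED search is allowed and the edit and delete endpoints stay denied.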
