[Koha-bugs] [Bug 29523] Add a way to prevent embedding objects that should not be allowed
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Jul 27 04:59:31 CEST 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29523
--- Comment #100 from David Cook <dcook at prosentient.com.au> ---
I have a different system where I needed to control access to resources based
on requesting user. Fortunately, it is a smaller system than Koha with clearer
boundaries around the key data, so I focused on the key data.
For "single" access, each resource has a method for testing authorization to
itself. It takes a requesting user, a policy, a requesting action, and
optionally resource attributes for more fine-grained control. Since it's just 1
resource, I could use a lot of logic without having problems with
scale/efficiency.
For "plural" access, it got more complicated, because I needed to leverage SQL
and not code logic. Fortunately, I really only needed to worry about GETs in
this context, since I wasn't doing bulk modifications or bulk deletions. For
the GETs, I was able to insert extra SQL into the WHERE clause where needed to
make sure only resources the requesting user was authorized to see were
retrieved from the database.
That's probably a lot harder in Koha, especially if we're trying to do it
globally.
But if we're just trying to restrict what patrons a requesting user can see
based on if they're from the same library... that could be a lot easier.
It wouldn't feel great having a resource-specific authorization scheme instead
of a global one, but it would be a lot easier.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list