[Koha-bugs] [Bug 36094] svc/authentication needs adjustements
bugzilla-daemon at bugs.koha-community.org
Mon Feb 26 23:09:34 CET 2024
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094
--- Comment #18 from David Cook <dcook at prosentient.com.au> ---
(In reply to Jonathan Druart from comment #17)
> (In reply to David Cook from comment #16)
> > All good. I worked it out in the end.
> >
> > See bug 36084.
>
> It's not secure.
>
> % curl 'http://localhost:8081/cgi-bin/koha/svc/authentication?login_userid=koha&login_password=koha'
>
> <?xml version='1.0' standalone='yes'?>
> <response>
> <status>ok</status>
> </response>
Yeah, that's a problem with check_api_auth(), which I figured was outside the
scope of this particular change.
I suppose if it's a GET we might be able to delete the credentials out of the
$query object before passing it to check_api_auth(). Without doing a lot of
refactoring, I think we're probably going to be left with a hacky option like
that.
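One way the workaround suggested in this comment could look, as an added example that is not Koha's code or the patch attached to the bug. `strip_url_credentials` is a hypothetical helper, the requests are constructed, and the parameter names come from the curl request quoted above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Parameter names taken from the curl request quoted in the thread.
my @CREDENTIAL_PARAMS = qw(login_userid login_password);

# Hypothetical helper (not a Koha function): unless the request is a POST,
# delete the credential parameters from the CGI object so that the code it
# is handed to next, e.g. check_api_auth(), never sees credentials from a URL.
# Returns the names of the parameters it removed.
sub strip_url_credentials {
    my ($query) = @_;
    my $method = uc( $query->request_method // '' );
    return () if $method eq 'POST';

    my @removed = grep { defined $query->param($_) } @CREDENTIAL_PARAMS;
    $query->delete(@removed) if @removed;
    return @removed;
}

# Constructed requests: CGI->new() is given the parameter string directly,
# so the script runs from the command line without a web server.
my @cases = (
    [ GET  => 'login_userid=koha&login_password=koha' ],
    [ POST => 'login_userid=koha&login_password=koha' ],
    [ GET  => 'other_param=1' ],
);

for my $case (@cases) {
    my ( $method, $params ) = @$case;
    local $ENV{REQUEST_METHOD} = $method;
    my $query   = CGI->new($params);
    my @removed = strip_url_credentials($query);

    printf "%-4s %-45s removed=[%s] remaining=[%s]\n",
        $method, $params,
        join( ',', @removed ),
        join( ',', $query->param );
}
```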