https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38050 --- Comment #53 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- FYI: Bug 43030 adds a generic own-resource (self-access) authorization mechanism to the REST API -- Koha::Object->is_owned_by / Koha::Objects->owned_by, plus an allow-owner flag on x-koha-authorization, so an authenticated caller without the module permission can still access/manage records they own. This bug's admin CRUD endpoints for lists/virtualshelves currently do their own ownership/sharing checks by calling Koha::Virtualshelf's can_be_viewed / can_be_managed / can_be_deleted directly in the controllers (see comment 42, point 3). That's richer than plain ownership -- it also covers sharing and the delete_public_lists permission, which the generic framework in Bug 43030 doesn't attempt to model. Once both bugs have landed, it would be worth a follow-up bug evaluating whether the plain-ownership case here could be expressed via is_owned_by/allow-owner, while keeping can_be_viewed/can_be_managed for the sharing and public-list-permission logic. Not asking to change anything on this bug for that now, just flagging the relationship for whoever picks up the follow-up. -- You are receiving this mail because: You are watching all bug changes.