https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 Bug ID: 24067 Summary: Refactor REST API allow-owner authorization logic Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST api Assignee: koha-bugs@lists.koha-community.org Reporter: lari.taskula@hypernova.fi It is possible to authorize patron an access to their own resources by defining "allow-owner" under x-koha-authorization block in endpoint's OpenAPI specification. Currently the logic for this type of authorization is centralized under Koha::REST::V1::Auth::check_object_ownership with some messy, hard to understand and possibly at some point in future even insecure logic. A better and more flexible solution is to have each REST API controller handle the "allow-owner" authorization on their own. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.