https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41768 --- Comment #18 from David Cook <dcook@prosentient.com.au> --- (In reply to Arthur Suzuki from comment #16)
(In reply to David Cook from comment #15)
(In reply to Arthur Suzuki from comment #14) Yeah, you might have a point. I'm working on a different bug where someone added a public endpoint to be used for both the staff interface and the OPAC. I'm not sure what I think of it yet.
Can you give me the bug number?
I can't at present.
That being said, I thought pickup locations were scoped to individual users. Indeed if you look at Koha/REST/V1/Biblios.pm you can see that it takes a patron_id and public endpoints shouldn't allow people to provide a patron_id. It would need to take the logged in user's patron_id.
Yes, it needs the patron ID, but is that really a problem? it's not like the output/reply gives any personal data about the patron so, in that specific use-case is that a problem?
Yes, it's a problem, because you're allowing an unauthorised action against a different patron. Even if the impact is considered trivial, it's still an unauthorised release of information. It's a problem.
You mean like the following? /api/v1/public/libraries/{library_id} /api/v1/libraries/{library_id}
/api/v1/public/items /api/v1/items
/api/v1/public/oauth/login/{provider_code}/{interface} /api/v1/oauth/login/{provider_code}/{interface}
Yes, I know that already exists but why? could be only the public endpoint imo
I know you think that but I disagree. -- You are receiving this mail because: You are watching all bug changes.