https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39199 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #5)
We need to keep in mind that the API runs on the same domain as the OPAC and the staff interface. By adding GET /notices we've suddenly opened up all the emails to a user with the tools subpermissions, so they can look at all kinds of different user information.
We've got some pretty fundamental authorization problems in Koha, especially with the API. We bypass our own permissions/authorizations.
We need to remember that convenience and security are opposite ends of the same spectrum. With AI finding security vulnerabilities easier than ever, we don't want to be making unforced errors like this. -- You are receiving this mail because: You are watching all bug changes.