https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 Bug ID: 43030 Summary: Add generic own-resource (self-access) authorization to the REST API Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: martin.renvoize@openfifth.co.uk QA Contact: testopia@bugs.koha-community.org CC: tomascohen@gmail.com Target Milestone: --- This patch adds a generic mechanism for REST API endpoints to allow access to a caller's own resources without requiring the broader module permission (for example, a staff member managing their own lists, or viewing/editing their own patron record, without list_borrowers/edit_borrowers). Today, authorization is all-or-nothing: an endpoint's x-koha-authorization block requires a specific module permission, with no way to grant reduced access based on ownership of the record. Several controllers (Lists, AdvancedEditorMacro, Patrons/Password, Patrons/SelfRenewal) work around this today with inconsistent, ad hoc ownership checks that do not share a common implementation. This patch introduces: - Koha::Object->is_owned_by($patron) and Koha::Objects->owned_by($patron), a shared ownership interface implemented per class (identity based for Koha::Patron, owner field based for Koha::Virtualshelf) - An allow-owner flag on x-koha-authorization, checked in Koha::REST::V1::Auth, that admits an authenticated caller lacking the module permission when the resource is their own - Koha::REST::Plugin::Objects integration so objects.find and objects.search enforce/scope by ownership automatically, without each controller reimplementing the check, and while continuing to support paging, embeds, and existing query parameters - Write path guards so a caller admitted only via ownership cannot create a resource owned by someone else or reassign ownership away from themselves Permission continues to take priority: a caller who holds the module permission is unaffected and retains full, unrestricted access exactly as today. Ownership is only consulted for callers who lack the permission. Initial scope covers the Lists (virtualshelves) and Patrons endpoints, chosen to exercise both ownership shapes (owner field and identity match). Other existing ad hoc self checks are left as follow up work. Test plan: 1. Apply the patches and run the test suite for the affected modules: prove t/Koha/Object.t t/Koha/Objects.t t/db_dependent/Koha/Virtualshelves.t t/db_dependent/Koha/Patrons.t t/db_dependent/api/v1/patrons.t t/db_dependent/api/v1/lists.t 2. As a staff user without any list/shelf permission, confirm GET /api/v1/lists returns only your own lists, and GET /api/v1/lists/{id} succeeds for your own list and returns 403 for someone else's 3. As a staff user without borrowers permissions, confirm GET and PUT /api/v1/patrons/{patron_id} succeed for your own patron_id and return 403 for another patron_id 4. As a staff user with the relevant module permission, confirm both endpoints behave exactly as before (full, unrestricted access) 5. Confirm creating/updating a list while lacking the module permission cannot set the owner field to another patron -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.