https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094 --- Comment #36 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #35)
As for requiring POST and comment 17 for /svc/authentication... that's a good point but that is more so an issue with check_api_auth() and changing that has wide-reaching consequences beyond /svc.
(In reply to David Cook from comment #18)
Yeah, that's a problem with check_api_auth(), which I figured was outside the scope of this particular change.
I suppose if it's a GET we might be able to delete the credentials out of the $query object before passing it to check_api_auth(). Without doing a lot of refactoring, I think we're probably going to be left with a hacky option like that.
Technically, C4::Auth::get_template_and_user() requires a POST and op=cud-login, which works for a CGI script, because that's the first auth related function called. But for /svc scripts (and scripts like them), they call check_api_auth(), so that's the function that would need to be updated. It's unfortunate that it's so wide spread and used in different ways. Practically, we probably could just have check_api_auth() require a POST when it's performing login functionality. But... we're too late in the release cycle for that I think. -- After 24.05 is released, I'd be happy to write a patch that requires POST when check_api_auth() is doing a login. Then we'll have a whole release cycle to find any bugs in that. -- You are receiving this mail because: You are watching all bug changes.