https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Bug ID: 36561 Summary: Inappropriate permission for "/api/v1/auth/password/validation" Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Web services Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org Today I was looking to replace a third-party's usage of ILS-DI AuthenticatePatron with the REST API's "/api/v1/auth/password/validation", when I realized that it would mean giving the third-party much greater Koha permission than they currently have. "/api/v1/auth/password/validation" requires the "borrowers" permission, which gives you full access to all borrower data. I don't think that's what we want to give a third-party that really just needs to validate that a patron is an authentic member of Koha. I think that we might need a new permission class. I don't have a perfect name for it yet, but I'm thinking about it. Here's some ideas: - Discovery - External - API - Web services - Third-party -- That way, we can have third-party API users that are narrowly scoped to just what they need to do. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.