[Bug 17424] New: REST API: Preference to control access to own objects without permission
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Bug ID: 17424 Summary: REST API: Preference to control access to own objects without permission Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Web services Assignee: koha-bugs@lists.koha-community.org Reporter: lari.taskula@jns.fi QA Contact: testopia@bugs.koha-community.org Introduce a preference to enable/disable access to own objects for patron's without required permissions. Bug 14868 added "allow-owner" parameter that allows owner of the object to perform operations on themselves even if they do not have required permissions to otherwise do so (e.g. get own patron data or renew your own checkouts even if you don't have borrowers/circulating permissions). This means patrons can perform basic OPAC operations via REST API. However, there should be an option to disable this functionality; as Katrin pointed out in https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13895#c43 ,
I can imagine both happening: - libraries wanting to shut down any OPAC account functionality, but still be able to renew in staff, so the circulation conditions are set up this way. In this case, there should be a way to lock the API (opacuserlogin might be a way) - libraries shutting down the OPAC, because they use something else like an external discovery layer. In this case they'd still want to use the API, but might turn off the OPAC as far as possible.
I propose a system preference for enabling/disabling access to own objects in REST API. This way libraries can disable opacuserlogin and any OPAC API functionality with the new preference. In the second case, libraries can disable opacuserlogin but still allow OPAC functionality via REST API. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 --- Comment #1 from Lari Taskula <lari.taskula@jns.fi> --- One problem with preference-approach is that it will create a mismatch between Swagger documentation and value of the preference if disabled. If the preference is being used to disable OPAC-like API operations, Swagger spec says they should still be possible. In this case, maybe it is enough to simply return an error message? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Lari Taskula <lari.taskula@jns.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 --- Comment #2 from Lari Taskula <lari.taskula@jns.fi> --- Created attachment 56257 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=56257&action=edit Bug 17424: REST API: Preference to control access to own objects without permission This patch adds a new system preference AccessOwnObjectsInAPI which controls accessibility for OPAC-like REST API operations for patron's without otherwise required permissions. To test: 1. Apply this patch and set AccessOwnObjectsInAPI to "Enabled" 2. Test REST API operations that allow access to own objects. They should work as before. E.g. try to GET /api/v1/patrons/XXX where XXX is your borrowernumber (you need a valid CGISESSID, so login first, but make sure you don't have borrowers-permission) 3. Disable AccessOwnObjectsInAPI 4. Observe that you no longer have access. You should be given an appropriate error message for what happened. 5. Run t/db_dependent/api/v1/swagger/ownership.t and also other REST tests. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Lari Taskula <lari.taskula@jns.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |lari.taskula@jns.fi |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |josef.moravec@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #56257|0 |1 is obsolete| | --- Comment #3 from Josef Moravec <josef.moravec@gmail.com> --- Created attachment 59099 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=59099&action=edit [SIGNED-OFF] Bug 17424: REST API: Preference to control access to own objects without permission This patch adds a new system preference AccessOwnObjectsInAPI which controls accessibility for OPAC-like REST API operations for patron's without otherwise required permissions. To test: 1. Apply this patch and set AccessOwnObjectsInAPI to "Enabled" 2. Test REST API operations that allow access to own objects. They should work as before. E.g. try to GET /api/v1/patrons/XXX where XXX is your borrowernumber (you need a valid CGISESSID, so login first, but make sure you don't have borrowers-permission) 3. Disable AccessOwnObjectsInAPI 4. Observe that you no longer have access. You should be given an appropriate error message for what happened. 5. Run t/db_dependent/api/v1/swagger/ownership.t and also other REST tests. Signed-off-by: Josef Moravec <josef.moravec@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 --- Comment #4 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 64378 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=64378&action=edit Bug 17424: REST API: Preference to control access to own objects without permission This patch adds a new system preference AccessOwnObjectsInAPI which controls accessibility for OPAC-like REST API operations for patron's without otherwise required permissions. To test: 1. Apply this patch and set AccessOwnObjectsInAPI to "Enabled" 2. Test REST API operations that allow access to own objects. They should work as before. E.g. try to GET /api/v1/patrons/XXX where XXX is your borrowernumber (you need a valid CGISESSID, so login first, but make sure you don't have borrowers-permission) 3. Disable AccessOwnObjectsInAPI 4. Observe that you no longer have access. You should be given an appropriate error message for what happened. 5. Run t/db_dependent/api/v1/swagger/ownership.t and also other REST tests. Signed-off-by: Josef Moravec <josef.moravec@gmail.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 --- Comment #5 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 64379 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=64379&action=edit Bug 17424: [QA Follow-up] Tiny tidy The tests for $authorization keys allow_owner or allow_guarantor are in the subroutines already. Moving the owner_guarantor test result in a variable. Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Small patch CC| |m.de.rooy@rijksmuseum.nl Status|Signed Off |Passed QA QA Contact|testopia@bugs.koha-communit |m.de.rooy@rijksmuseum.nl |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #59099|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 --- Comment #6 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Lari Taskula from comment #1)
One problem with preference-approach is that it will create a mismatch between Swagger documentation and value of the preference if disabled. If the preference is being used to disable OPAC-like API operations, Swagger spec says they should still be possible. In this case, maybe it is enough to simply return an error message?
Life is hard :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |18137 CC| |jonathan.druart@bugs.koha-c | |ommunity.org Status|Passed QA |Patch doesn't apply --- Comment #7 from Jonathan Druart <jonathan.druart@bugs.koha-community.org> --- Please rebase this on top of bug 18137. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18137 [Bug 18137] REST API: Migrate from Mojolicious::Plugin::Swagger2 to Mojolicious::Plugin::OpenAPI -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Jonathan Druart <jonathan.druart@bugs.koha-community.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Component|Web services |REST api -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Bug 17424 depends on bug 18137, which changed state. Bug 18137 Summary: REST API: Migrate from Mojolicious::Plugin::Swagger2 to Mojolicious::Plugin::OpenAPI https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18137 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com Status|Patch doesn't apply |In Discussion --- Comment #8 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Lari Taskula from comment #1)
One problem with preference-approach is that it will create a mismatch between Swagger documentation and value of the preference if disabled. If the preference is being used to disable OPAC-like API operations, Swagger spec says they should still be possible. In this case, maybe it is enough to simply return an error message?
I think we need a more flexible approach: we need a configuration page in which users can select if they allow (or not) access to own (and relative's) objects, FOR EACH resource. The OpenAPI docs can be adjusted to say it will depend on local configurations. And API consumers will notice anyway. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|REST API: Preference to |System preference to |control access to own |control access to own |objects without permission |objects without permission -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|lari.taskula@hypernova.fi |koha-bugs@lists.koha-commun | |ity.org -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org