[Bug 24067] New: Refactor REST API allow-owner authorization logic
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 Bug ID: 24067 Summary: Refactor REST API allow-owner authorization logic Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST api Assignee: koha-bugs@lists.koha-community.org Reporter: lari.taskula@hypernova.fi It is possible to authorize patron an access to their own resources by defining "allow-owner" under x-koha-authorization block in endpoint's OpenAPI specification. Currently the logic for this type of authorization is centralized under Koha::REST::V1::Auth::check_object_ownership with some messy, hard to understand and possibly at some point in future even insecure logic. A better and more flexible solution is to have each REST API controller handle the "allow-owner" authorization on their own. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |lari.taskula@hypernova.fi |ity.org | Status|NEW |ASSIGNED -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 --- Comment #1 from Lari Taskula <lari.taskula@hypernova.fi> --- Created attachment 95553 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=95553&action=edit Bug 24067: Add new subroutine check_resource_ownership This patch adds a new subroutine called check_resource_ownership. The method is called when API consumer has no permission but the request may still be authorized if the user is accessing only their own resources. In this case, it will find a method called "owner_authorization" from the controller specified by the endpoint. Testable in following patches. Sponsored-by: Koha-Suomi Oy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 --- Comment #2 from Lari Taskula <lari.taskula@hypernova.fi> --- Created attachment 95554 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=95554&action=edit Bug 24067: Use check_resource_ownership in authorization To test: 1. prove t/db_dependent/api/v1/patrons_password.t 2. Observe failure (yes, really a failure - tests will pass in later test) Looks like you failed 7 tests of 15. t/db_dependent/api/v1/patrons_password.t .. 2/2 Failed test 'set_public() (unprivileged user tests)' at t/db_dependent/api/v1/patrons_password.t line 235. Looks like you failed 1 test of 2. t/db_dependent/api/v1/patrons_password.t .. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/2 subtests Sponsored-by: Koha-Suomi Oy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 --- Comment #3 from Lari Taskula <lari.taskula@hypernova.fi> --- Created attachment 95555 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=95555&action=edit Bug 24067: Remove check_object_ownership and old authorization methods Sponsored-by: Koha-Suomi Oy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 --- Comment #4 from Lari Taskula <lari.taskula@hypernova.fi> --- Created attachment 95556 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=95556&action=edit Bug 24067: Use owner_authorization in POST /public/patrons/{patron_id}/password As an example, use this functionality in Koha::REST::V1::Patrons::Password To test: 1. prove t/db_dependent/api/v1/patrons_password.t 2. Observe success Sponsored-by: Koha-Suomi Oy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #95556|0 |1 is obsolete| | --- Comment #5 from Lari Taskula <lari.taskula@hypernova.fi> --- Created attachment 95561 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=95561&action=edit Bug 24067: Use owner_authorization in current public endpoints To test: 1. prove t/db_dependent/api/v1/patrons_password.t 2. Observe success 3. prove t/db_dependent/api/v1/patrons.t 4. Observe success Sponsored-by: Koha-Suomi Oy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #95561|0 |1 is obsolete| | --- Comment #6 from Lari Taskula <lari.taskula@hypernova.fi> --- Created attachment 95571 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=95571&action=edit Bug 24067: Use owner_authorization in current public endpoints To test: 1. prove t/db_dependent/api/v1/patrons_password.t 2. Observe success 3. prove t/db_dependent/api/v1/patrons.t 4. Observe success Sponsored-by: Koha-Suomi Oy -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 Michal Denar <black23@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |black23@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 --- Comment #7 from Michal Denar <black23@gmail.com> --- Hi Lari, can you rebase this patch? Thank you. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de, | |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com Status|Needs Signoff |Patch doesn't apply --- Comment #8 from David Nind <david@davidnind.com> --- Patch no longer applies 8-(: Apply? [(y)es, (n)o, (i)nteractive] y Applying: Bug 24067: Add new subroutine check_resource_ownership Applying: Bug 24067: Use check_resource_ownership in authorization Applying: Bug 24067: Remove check_object_ownership and old authorization methods Applying: Bug 24067: Use owner_authorization in current public endpoints Using index info to reconstruct a base tree... M Koha/REST/V1/Patrons.pm M Koha/REST/V1/Patrons/Password.pm Falling back to patching base and 3-way merge... Auto-merging Koha/REST/V1/Patrons/Password.pm Auto-merging Koha/REST/V1/Patrons.pm CONFLICT (content): Merge conflict in Koha/REST/V1/Patrons.pm error: Failed to merge in the changes. Patch failed at 0001 Bug 24067: Use owner_authorization in current public endpoints -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24067 Lari Taskula <lari.taskula@hypernova.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|lari.taskula@hypernova.fi |koha-bugs@lists.koha-commun | |ity.org --- Comment #9 from Lari Taskula <lari.taskula@hypernova.fi> --- (In reply to Michal Denar from comment #7)
Hi Lari, can you rebase this patch?
Thank you.
Sorry I don't currently have the resources to work with this Bug. But if you can and want to help, please! -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org