[Bug 20407] New: Hide some fields from unauthoriezd users
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 Bug ID: 20407 Summary: Hide some fields from unauthoriezd users Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST api Assignee: koha-bugs@lists.koha-community.org Reporter: alex.arnaud@biblibre.com The main goal here is to be able to make some fields/properties/columns "non public" to unauthorized people ( permission => catalogue ) by setting a "x-public" key to false in Swagger definitions files. Patch is coming... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 --- Comment #1 from Alex Arnaud <alex.arnaud@biblibre.com> --- Created attachment 72891 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72891&action=edit Bug 20407 - REST API: Ability to hide fields from unauthorized users Test plan: - apply this patch, - edit api/v1/swagger/definitions/city.json, - remove the keys "country" and "postal_code" from required, - add a key "x-public": false for country and postal_code "postal_code": { "description": "city postal code", "type": ["string", "null"], "x-public": false }, "country": { "description": "city country", "type": ["string", "null"], "x-public": false } - logout from Koha and go to api/v1/cities, - you should not see country and postal_code, - login to Koha and refresh api/v1/cities, - you should see country and postal_code -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 Alex Arnaud <alex.arnaud@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |alex.arnaud@biblibre.com |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 Alex Arnaud <alex.arnaud@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #72891|0 |1 is obsolete| | --- Comment #2 from M. Tompsett <mtompset@hotmail.com> --- Created attachment 72982 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=72982&action=edit Bug 20407 - REST API: Ability to hide fields from unauthorized users Test plan: - apply this patch, - edit api/v1/swagger/definitions/city.json, - remove the keys "country" and "postal_code" from required, - add a key "x-public": false for country and postal_code "postal_code": { "description": "city postal code", "type": ["string", "null"], "x-public": false }, "country": { "description": "city country", "type": ["string", "null"], "x-public": false } - logout from Koha and go to api/v1/cities, - you should not see country and postal_code, - login to Koha and refresh api/v1/cities, - you should see country and postal_code NOTE: Make sure to go to Koha administration and add cities before testing. Signed-off-by: Mark Tompsett <mtompset@hotmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 M. Tompsett <mtompset@hotmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off CC| |mtompset@hotmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Hide some fields from |Hide some fields from |unauthoriezd users |unauthorized users CC| |katrin.fischer@bsz-bw.de -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com --- Comment #3 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- The slightly more accepted way of doing this to date that I have seen is to reduce the default response to only contain public fields and set the private fields to need explicitly requesting in the api call. This way, rather than sending back a 200 with varying content you send back either a 200 with what the consumer has asked for (or is expecting) or you send back a 401 Unauthorized and the client knows to authenticate). The principle of Least Surprise. I do like the x-public way of defining it in the spec though.. :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- URL| |https://wiki.koha-community | |.org/wiki/Partial_resources | |_RFC -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |In Discussion --- Comment #4 from Tomás Cohen Arazi <tomascohen@gmail.com> --- On a recent dev meeting it was voted to have a separate namespace (/public) for public facing endpoints. So while the logic here is valuable, this bug won't see progress as-is. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20407 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|In Discussion |RESOLVED Resolution|--- |WONTFIX --- Comment #5 from Tomás Cohen Arazi <tomascohen@gmail.com> --- We implemented the separate /public namespace already. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org