[Bug 43030] New: Add generic own-resource (self-access) authorization to the REST API
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 Bug ID: 43030 Summary: Add generic own-resource (self-access) authorization to the REST API Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: martin.renvoize@openfifth.co.uk QA Contact: testopia@bugs.koha-community.org CC: tomascohen@gmail.com Target Milestone: --- This patch adds a generic mechanism for REST API endpoints to allow access to a caller's own resources without requiring the broader module permission (for example, a staff member managing their own lists, or viewing/editing their own patron record, without list_borrowers/edit_borrowers). Today, authorization is all-or-nothing: an endpoint's x-koha-authorization block requires a specific module permission, with no way to grant reduced access based on ownership of the record. Several controllers (Lists, AdvancedEditorMacro, Patrons/Password, Patrons/SelfRenewal) work around this today with inconsistent, ad hoc ownership checks that do not share a common implementation. This patch introduces: - Koha::Object->is_owned_by($patron) and Koha::Objects->owned_by($patron), a shared ownership interface implemented per class (identity based for Koha::Patron, owner field based for Koha::Virtualshelf) - An allow-owner flag on x-koha-authorization, checked in Koha::REST::V1::Auth, that admits an authenticated caller lacking the module permission when the resource is their own - Koha::REST::Plugin::Objects integration so objects.find and objects.search enforce/scope by ownership automatically, without each controller reimplementing the check, and while continuing to support paging, embeds, and existing query parameters - Write path guards so a caller admitted only via ownership cannot create a resource owned by someone else or reassign ownership away from themselves Permission continues to take priority: a caller who holds the module permission is unaffected and retains full, unrestricted access exactly as today. Ownership is only consulted for callers who lack the permission. Initial scope covers the Lists (virtualshelves) and Patrons endpoints, chosen to exercise both ownership shapes (owner field and identity match). Other existing ad hoc self checks are left as follow up work. Test plan: 1. Apply the patches and run the test suite for the affected modules: prove t/Koha/Object.t t/Koha/Objects.t t/db_dependent/Koha/Virtualshelves.t t/db_dependent/Koha/Patrons.t t/db_dependent/api/v1/patrons.t t/db_dependent/api/v1/lists.t 2. As a staff user without any list/shelf permission, confirm GET /api/v1/lists returns only your own lists, and GET /api/v1/lists/{id} succeeds for your own list and returns 403 for someone else's 3. As a staff user without borrowers permissions, confirm GET and PUT /api/v1/patrons/{patron_id} succeed for your own patron_id and return 403 for another patron_id 4. As a staff user with the relevant module permission, confirm both endpoints behave exactly as before (full, unrestricted access) 5. Confirm creating/updating a list while lacking the module permission cannot set the owner field to another patron -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #1 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201746 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201746&action=edit Bug 43030: Add Koha::Exceptions::Object::NotImplemented Patch from commit fca8357 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #2 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201747 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201747&action=edit Bug 43030: Add Koha::Object->is_owned_by stub method Patch from commit a4edc98 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #3 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201748 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201748&action=edit Bug 43030: Add Koha::Objects->owned_by stub method Patch from commit 2931f0b -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #4 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201749 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201749&action=edit Bug 43030: Add Koha::Patron(s) is_owned_by/owned_by (identity-based ownership) Patch from commit 682dc6d -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #5 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201750 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201750&action=edit Bug 43030: Replace Koha::BackgroundJobs::search_limited with is_owned_by/owned_by Patch from commit da3b542 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #6 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201751 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201751&action=edit Bug 43030: Add allow-owner support to x-koha-authorization Patch from commit 0a214ee -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #7 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201752 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201752&action=edit Bug 43030: Enforce/scope ownership in Koha::REST::Plugin::Objects Patch from commit 108c9c6 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #8 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201753 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201753&action=edit Bug 43030: Map Koha::Exceptions::Authorization::Unauthorized to 403 in unhandled_exception Koha::REST::Plugin::Objects (Task 7) throws this exception from inside objects.find_rs when koha.self_access is set and the caller doesn't own the resource. Controllers wrap their bodies in try/catch calling $c->unhandled_exception($_), which only recognised a small allowlist of exception types and rendered everything else as a generic 500. Add this type to that allowlist, matching the rendering Koha::REST::V1::Auth already uses for the same exception at the authentication gate. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #9 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201754 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201754&action=edit Bug 43030: Allow self-access to /patrons and /patrons/{patron_id} Adds allow-owner to the GET /patrons collection and GET/PUT /patrons/{patron_id} endpoints, so a staff member without list_borrowers/edit_borrowers can still view/edit their own patron record, scoped automatically to just themselves on the collection. update() now fetches via objects.find_rs (Koha::Patrons->new, not ->search_limited) so it goes through the new ownership check without also picking up the unrelated branch-visibility restriction that search_limited applies to get()/list() -- update never had that restriction and picking it up would silently break staff who hold edit_borrowers but not view_borrower_infos_from_any_libraries. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #10 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201755 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201755&action=edit Bug 43030: Allow self-access to /jobs and /jobs/{job_id} Replaces the catalogue:1 baseline permission with parameters:manage_background_jobs plus allow-owner, so a caller who lacks that permission can still see jobs they personally triggered. This also retires the last manual ownership check in Koha::REST::V1::BackgroundJobs::get in favour of the shared objects.find_rs enforcement from Task 7. Behavior change: a patron with zero permissions can now see their own background jobs (by id or in the collection) where they previously got 403 outright. They could already do so if they held the unrelated catalogue permission, so this narrows what permission is required without broadening what any non-privileged caller can ultimately see. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #11 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201756 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201756&action=edit Bug 43030: Point generic auth-permission tests away from /api/v1/patrons t/db_dependent/api/v1/{auth,auth_basic,oauth}.t each used GET /api/v1/patrons purely as a stand-in "some endpoint requiring a permission" to exercise generic 401/403/503 branches in authenticate_api_request. Now that this endpoint allows self-access, a permission-less patron is admitted (scoped to their own record) instead of rejected, so these generic checks now point at DELETE /api/v1/patrons/-1 instead, which still requires delete_borrowers unconditionally. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 --- Comment #12 from Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> --- Created attachment 201757 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201757&action=edit Bug 43030: Add missing POD for Koha::Objects _get_objects_class/DESTROY Pre-existing gap surfaced by QA once this file was touched for owned_by(); unrelated to this bug's actual change but blocks QA on the whole file otherwise. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030 Martin Renvoize (ashimema) <martin.renvoize@openfifth.co.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |martin.renvoize@openfifth.c |ity.org |o.uk -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org