[Bug 40441] New: /auth/password/validation ( validateUserAndPassword ) requires too much permissions
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40441 Bug ID: 40441 Summary: /auth/password/validation ( validateUserAndPassword ) requires too much permissions Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: lucas@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: tomascohen@gmail.com In the API swagger definition for validateUserAndPassword: 1184 x-koha-authorization: 1185 permissions: 1186 borrowers: "1" Requiring the top level permission is more than should be needed. It shouldn't need delete_borrowers or send_messages_to_borrowers. We should add a new sub-permission for borrowers like 'api_validate_password' -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40441 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |tomascohen@gmail.com |ity.org | Status|NEW |ASSIGNED -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40441 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40441 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution|--- |DUPLICATE --- Comment #1 from David Cook <dcook@prosentient.com.au> --- I agree. I have patches on bug 36561. Can you take a look there? I think Katrin marked it as Failed QA from Passed QA, although I don't know why. *** This bug has been marked as a duplicate of bug 36561 *** -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40441 --- Comment #2 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 184588 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=184588&action=edit Bug 40441: Add new permission api_validate_password This patch adds a new permission 'api_validate_password' that will be used to control access to the /auth/password/validation endpoint. The permission is added to: - userpermissions.sql for new installations - permissions.inc for display in the staff interface - atomic update script for existing installations Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40441 --- Comment #3 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 184589 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=184589&action=edit Bug 40441: Make /auth/password/validation use new permission This patch updates the /auth/password/validation endpoint to use the new api_validate_password permission instead of the generic borrowers permission. This provides more granular control over who can use the password validation API endpoint. Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40441 --- Comment #4 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- (In reply to David Cook from comment #1)
I agree. I have patches on bug 36561. Can you take a look there?
I think Katrin marked it as Failed QA from Passed QA, although I don't know why.
*** This bug has been marked as a duplicate of bug 36561 ***
Oops. Will do. Do you think we could go with my permission name/description? I believe is more accurate on the scope. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org