[Bug 36561] New: Inappropriate permission for "/api/v1/auth/password/validation"
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Bug ID: 36561 Summary: Inappropriate permission for "/api/v1/auth/password/validation" Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Web services Assignee: koha-bugs@lists.koha-community.org Reporter: dcook@prosentient.com.au QA Contact: testopia@bugs.koha-community.org Today I was looking to replace a third-party's usage of ILS-DI AuthenticatePatron with the REST API's "/api/v1/auth/password/validation", when I realized that it would mean giving the third-party much greater Koha permission than they currently have. "/api/v1/auth/password/validation" requires the "borrowers" permission, which gives you full access to all borrower data. I don't think that's what we want to give a third-party that really just needs to validate that a patron is an authentic member of Koha. I think that we might need a new permission class. I don't have a perfect name for it yet, but I'm thinking about it. Here's some ideas: - Discovery - External - API - Web services - Third-party -- That way, we can have third-party API users that are narrowly scoped to just what they need to do. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #1 from David Cook <dcook@prosentient.com.au> --- Then again... maybe I'm wrong. Maybe this endpoint just needs a subpermission of "validate_borrowers". That would be a very easy change to make, and it would be backwards compatible, since "borrowers: 1" would already include "validate_borrowers". -- Of course, at some point, we'd need an ILS-DI GetPatronInfo replacement which doesn't reveal everything about the patron, but gives a third-party system enough to work with. Martin has been interested in this topic in terms of scopes that users consent to. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- Of course, part of the issue for these third-party systems is that their API user does things "outside of the context of a user". It would be great to have integrations where they redirect you to Koha, you consent and gives access to particular scopes, and then it redirects you back to the third-party system. And they act on behalf of you as the user but within your context as a user. So those API calls could place holds but only for you as an authenticated user. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=27423 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Created attachment 165447 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=165447&action=edit Bug 36561: Add "validate_borrowers" permission for /api/v1/auth/password/validation This change adds a "validate_borrowers" permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint. This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data. To test: 1. Apply patch 2. Run "koha-upgrade-schema kohadev" 3. koha-plack --reload kohadev 4. prove -v t/db_dependent/api/v1/password_validation.t 5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51 6. Note that a new subpermission "validate_borrowers" appears under the "borrowers" permission -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |30962 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30962 [Bug 30962] Add POST endpoint for validating a user password -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #1)
Maybe this endpoint just needs a subpermission of "validate_borrowers".
That would be a very easy change to make, and it would be backwards compatible, since "borrowers: 1" would already include "validate_borrowers".
This is the option I've opted for, since it was the most straightforward and backwards compatible. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |minor Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com Status|Needs Signoff |Failed QA --- Comment #5 from David Nind <david@davidnind.com> --- Hi David. I'm not seeing the permission. All I see under "Add, modify and view patron information (borrowers)" are: Delete patrons (delete_borrowers) Add, modify and view patron information (edit_borrowers) Search, list and view patrons (list_borrowers) I see the new permission if I do a reset_all in KTD. Otherwise, as far as I can tell, step 2 of the test plan isn't doing anything (for me anyway). Does this means it needs a database update for existing installations? Not really sure how that should work... David -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- (In reply to David Nind from comment #5)
I'm not seeing the permission. All I see under "Add, modify and view patron information (borrowers)" are:
Thanks, David! It looks like I missed adding the database update to the commit! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #165447|0 |1 is obsolete| | --- Comment #7 from David Cook <dcook@prosentient.com.au> --- Created attachment 165713 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=165713&action=edit Bug 36561: Add "validate_borrowers" permission for /api/v1/auth/password/validation This change adds a "validate_borrowers" permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint. This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data. To test: 1. Apply patch 2. Run "koha-upgrade-schema kohadev" 3. koha-plack --reload kohadev 4. prove -v t/db_dependent/api/v1/password_validation.t 5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51 6. Note that a new subpermission "validate_borrowers" appears under the "borrowers" permission -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #165713|0 |1 is obsolete| | --- Comment #8 from David Nind <david@davidnind.com> --- Created attachment 165718 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=165718&action=edit Bug 36561: Add "validate_borrowers" permission for /api/v1/auth/password/validation This change adds a "validate_borrowers" permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint. This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data. To test: 1. Apply patch 2. Run "koha-upgrade-schema kohadev" 3. koha-plack --reload kohadev 4. prove -v t/db_dependent/api/v1/password_validation.t 5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51 6. Note that a new subpermission "validate_borrowers" appears under the "borrowers" permission Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #165718|0 |1 is obsolete| | --- Comment #9 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 166545 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166545&action=edit Bug 36561: Add "validate_borrowers" permission for /api/v1/auth/password/validation This change adds a "validate_borrowers" permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint. This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data. To test: 1. Apply patch 2. Run "koha-upgrade-schema kohadev" 3. koha-plack --reload kohadev 4. prove -v t/db_dependent/api/v1/password_validation.t 5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51 6. Note that a new subpermission "validate_borrowers" appears under the "borrowers" permission Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #10 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 166546 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166546&action=edit Bug 36561: (QA follow-up) Add exec flag to installer, tidy, fix comment -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #11 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 166547 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166547&action=edit Bug 36561: (QA follow-up) Be consistent with other permission requirements Most subpermissions are not added as a list - updating to mathc others in the file -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com --- Comment #12 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Added a follow-up to match the way other permissions are required in the file - let me know if you had a reason to use a list David -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #166545|0 |1 is obsolete| | --- Comment #13 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 166549 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166549&action=edit Bug 36561: Add "validate_borrowers" permission for /api/v1/auth/password/validation This change adds a "validate_borrowers" permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint. This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data. To test: 1. Apply patch 2. Run "koha-upgrade-schema kohadev" 3. koha-plack --reload kohadev 4. prove -v t/db_dependent/api/v1/password_validation.t 5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51 6. Note that a new subpermission "validate_borrowers" appears under the "borrowers" permission Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #166546|0 |1 is obsolete| | --- Comment #14 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 166550 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166550&action=edit Bug 36561: (QA follow-up) Add exec flag to installer, tidy, fix comment Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Nick Clemens (kidclamp) <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #166547|0 |1 is obsolete| | --- Comment #15 from Nick Clemens (kidclamp) <nick@bywatersolutions.com> --- Created attachment 166551 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166551&action=edit Bug 36561: (QA follow-up) Be consistent with other permission requirements Most subpermissions are not added as a list - updating to mathc others in the file Signed-off-by: Nick Clemens <nick@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Failed QA Keywords| |release-notes-needed, | |rel_24_05_candidate --- Comment #16 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- I feel like the permission description as is might cause some confusion around staff, especially as it's currently only used on the API and has no effect in the interface. Suggestion: Verify user credentials via REST API I am not super happy about having a permission that only really makes sense for the API right now, but not sure what else we could do? Also: Should we do a database update assigning this permission to users with borrowers permission currently? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Brendan Lawlor <blawlor@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |blawlor@clamsnet.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #17 from David Cook <dcook@prosentient.com.au> --- (In reply to Katrin Fischer from comment #16)
I feel like the permission description as is might cause some confusion around staff, especially as it's currently only used on the API and has no effect in the interface.
Suggestion: Verify user credentials via REST API
That's a good point. I'd be happy with that suggestion.
I am not super happy about having a permission that only really makes sense for the API right now, but not sure what else we could do?
I agree that it feels weird, but I think over time it'll make more sense, especially if we grouped them. The other day I was setting up a SIP2 user, and I had no idea what permissions it should have. I patterned it off a previous one I'd set up, but it got me thinking how many unintended consequences can occur from our current permissions, especially in terms of interplay with the API. Realistically, you just want a SIP user to be able to connect to the SIP server and do SIP operations. I think many of us know our permission system is overdue for an overhaul, but no one is sure what direction to go. (I recall Martin suggesting how the Koha Foundation getting a consultant could be handy for architectural directions, and this is one that could be a good target...)
Also: Should we do a database update assigning this permission to users with borrowers permission currently?
No, because the "borrowers" permission is already the top level, and they implicitly have this permission. We'd just want to encourage people to use this fine-grained permission moving forward. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |nick@bywatersolutions.com |y.org | CC| |martin.renvoize@ptfs-europe | |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #18 from David Cook <dcook@prosentient.com.au> --- I think we're a bit stuck here at the moment. What are we doing next to move this along? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37144 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #19 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #18)
I think we're a bit stuck here at the moment. What are we doing next to move this along?
Maybe we're better off exploring bug 37144 for now. My initial reasoning for this validate_borrowers permission was that I was uncomfortable with giving full blown "borrowers" permission to a third-party. But if it was a limited view... that wouldn't be so bad. Maybe we could change from "borrowers: 1" to "bororwers: list_borrowers" coupled with bug 37144... that could be doable. (Then the main issue I see is being able to enumerate the borrowers using an increasing integer, but I don't think we're going to replace borrowernumber with a UUID any time soon...) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #20 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #19)
Maybe we're better off exploring bug 37144 for now. My initial reasoning for this validate_borrowers permission was that I was uncomfortable with giving full blown "borrowers" permission to a third-party.
Of course, I think bug 37144 has a long way to go before it's ready... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #21 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #17)
(In reply to Katrin Fischer from comment #16)
I feel like the permission description as is might cause some confusion around staff, especially as it's currently only used on the API and has no effect in the interface.
Suggestion: Verify user credentials via REST API
That's a good point. I'd be happy with that suggestion.
I was thinking about this again... and I think that this is the approach I'll take. I thought about created an "External Web Services" top-level permission, but "validate_borrowers" is the only permission I could think to add to it. Looking at /cgi-bin/koha/ilsdi.pl and everything else is really covered by our existing permissions. "AuthenticatePatron" is the only exception. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #22 from David Cook <dcook@prosentient.com.au> --- That said, sometimes, I think about discovery interfaces, and think it would be great to have permissions for doing things on behalf of an authenticated patron. For instance, Patron A supplies username and password to VuFind, and VuFind does the lookup using "/api/v1/auth/password/validation", and then VuFind is authorized to do things on behalf of only that patron. Of course, that's the point of OAuth2/SSO. VuFind should redirect to Koha, the user logs into Koha, gives consent to certain scopes, and then is redirected back to VuFind with an OAuth2 token, which can then be used for Koha API operations *as the borrower/patron*. Regardless, we do still have systems (like my Keycloak Koha backend SSO extension) that need to do system to system lookups without user involvement. -- Beyond "validate_borrowers", I could imagine a "lookup_borrower" for the ILS-DI LookupPatron type operation. You'd first use "/api/v1/auth/password/validation" and then lookup "/api/v1/patrons/51" (or perhaps a third-party specific endpoint) but only get a minimal record back. -- Anyway, for now we may as well just put them under "borrowers" with a special description... we can always move them under a "external_web_services" permission or something later. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #23 from David Cook <dcook@prosentient.com.au> --- (In reply to Katrin Fischer from comment #16)
Also: Should we do a database update assigning this permission to users with borrowers permission currently?
Actually, I think you're right here. I think that I've misunderstood what the permission 'borrowers: "1"' means! I thought that it meant that you had to have the top level "borrowers" permission, but it actually means that you can have *any* borrowers permission. Looking at the rest of the API spec... I get the feeling that we've made mistakes for other endpoints too... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #24 from David Cook <dcook@prosentient.com.au> --- In the wild, we typically see third-parties using ILS-DI "AuthenticatePatron" then ILS-DI "GetPatronInfo", and really... that's leaking more information than I'd like. We could try to replace it with "/api/v1/auth/password/validation" and "/api/v1/patrons/XXX" (which is what I use in my Keycloak SSO extension which uses Koha as the user database), but "/api/v1/patrons/XXX" also leaks a lot of data plus with x-koha-embed I think it has the capacity to leak even more data than we realize. I think that we've been so focused on the REST API in terms of Koha CRUD and convenience that we haven't really thought about how it can be used (securely) by third-parties. Going back to bug 37144... maybe we should have an endpoint "/api/v1/patron_profiles/XXX". The patron profile would sit in front of the actual patron data, and ideally be configurable... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart@gmail.com, | |kyle.m.hall@gmail.com, | |kyle@bywatersolutions.com, | |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #25 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #23)
(In reply to Katrin Fischer from comment #16)
Also: Should we do a database update assigning this permission to users with borrowers permission currently?
Actually, I think you're right here. I think that I've misunderstood what the permission 'borrowers: "1"' means!
I thought that it meant that you had to have the top level "borrowers" permission, but it actually means that you can have *any* borrowers permission.
Looking at the rest of the API spec... I get the feeling that we've made mistakes for other endpoints too...
I'm not sure why I thought this previously... I just tested it and '"borrowers": "1"' does indeed mean that the user must have all the borrowers subpermissions. So no we wouldn't need to do a database update, since anyone who currently can use this endpoint has all subpermissions already. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lucas@bywatersolutions.com --- Comment #26 from David Cook <dcook@prosentient.com.au> --- *** Bug 40441 has been marked as a duplicate of this bug. *** -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Patch complexity|--- |Trivial patch Status|Failed QA |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #166549|0 |1 is obsolete| | Attachment #166550|0 |1 is obsolete| | Attachment #166551|0 |1 is obsolete| | --- Comment #27 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 184590 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=184590&action=edit Bug 36561: Add new permission `api_validate_password` This change adds a `api_validate_password` permission which allows a user to only validate borrowers by using the /api/v1/auth/password/validation endpoint. This avoids scenarios where you want third-parties to authenticate a user without giving them full permissions to perform CRUD operations on user data. To test: 1. Apply patch 2. Run "koha-upgrade-schema kohadev" 3. koha-plack --reload kohadev 4. prove -v t/db_dependent/api/v1/password_validation.t 5. Visit http://localhost:8081/cgi-bin/koha/members/member-flags.pl?member=51 6. Note that a new subpermission `api_validate_password` appears under the "borrowers" permission Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #28 from Tomás Cohen Arazi (tcohen) <tomascohen@gmail.com> --- Created attachment 184591 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=184591&action=edit Bug 36561: Make /auth/password/validation use new permission This patch updates the /auth/password/validation endpoint to use the new api_validate_password permission instead of the generic borrowers permission. This provides more granular control over who can use the password validation API endpoint. To test: 1. Apply this patches 2. Rebuild the API spec $ ktd --shell k$ yarn api:bundle 3. Run: $ ktd --shell k$ prove t/db_dependent/api/v1/password_validation.t => SUCCESS: Tests pass! 4. Sign off :-D Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Nick Clemens <nick@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |25.11.00 released in| | Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #29 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Nice work everyone! Pushed to main for 25.11 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|rel_24_05_candidate | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |This change adds a new release notes| |borrower subpermission | |"api_validate_password" | |with the description | |"Validate patron passwords | |using the API". This | |permission allows API | |borrower accounts, | |especially for | |third-parties, the ability | |to authenticate users | |without needing full | |create-read-update-delete | |(CRUD) permissions. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Lucas Gass (lukeg) <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |additional_work_needed -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #30 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- We need a small follow-up here to make tests ( t/Koha/Auth/Permissions.t ) pass. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #31 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- Created attachment 184630 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=184630&action=edit Bug 36561: Add new permission to t/Koha/Auth/Permissions.t test -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #32 from Lucas Gass (lukeg) <lucas@bywatersolutions.com> --- follow-up pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Paul Derscheid <paul.derscheid@lmscloud.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to main |Pushed to stable Version(s)|25.11.00 |25.11.00,25.05.04 released in| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #33 from Paul Derscheid <paul.derscheid@lmscloud.de> --- Nice work everyone! Pushed to 25.05.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=40023 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m Status|Pushed to stable |Needs documenting --- Comment #34 from Fridolin Somers <fridolin.somers@biblibre.com> --- More like an enhancement, I prefer not backport to 24.11.x LTS -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 --- Comment #35 from David Cook <dcook@prosentient.com.au> --- (In reply to Fridolin Somers from comment #34)
More like an enhancement, I prefer not backport to 24.11.x LTS
That's a good point. I think I was so keen to "fix the permissions", but in terms of functionality and user experience... it would make more sense to call it an enhancement. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|release-notes-needed | Resolution|--- |FIXED Status|Needs documenting |RESOLVED --- Comment #36 from David Nind <david@davidnind.com> --- No changes to the manual required. I think a follow-up was pushed, so have removed 'additional_work_needed' - please add back if that is not the case. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36561 Jonathan Druart <jonathan.druart@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|additional_work_needed | -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org