[Bug 22216] New: Make {GET|PUT} /patrons/{patron_id} staff only
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Bug ID: 22216 Summary: Make {GET|PUT} /patrons/{patron_id} staff only Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: REST api Assignee: koha-bugs@lists.koha-community.org Reporter: tomascohen@gmail.com Target Milestone: --- Now that we voted to have a /public namespace for unprivileged access endpoints, the existing /patrons endpoint needs to be adapted. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |22061 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22061 [Bug 22061] Public route to change password -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |nick@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |22218 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22218 [Bug 22218] Make endpoints not in /public require privileged credentials [OMNIBUS] -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Make {GET|PUT} |Make GET |/patrons/{patron_id} staff |/patrons/{patron_id} staff |only |only -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 --- Comment #1 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Created attachment 84506 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=84506&action=edit Bug 22216: Make GET /patrons/{patron_id} staff only This patch removes the possibility to access the patron object identified by patron_id by the patron itself, or a guarantor. It does so by removing the permissions from the spec. The tests are adjusted to remove that use case. To test: - Apply this patch - Run: $ kshell k$ prove t/db_dependent/api/v1/patrons.t => SUCCESS: Tests pass! - Sign off :-D -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Bug 22216 depends on bug 22061, which changed state. Bug 22061 Summary: Public route to change password https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22061 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de Assignee|koha-bugs@lists.koha-commun |tomascohen@gmail.com |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #84506|0 |1 is obsolete| | --- Comment #2 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 85059 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=85059&action=edit Bug 22216: Make GET /patrons/{patron_id} staff only This patch removes the possibility to access the patron object identified by patron_id by the patron itself, or a guarantor. It does so by removing the permissions from the spec. The tests are adjusted to remove that use case. To test: - Apply this patch - Run: $ kshell k$ prove t/db_dependent/api/v1/patrons.t => SUCCESS: Tests pass! - Sign off :-D Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com Status|Needs Signoff |Signed Off --- Comment #3 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Works well for me, signing off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl --- Comment #4 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Looks good but this patch removes those lines that tested allow-owner functionality. And now we have this 'feature' but no tests? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 --- Comment #5 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Marcel de Rooy from comment #4)
Looks good but this patch removes those lines that tested allow-owner functionality. And now we have this 'feature' but no tests?
The resources in /patrons/ are no longer accessible by unprivileged users. New endpoints will be added that will use it, in the /public namespace. There's uno already in master: bug 22061. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #85059|0 |1 is obsolete| | --- Comment #6 from Josef Moravec <josef.moravec@gmail.com> --- Created attachment 85319 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=85319&action=edit Bug 22216: Make GET /patrons/{patron_id} staff only This patch removes the possibility to access the patron object identified by patron_id by the patron itself, or a guarantor. It does so by removing the permissions from the spec. The tests are adjusted to remove that use case. To test: - Apply this patch - Run: $ kshell k$ prove t/db_dependent/api/v1/patrons.t => SUCCESS: Tests pass! - Sign off :-D Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Josef Moravec <josef.moravec@gmail.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Josef Moravec <josef.moravec@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |josef.moravec@gmail.com QA Contact| |josef.moravec@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Nick Clemens <nick@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #7 from Nick Clemens <nick@bywatersolutions.com> --- Awesome work all! Pushed to master for 19.05 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22216 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|Pushed to Master |RESOLVED --- Comment #8 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Change of behaviour, will not be backported to the stable 18.11.x series. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org