REST API should not advertise required permissions
Hi all, I just noticed the following error while testing the REST API: {"error":"Authorization failure. Missing required permission(s).","required_permissions":{"borrowers":"1"}} It seems to me that we should just stop at "Authorization failure". While it might be helpful for a dev to know what the required permissions are, I think it would also be overly helpful for an attacker to know what permissions are required too, no? I suppose Koha is open source, so it wouldn't be hard for them to look them up anyway, but it just seems odd? David Cook Senior Software Engineer Prosentient Systems Suite 7.03 6a Glen St Milsons Point NSW 2061 Australia Office: 02 9212 0899 Online: 02 8005 0595
Hi, On Tue, Jan 3, 2023 at 7:58 PM David Cook <dcook@prosentient.com.au> wrote:
It seems to me that we should just stop at “Authorization failure”. While it might be helpful for a dev to know what the required permissions are, I think it would also be overly helpful for an attacker to know what permissions are required too, no?
I don't feel strongly about it, but lean towards including the details for the sake of anybody trying to use the API. After all, the game is already up if the attacker is able to grant additional permissions to the service account. This may be a stretch, but another advantage of including the details is to reduce any temptation to assign the superlibrarian permission to a service account "just to get it working". Regards, Galen -- Galen Charlton Implementation and IT Manager Equinox Open Library Initiative gmc@equinoxOLI.org https://www.equinoxOLI.org phone: 877-OPEN-ILS (673-6457) direct: 770-709-5581
to assign the superlibrarian permission to a service account "just to get it working"
Looks like the equivalent of `sudo chmod -R 777 *` ;) Le mer. 4 janv. 2023 à 16:11, Galen Charlton <gmc@equinoxoli.org> a écrit :
Hi,
On Tue, Jan 3, 2023 at 7:58 PM David Cook <dcook@prosentient.com.au> wrote:
It seems to me that we should just stop at “Authorization failure”. While it might be helpful for a dev to know what the required permissions are, I think it would also be overly helpful for an attacker to know what permissions are required too, no?
I don't feel strongly about it, but lean towards including the details for the sake of anybody trying to use the API. After all, the game is already up if the attacker is able to grant additional permissions to the service account.
This may be a stretch, but another advantage of including the details is to reduce any temptation to assign the superlibrarian permission to a service account "just to get it working".
Regards,
Galen -- Galen Charlton Implementation and IT Manager Equinox Open Library Initiative gmc@equinoxOLI.org https://www.equinoxOLI.org phone: 877-OPEN-ILS (673-6457) direct: 770-709-5581 _______________________________________________ Koha-devel mailing list Koha-devel@lists.koha-community.org https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel website : https://www.koha-community.org/ git : https://git.koha-community.org/ bugs : https://bugs.koha-community.org/
participants (3)
-
David Cook -
Galen Charlton -
Jonathan Druart