[Koha-bugs] [Bug 7804] Add Koha Plugin System

bugzilla-daemon at bugs.koha-community.org
Tue May 22 18:06:39 CEST 2012


http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7804

--- Comment #28 from Ian Walls <koha.sekjal at gmail.com> ---
It sounds like the basic problem is that with plugins, we don't have any
control over what the heck happens.  A plugin could do anything, from a nice
fancy report to emailing every patron's personal information to a remote
server, then deleting the database.  The only way to prevent this is to block
plugins from running arbitrary code, and only accessing things through a
controlled and authenticated API.  Even then, unintended stuff can happen (like
deleting all your records, or emailing someone something you shouldn't).

It comes down to trust; who do you trust to put code on your system?  Right
now, the Koha community and your sysadmin are the folks with that power.  This
patch opens that up to anyone with the 'upload plugins' permission.  First
order of business is confirming that the patch only goes that far, and doesn't
have any holes that can allow other people to run code.

One possible example: if a user has permission to edit permissions, they can
basically do anything, including edit themselves to be able to upload and run
plugins.  Your circle of trust now has to expand to everyone that has this
power, too.

What about making the GUI upload function of the plugin interface something
that can be deactivated?  Then, only the sysadmin could upload and install
plugins.  This is a person you already trust, and who (likely) is concerned
with security, and will do some of that vetting for you before installing
something that could be potentially harmful.

I like the idea of being able to create new Reports and Tools pages to do
various cool things without having to make them part of Koha proper.  It gets
us around a lot of the Quote123 problem.  But until we can provide a clear,
secure API for Koha functions, or a series of hooks/filters like WordPress, I
think user-installable code is going to be a risky proposition.  But, with a
small modification to restrict code uploads to sysadmins only, we can bypass a
lot of the risk with less overall work than a complete M:V:C reimplementation.
