[Koha-bugs] [Bug 14868] REST API: Swagger2-driven permission checking

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Aug 15 12:00:28 CEST 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14868

Lari Taskula <larit at student.uef.fi> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #52993|0                           |1
        is obsolete|                            |

--- Comment #25 from Lari Taskula <larit at student.uef.fi> ---
Created attachment 54458
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=54458&action=edit
Bug 14868: Give users possibility to request their own object

Allow access to user's own objects even if they do not have required
permissions.
This will be very useful in many cases where a user wants to request their own
object, for example renewing their checkouts or placing a hold for themselves.

First, this patch renames "x-koha-permission" to "x-koha-authorization" in order
to describe the new functionality better.

Second, we can now add two extra parameters under "x-koha-authorization":
- "allow-owner"; Allows the owner of object to access it (without permission)
- "allow-guarantor"; Allows guarantor of the owner of object to access it
                     (without permission)

Third, since permission checking is outside of actual controller, we need a way
to find out ownership from different types of parameters, e.g. checkout_id from
/checkouts/{checkout_id}, borrowernumber from /patrons/{borrowernumber} etc.
A solution is to match the parameter with a subroutine that is designed to verify
the ownership for that object. See the new subroutines in Koha::REST::V1.

To use this functionality you will simply define it in Swagger:
"/patrons/{borrowernumber}": {
  "get": {
    ...,
    "x-koha-authorization": {
      "allow-owner": true,
      "permissions": {
        "borrowers": "1"
      }
    }
  }
}

If a parameter is not yet defined in Koha::REST::V1::check_object_ownership,
you also need to define it and implement a subroutine that determines
ownership.

Tests are provided in a following patch that adds this functionality for current
API operations.

-- 
You are receiving this mail because:
You are watching all bug changes.
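Added example (not part of the bug report and not Koha's own code): a stand-alone
Perl script that models the check the commit message describes, in the order it
describes it: first the "permissions" under "x-koha-authorization", then
"allow-owner", then "allow-guarantor", with a per-parameter map from path parameter
name to an ownership subroutine. The patrons and the checkout are constructed data,
the /checkouts/{checkout_id} operation and its "circulate" permission are assumed for
illustration, the %owner_of map is an assumed shape for the helpers behind
check_object_ownership, the permission model is simplified, and the choice to deny
when a parameter has no ownership helper is the example's own fail-closed default.

```perl
#!/usr/bin/perl
# Added example, not Koha code: models the x-koha-authorization check from
# the patch description. Data and the /checkouts operation are constructed.
use strict;
use warnings;
use JSON::PP;

# Swagger fragment in the shape the commit message shows. The second
# operation and its "circulate" permission are assumed for illustration.
my $spec = decode_json(<<'JSON');
{
  "/patrons/{borrowernumber}": {
    "get": {
      "x-koha-authorization": {
        "allow-owner": true,
        "permissions": { "borrowers": "1" }
      }
    }
  },
  "/checkouts/{checkout_id}": {
    "get": {
      "x-koha-authorization": {
        "allow-owner": true,
        "allow-guarantor": true,
        "permissions": { "circulate": "circulate_remaining_permissions" }
      }
    }
  }
}
JSON

# Constructed stand-in for the database: patron 2 is guaranteed by patron 3,
# checkout 10 belongs to patron 2, patron 1 holds the whole "borrowers" module.
my %patron = (
    1 => { borrowernumber => 1, permissions => { borrowers => 1 } },
    2 => { borrowernumber => 2, guarantorid => 3 },
    3 => { borrowernumber => 3 },
    4 => { borrowernumber => 4 },
);
my %checkout = ( 10 => { checkout_id => 10, borrowernumber => 2 } );

# Path parameter name -> sub returning the borrowernumber that owns the object
# (assumed shape of the per-parameter helpers behind check_object_ownership).
my %owner_of = (
    borrowernumber => sub { my ($id) = @_; exists $patron{$id} ? $id : undef },
    checkout_id    => sub { my ($id) = @_; $checkout{$id} ? $checkout{$id}{borrowernumber} : undef },
);

# Simplified permission model (assumption): "1" requires the whole module;
# any other value names one subpermission, which a full module flag also covers.
sub has_permissions {
    my ($user, $required) = @_;
    for my $module (keys %$required) {
        my $have = $user->{permissions}{$module};
        return 0 unless defined $have;
        next if !ref $have && $have eq '1';
        return 0 if $required->{$module} eq '1';
        return 0 unless ref $have eq 'HASH' && $have->{ $required->{$module} };
    }
    return 1;
}

# Returns "allow: <reason>" or "deny[: <reason>]" for one request.
sub authorize {
    my ($spec, $path, $method, $user, $params) = @_;
    my $auth = $spec->{$path}{$method}{'x-koha-authorization'}
        or return 'allow: no x-koha-authorization on operation';  # assumed: open endpoint
    return 'allow: permission'
        if $auth->{permissions} && has_permissions($user, $auth->{permissions});
    return 'deny' unless $auth->{'allow-owner'} || $auth->{'allow-guarantor'};
    for my $name (sort keys %$params) {
        # Fail closed: a parameter with no ownership helper cannot grant access.
        my $lookup = $owner_of{$name}
            or return "deny: no ownership check for parameter '$name'";
        my $owner = $lookup->($params->{$name});
        next unless defined $owner;
        return 'allow: owner'
            if $auth->{'allow-owner'} && $owner == $user->{borrowernumber};
        my $guarantor = $patron{$owner}{guarantorid};
        return 'allow: guarantor'
            if $auth->{'allow-guarantor'} && defined $guarantor
               && $guarantor == $user->{borrowernumber};
    }
    return 'deny';
}

my @cases = (
    [ '/patrons/{borrowernumber}', 1, { borrowernumber => 4 } ],  # allow: permission
    [ '/patrons/{borrowernumber}', 2, { borrowernumber => 2 } ],  # allow: owner
    [ '/patrons/{borrowernumber}', 3, { borrowernumber => 2 } ],  # deny (no allow-guarantor here)
    [ '/checkouts/{checkout_id}',  3, { checkout_id => 10 } ],    # allow: guarantor
    [ '/checkouts/{checkout_id}',  4, { checkout_id => 10 } ],    # deny
);
for my $case (@cases) {
    my ($path, $who, $params) = @$case;
    printf "%-28s as patron %d -> %s\n", $path, $who,
        authorize($spec, $path, 'get', $patron{$who}, $params);
}
```

The third case is the one worth noticing when writing a Swagger definition: a
guarantor is only let through on operations that set "allow-guarantor", so setting
"allow-owner" alone on /patrons/{borrowernumber} keeps a guarantor out of the
guarantee's record unless they also hold the "borrowers" permission. The script
needs only core Perl (JSON::PP ships with Perl 5.14 and later).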

