[Koha-bugs] [Bug 13895] Add API routes for checkouts retrieval and renewal

bugzilla-daemon at bugs.koha-community.org
Tue Aug 23 13:21:35 CEST 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13895

--- Comment #35 from Lari Taskula <larit at student.uef.fi> ---
(In reply to Katrin Fischer from comment #34)
> >Let user access their own checkouts and if OpacRenewalAllowed system preference
> >is on, also let the user renew their checkouts.
> 
> I am concerned about this kind of behaviour. Would it mean that any user
> (without any permission) can do this using the REST API as long as they can
> get access to a valid session cookie/log into the OPAC?
Yes, only for their own checkouts. Of course appropriate system preferences
need to be considered, as you mentioned:

> This checks for OpacRenewalAllowed, but what about opacuserlogin?
Great suggestion, I totally ignored opacuserlogin. I think it is very important
to also check opacuserlogin here and in other operations where this type of
behaviour would be useful.

There are many operations where it would be useful to let the resource owner
access their own data even if they have no special permissions for it
(checkouts/history, holds, accountlines, patron info, password change etc.).
For this behaviour, I have proposed a patch in Bug 14868 which will centralize
that feature so we don't have to check permissions/ownership in each controller
over and over again, and will also add permission documentation for each
operation into Swagger. Perhaps opacuserlogin could be considered there, to
restrict access to this behaviour in every operation if it is disabled.

> Could we make this behaviour optional?
I'm not fully sure I understand your concern enough to see why it should have
extra optionality, if this behaviour is already enabled in OPAC. If your main
concern was opacuserlogin, then I think it is enough to consider it. Are there
some other preferences that should also be considered?

Thanks for the comment Katrin, very much appreciated!

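The centralized ownership-plus-syspref check discussed in this comment, as an added standalone Perl example; it is not Koha's code and not the patch from Bug 14868. The operation table, the permission names, the `%prefs` hash (standing in for syspref lookups) and all sample data are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical centralized authorization rule, modelled on the comment above:
# a staff user holding the operation's permission always passes; otherwise the
# resource owner may act only on their own checkout, only while opacuserlogin
# is enabled, and renewal additionally requires OpacRenewalAllowed.
# $prefs stands in for syspref lookups; every value below is constructed.

# Constructed table: required staff permission per operation, plus the
# sysprefs that must be on for the owner path to apply.
my %operations = (
    list_checkouts => { permission => 'circulate', owner_prefs => ['opacuserlogin'] },
    renew_checkout => { permission => 'circulate',
                        owner_prefs => ['opacuserlogin', 'OpacRenewalAllowed'] },
);

# Returns 1 if allowed, 0 otherwise.
# $user     = { borrowernumber => N, permissions => { name => 1, ... } }
# $checkout = { borrowernumber => owner of the checkout }
sub authorize {
    my ($op, $user, $checkout, $prefs) = @_;
    my $rule = $operations{$op} or return 0;                  # unknown op: deny
    return 1 if $user->{permissions}{ $rule->{permission} };  # staff path
    # Owner path: deny as soon as any gating syspref is off.
    for my $pref ( @{ $rule->{owner_prefs} } ) {
        return 0 unless $prefs->{$pref};
    }
    return $user->{borrowernumber} == $checkout->{borrowernumber} ? 1 : 0;
}

# Constructed sample: an OPAC patron with no permissions, their own checkout,
# opacuserlogin on but OpacRenewalAllowed off.
my $patron   = { borrowernumber => 42, permissions => {} };
my $checkout = { borrowernumber => 42 };
my %prefs    = ( opacuserlogin => 1, OpacRenewalAllowed => 0 );

for my $op (qw(list_checkouts renew_checkout)) {
    printf "%-15s %s\n", $op,
        authorize($op, $patron, $checkout, \%prefs) ? 'allowed' : 'denied';
}
```

Flipping `opacuserlogin` to 0 in the sample denies both operations for the patron, while a user whose `permissions` hash contains `circulate` passes regardless of the sysprefs.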