[Koha-bugs] [Bug 14868] REST API: Swagger2-driven permission checking

bugzilla-daemon at bugs.koha-community.org
Mon Aug 29 11:23:22 CEST 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14868

--- Comment #42 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
Comment on attachment 54895
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=54895
Bug 14868: Give users possibility to request their own object

Review of attachment 54895:
 --> (https://bugs.koha-community.org/bugzilla3/page.cgi?id=splinter.html&bug=14868&attachment=54895)
-----------------------------------------------------------------

::: Koha/REST/V1.pm
@@ +203,5 @@
> +
> +sub _object_ownership_by_borrowernumber {
> +    my ($c, $user, $borrowernumber) = @_;
> +
> +    return $user->borrowernumber == $borrowernumber;
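Review bot: the `return` line compares with `==` without checking that either side is defined; if `$borrowernumber` or `$user->borrowernumber` is undef, Perl emits an "uninitialized value" warning and coerces it to 0 instead of failing closed, so add a guard such as `return 0 unless defined $user && defined $borrowernumber;` before the comparison. Also note that the helper only establishes ownership, not permission: callers still need the usual permission check for operations a patron is not allowed to perform on their own record.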

I think it's not that easy. For instance, at the OPAC a patron is not allowed
to update his own details; the change needs to be approved by a staff member.
Using the REST API he will be able to bypass the approval.

-- 
You are receiving this mail because:
You are watching all bug changes.