[Koha-bugs] [Bug 14868] REST API: Swagger2-driven permission checking
bugzilla-daemon at bugs.koha-community.org
Thu Jun 30 15:53:19 CEST 2016
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14868
Johanna Räisä <johanna.raisa at gmail.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #52981 |0                           |1
        is obsolete|                            |
--- Comment #17 from Johanna Räisä <johanna.raisa at gmail.com> ---
Created attachment 52992
-->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=52992&action=edit
[SIGNED-OFF] Bug 14868: Swagger2-driven Permission checking
A hasty downgrade from 13920, utilizing new features implemented by the
Mojolicious::Plugin::Swagger2-author, to make it possible to implement more
complex authentication/authorization scenarios with the Plugin.
Define 'x-koha-permission' for the Swagger2 Operation Object, to automatically
authorize against the required permissions.
This way we immediately tell the API consumer in the Swagger2-definition, which
permissions are needed to access defined resources.
Also we don't need to maintain permissions in multiple locations and we can
build a smart testing framework to help a lot in creating tests for the new
REST API.
Rebase notes from 2015-09-22 to 2016-06-20:
- In patrons.t, change expected HTTP 403 to 401 when accessing the endpoint
without authentication (401 = not authenticated, 403 = authenticated, but no
permission).
Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti at jns.fi>
My name is Olli-Antti Kivilahti and I approve this commit.
We have been using the Swagger2.0-driven REST API on Mojolicious for 1 year now
in production and I am certain we have a pretty good idea on how to work with
the limitations of Swagger2.0.
We participated in the development of the Mojolicious::Plugin::Swagger and know
it well. We have made an extension to the plugin to provide full CORS support
and have been building all our in-house features on the new REST API.
Signed-off-by: Johanna Raisa <johanna.raisa at gmail.com>
My name is Johanna Räisä and I approve this commit.
We have been using Swagger2.0-driven REST API in production successfully.
--
You are receiving this mail because:
You are watching all bug changes.
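
The spec-driven check and the 401/403 distinction described in the commit message, sketched as an added example (not code from the attachment or from Koha). The value format of 'x-koha-permission' (module => required subpermission, with '1' or '*' meaning the whole module), the all-of semantics, the authorize() and has_permission() helpers, and the sample paths and users are assumptions.

```perl
use strict;
use warnings;

# Constructed Swagger2 fragment; only the 'x-koha-permission' key name is from the page.
my $spec = { paths => {
    '/patrons' => { get => { 'x-koha-permission' => { borrowers => '1' } } },
    '/holds'   => { get => { 'x-koha-permission' => { reserveforothers => 'place_holds' } } },
    '/status'  => { get => {} },    # operation declares no permission
} };

# $granted: module => 1 (whole module) or { subpermission => 1 } (assumed layout).
sub has_permission {
    my ($granted, $module, $need) = @_;
    my $have = $granted->{$module};
    return 0 unless $have;                       # nothing granted in this module
    return 1 unless ref $have;                   # whole module granted
    return 0 if $need eq '1' || $need eq '*';    # whole module required, only parts held
    return ref $have eq 'HASH' && $have->{$need} ? 1 : 0;
}

# Returns the HTTP status the authorization layer would answer with.
# $user is undef for an unauthenticated request.
sub authorize {
    my ($spec, $method, $path, $user) = @_;
    my $ops = $spec->{paths}{$path} or return 404;
    my $op  = $ops->{ lc $method }  or return 404;
    my $required = $op->{'x-koha-permission'} or return 200;
    return 401 unless $user;                     # not authenticated
    my $granted = $user->{permissions} || {};
    for my $module (sort keys %$required) {      # every listed permission must be held
        return 403 unless has_permission($granted, $module, $required->{$module});
    }
    return 200;                                  # authenticated and permitted
}

# Constructed users for the demonstration.
my %users = (
    anonymous => undef,
    librarian => { permissions => { borrowers => 1 } },
    holdsdesk => { permissions => { reserveforothers => { place_holds => 1 } } },
);

for my $who (sort keys %users) {
    for my $path (sort keys %{ $spec->{paths} }) {
        printf "%-10s GET %-9s -> %d\n", $who, $path,
            authorize($spec, 'GET', $path, $users{$who});
    }
}
```

Because the requirement lives in the operation definition, a test harness can walk the same spec and assert 401 for anonymous and 403 for under-privileged users on every operation that declares a permission.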