[Koha-bugs] [Bug 17424] New: REST API: Preference to control access to own objects without permission
bugzilla-daemon at bugs.koha-community.org
Tue Oct 11 13:18:43 CEST 2016
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17424
Bug ID: 17424
Summary: REST API: Preference to control access to own objects
without permission
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Web services
Assignee: koha-bugs at lists.koha-community.org
Reporter: lari.taskula at jns.fi
QA Contact: testopia at bugs.koha-community.org
Introduce a preference to enable/disable access to own objects for patrons
without required permissions.
Bug 14868 added the "allow-owner" parameter that allows the owner of the object to
perform operations on themselves even if they do not have the required permissions
to otherwise do so (e.g. get own patron data or renew your own checkouts even
if you don't have borrowers/circulating permissions). This means patrons can
perform basic OPAC operations via REST API.
However, there should be an option to disable this functionality; as Katrin
pointed out in
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13895#c43 ,
> I can imagine both happening:
> - libraries wanting to shut down any OPAC account functionality, but still
> be able to renew in staff, so the circulation conditions are set up this
> way. In this case, there should be a way to lock the API (opacuserlogin
> might be a way)
> - libraries shutting down the OPAC, because they use something else like an
> external discovery layer. In this case they'd still want to use the API, but
> might turn off the OPAC as far as possible.
I propose a system preference for enabling/disabling access to own objects in
REST API. This way libraries can disable opacuserlogin and any OPAC API
functionality with the new preference. In the second case, libraries can
disable opacuserlogin but still allow OPAC functionality via REST API.
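The following is an added example, not part of the original report and not Koha code: a small Python model of the authorization decision the report proposes, run against both deployments from the quoted comment. The preference name `ExampleRestOwnerAccess`, the `Route`/`User` types, the sample permission name and patron ids, and the choice to treat an unset preference as disabled are all assumptions of this example.

```python
from dataclasses import dataclass

# Hypothetical name: the bug report does not say what the preference is called.
OWNER_ACCESS_PREF = "ExampleRestOwnerAccess"

@dataclass(frozen=True)
class Route:
    required_permission: str   # sample permission name, e.g. "circulate"
    allow_owner: bool = False  # models the "allow-owner" parameter (Bug 14868)

@dataclass(frozen=True)
class User:
    patron_id: int
    permissions: frozenset = frozenset()

def authorize(user, route, owner_id, prefs):
    """Return (allowed, reason) for one request on an object owned by owner_id."""
    if user is None:
        return False, "unauthenticated"
    if route.required_permission in user.permissions:
        return True, "permission"          # staff path, unaffected by the preference
    if not route.allow_owner:
        return False, "permission required"
    if user.patron_id != owner_id:
        return False, "not the owner"
    # Assumption of this example: an unset preference means disabled (fail closed).
    if not prefs.get(OWNER_ACCESS_PREF, False):
        return False, "owner access disabled"
    return True, "owner"

def scenarios():
    """Both deployments from the quoted comment, on constructed sample data."""
    patron = User(patron_id=51)
    staff = User(patron_id=7, permissions=frozenset({"circulate"}))
    renew = Route(required_permission="circulate", allow_owner=True)
    # opacuserlogin is off in both cases; only the new preference differs.
    locked = {"opacuserlogin": 0, OWNER_ACCESS_PREF: False}
    discovery = {"opacuserlogin": 0, OWNER_ACCESS_PREF: True}
    return {
        "locked/patron-own": authorize(patron, renew, 51, locked),
        "locked/staff": authorize(staff, renew, 51, locked),
        "discovery/patron-own": authorize(patron, renew, 51, discovery),
        "discovery/patron-other": authorize(patron, renew, 52, discovery),
    }

if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name:24} allowed={allowed} ({reason})")
```

The ownership comparison runs before the preference lookup, so enabling the preference never widens access beyond a patron's own objects.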