[Koha-bugs] [Bug 21300] New: Restriction of ILS-DI webservice to 1st and 2d level by default
bugzilla-daemon at bugs.koha-community.org
Fri Aug 31 11:40:29 CEST 2018
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=21300
Bug ID: 21300
Summary: Restriction of ILS-DI webservice to 1st and 2d level by default
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Web services
Assignee: koha-bugs at lists.koha-community.org
Reporter: anne-claire.bernaudin at univ-rennes1.fr
QA Contact: testopia at bugs.koha-community.org
The Koha wiki describes a way of restricting access to ILS-DI through an Apache
configuration:
https://wiki.koha-community.org/wiki/APIs_and_protocols_supported_by_Koha#ILS-DI
"ILS-DI
ILS-DI is self-documenting, so in an installation where it is enabled, you can
get some information about it at the URL:
http://koha-opac.example.org/cgi-bin/koha/ilsdi.pl
Because ILS-DI gives access to all your data (items, patrons...), it should be
restricted by allowing IP in the admin interface and/or by disabling services
via the server.
For Apache, these rules can be added to restrict public access only to the
first and second levels of ILS-DI:
<IfModule mod_rewrite.c>
# Rewrite Rules
RewriteEngine On
# Restricted ILS-DI Access: the leading "!" negates the pattern, so any query
# string that does not request one of these four services gets a 403
RewriteCond %{QUERY_STRING} !(^($|(\??|(.*&))service=(Describe|GetAvailability|GetRecords|GetAuthorityRecords)))
RewriteRule ^/cgi-bin/koha/ilsdi\.pl$ - [R=403,L]
</IfModule>
Because an IP can be easily spoofed, the second way is recommended."
It would be great to have this restriction set up by default when installing
Koha, and to have the possibility to open levels 3 and 4 of ILS-DI only if
needed.
This would be more compliant with GDPR (see bug 18081).
Thanks
Anne-Claire
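The Apache rewrite rule quoted from the wiki above, ported to a small Python checker as an added example (not code from the bug report, the wiki or Koha itself) so that the allow/deny decision can be checked offline against sample query strings; the service names GetPatronInfo and AuthenticatePatron used as blocked samples are level 3/4 ILS-DI services not listed on this page, and all sample query strings are constructed.

```python
import re

# The RewriteCond pattern from the Koha wiki, copied verbatim. Apache applies
# it to %{QUERY_STRING}; the "!" in the config negates it, so the 403 rule
# fires whenever the query string does NOT match this pattern.
ALLOWED_PATTERN = re.compile(
    r"^($|(\??|(.*&))service=(Describe|GetAvailability|GetRecords|GetAuthorityRecords))"
)


def ilsdi_request_blocked(query_string: str) -> bool:
    """Return True when the wiki rule would answer 403 for this query string.

    Mirrors the RewriteCond/RewriteRule pair: the rule only applies to the
    /cgi-bin/koha/ilsdi.pl path, so callers pass just the query string part.
    """
    return ALLOWED_PATTERN.search(query_string) is None


def classify(query_strings):
    """Map each query string to 'allowed' or 'blocked' under the wiki rule."""
    return {
        qs: ("blocked" if ilsdi_request_blocked(qs) else "allowed")
        for qs in query_strings
    }


# Constructed sample requests (not taken from any real server log).
SAMPLE_QUERY_STRINGS = [
    "",                                          # bare ilsdi.pl: self-documentation page
    "service=Describe&verb=GetRecords",          # level 1
    "service=GetAvailability&id=1&id_type=bib",  # level 2
    "id=1&service=GetRecords",                   # service= is not the first parameter
    "service=GetPatronInfo&patron_id=1",         # level 3: patron data, blocked
    "service=AuthenticatePatron&username=x",     # level 4: blocked
    "verb=GetRecords",                           # no service= parameter at all
]

if __name__ == "__main__":
    for qs, verdict in classify(SAMPLE_QUERY_STRINGS).items():
        print(f"{verdict:7s}  ilsdi.pl?{qs}")
```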