[Koha-bugs] [Bug 28157] Add the ability to set a library from which an API request pretends to come from

bugzilla-daemon at bugs.koha-community.org
Fri Apr 23 01:19:32 CEST 2021


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28157

--- Comment #14 from David Cook <dcook at prosentient.com.au> ---
(In reply to Martin Renvoize from comment #13)
> (In reply to David Cook from comment #11)
> > I do not understand this at all. In terms of AuthN and AuthZ, you'd want to
> > use the user, so the user session should determine the library...
> > 
> > Why include the library in the route? I think that I must be missing
> > something here.
> 
> Because... with a non-api login you have a cookie with context.. that
> context includes a library for your current session.. it may, or may not
> match the user's homebranch. (You can switch library after all.. assuming
> you've not set independent branches).
> 
> In the API, we don't have such a context.. the user may be at their
> homebranch.. or they may be elsewhere.. so we need some way of conveying
> that to the API for routes that require that data.
>

I think that I understand what you're saying, but I still don't understand why
it would matter. 

If it's about determining which rules to apply to which branch, surely that
branch data should be set in the user session? Why embed it in the API?

> Tomas and I discussed this and agreed that long term.. API v2 long term.. we
> should actually move any routes that require such context under
> /libraries/library_id/whatever/action.. but that's a big change, so for v1
> to get the functionality we opted to add an optional header for it.. which
> defaults to the user's homebranch if not passed.

Do you have any concrete examples? I can't really think of any similar API
endpoints in other systems that would be like that?

> Hope that helps clarify David.

Not really but I really appreciate you taking the time to try to clarify it for
me :).
