[Koha-devel] REST API should not advertise required permissions
David Cook
dcook at prosentient.com.au
Wed Jan 4 01:58:40 CET 2023
Hi all,
I just noticed the following error while testing the REST API:
{"error":"Authorization failure. Missing required permission(s).","required_permissions":{"borrowers":"1"}}
It seems to me that we should just stop at "Authorization failure". While it
might be helpful for a dev to know what the required permissions are, I
think it would also be overly helpful for an attacker to know what
permissions are required too, no?
I suppose Koha is open source, so it wouldn't be hard for them to look them
up anyway, but it just seems odd?
David Cook
Senior Software Engineer
Prosentient Systems
Suite 7.03
6a Glen St
Milsons Point NSW 2061
Australia
Office: 02 9212 0899
Online: 02 8005 0595
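
The trade-off raised in the message above, as an added example that is not part of the original post and is not Koha code: the client receives only the generic failure, while the permission detail goes to the server log under a request id so a developer can still look it up. The function name, the `request_id` field and the 401/403 status check are assumptions; the sample body is the response quoted in the message.

```python
import json
import logging
import uuid

log = logging.getLogger("api.authz")

# Response keys that describe the access policy rather than the outcome.
# "required_permissions" is the key in the response quoted in the post.
POLICY_KEYS = {"required_permissions"}

# The response body quoted in the post, used as sample input.
VERBOSE_BODY = ('{"error":"Authorization failure. Missing required permission(s).",'
                '"required_permissions":{"borrowers":"1"}}')


def split_authz_error(status, body, request_id=None):
    """Return (client_body, withheld) for an outgoing error response.

    Policy detail is removed from the client body and written to the server
    log under a request id (hypothetical field), so the information stays
    available to developers without being sent to the caller.
    """
    if status not in (401, 403):      # assumption: denials use 401/403
        return body, {}
    try:
        payload = json.loads(body)
    except ValueError:                # not JSON: pass through untouched
        return body, {}
    if not isinstance(payload, dict):
        return body, {}
    withheld = {k: payload.pop(k) for k in POLICY_KEYS if k in payload}
    if not withheld:                  # nothing to redact
        return body, {}
    request_id = request_id or uuid.uuid4().hex
    log.warning("authz denied request_id=%s detail=%s",
                request_id, json.dumps(withheld, sort_keys=True))
    payload["error"] = "Authorization failure."
    payload["request_id"] = request_id
    return json.dumps(payload), withheld


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(split_authz_error(403, VERBOSE_BODY)[0])
```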