[Koha-devel] REST API should not advertise required permissions
Galen Charlton
gmc at equinoxoli.org
Wed Jan 4 16:11:12 CET 2023
Hi,
On Tue, Jan 3, 2023 at 7:58 PM David Cook <dcook at prosentient.com.au> wrote:
> It seems to me that we should just stop at “Authorization failure”. While
it
> might be helpful for a dev to know what the required permissions are,
> I think it would also be overly helpful for an attacker to know what
> permissions are required too, no?
I don't feel strongly about it, but lean towards including the details for
the sake of anybody trying to use the API. After all, the game is already
up if the attacker is able to grant additional permissions to the service
account.
This may be a stretch, but another advantage of including the details is to
reduce any temptation to assign the superlibrarian permission to a service
account "just to get it working".
Regards,
Galen
--
Galen Charlton
Implementation and IT Manager
Equinox Open Library Initiative
gmc at equinoxOLI.org
https://www.equinoxOLI.org
phone: 877-OPEN-ILS (673-6457)
direct: 770-709-5581
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.koha-community.org/pipermail/koha-devel/attachments/20230104/fdf7372c/attachment.htm>
More information about the Koha-devel
mailing list