[Koha-devel] REST API should not advertise required permissions

Jonathan Druart jonathan.druart at bugs.koha-community.org
Wed Jan 4 16:24:24 CET 2023


> to assign the superlibrarian permission to a service account "just to get it working"

Looks like the equivalent of `sudo chmod -R 777 *` ;)


On Wed, Jan 4, 2023 at 16:11, Galen Charlton <gmc at equinoxoli.org> wrote:
>
> Hi,
>
> On Tue, Jan 3, 2023 at 7:58 PM David Cook <dcook at prosentient.com.au> wrote:
> > It seems to me that we should just stop at “Authorization failure”. While it
> > might be helpful for a dev to know what the required permissions are,
> > I think it would also be overly helpful for an attacker to know what
> > permissions are required too, no?
>
> I don't feel strongly about it, but lean towards including the details for the sake of anybody trying to use the API. After all, the game is already up if the attacker is able to grant additional permissions to the service account.
>
> This may be a stretch, but another advantage of including the details is to reduce any temptation to assign the superlibrarian permission to a service account "just to get it working".
>
> Regards,
>
> Galen
> --
> Galen Charlton
> Implementation and IT Manager
> Equinox Open Library Initiative
> gmc at equinoxOLI.org
> https://www.equinoxOLI.org
> phone: 877-OPEN-ILS (673-6457)
> direct: 770-709-5581
> _______________________________________________
> Koha-devel mailing list
> Koha-devel at lists.koha-community.org
> https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
> website : https://www.koha-community.org/
> git : https://git.koha-community.org/
> bugs : https://bugs.koha-community.org/
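As an added illustration of the trade-off debated above (example code, not from the thread or from Koha): one defensive middle ground keeps the client-facing 403 body generic while always logging the missing permissions server-side under a reference id, and makes naming them in the response an explicit opt-in. The permission names and the `disclose_required` switch are constructed for the example.

```python
import logging
import uuid

log = logging.getLogger("api.authz")

# Constructed sample data (hypothetical permission names, not Koha's real flags).
SERVICE_ACCOUNT_PERMS = {"catalogue", "circulate"}
PATRON_ENDPOINT_REQUIRES = {"catalogue", "borrowers"}


def authorize(principal_perms, required_perms, disclose_required=False):
    """Check required_perms against principal_perms.

    Returns (http_status, body). Missing permissions are always written to the
    server log under a reference id, so a developer can find out what to grant
    without the client response naming them; the response lists them only when
    disclose_required is explicitly enabled (a constructed config switch).
    """
    missing = sorted(set(required_perms) - set(principal_perms))
    if not missing:
        return 200, {"ok": True}
    ref = str(uuid.uuid4())
    # Full detail stays server-side, keyed by a reference the caller can quote.
    log.warning("authz failure ref=%s missing=%s", ref, ",".join(missing))
    body = {"error": "Authorization failure", "ref": ref}
    if disclose_required:
        body["required_permissions"] = missing
    return 403, body


def demo():
    """Same denied request in both modes, plus a permitted one."""
    generic = authorize(SERVICE_ACCOUNT_PERMS, PATRON_ENDPOINT_REQUIRES)
    detailed = authorize(SERVICE_ACCOUNT_PERMS, PATRON_ENDPOINT_REQUIRES,
                         disclose_required=True)
    allowed = authorize(SERVICE_ACCOUNT_PERMS, {"catalogue"})
    return generic, detailed, allowed


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for status, body in demo():
        print(status, body)
```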

