Backend logic has leaked into the TPAC (and friends)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Confirmed | Wishlist | Unassigned |
Bug Description
Over the years, a good bit of logic that is arguably the concern of middle layer APIs has leaked into the mod_perl code supporting the TPAC and others. This mod_perl code is really a client of the backend, and not an appropriate place to implement business logic that requires access to backend services, so let's push that code out into backend services where we benefit from the ability to scale, handle failures more transparently, and decrease security risks of client-level access to unauthenticated services.
Part of this will be the creation of an "anonymous" mode for pcrud, which will be able to replace cstore calls that would not, in pcrud, require permissions of any kind. These are a fairly common form of logic leakage.
Additionally, uses of json_query, and authentication-
Changed in evergreen:
milestone: none → 2.next
status: New → Confirmed
tags: added: opac; removed: tpac
Here's a branch containing an initial anonymous mode for pcrud.
If the auth token passed is exactly "ANONYMOUS" and there are no permission restrictions attached to the retrieve action for the object, and one of the 'retrieve', 'search', or 'id_list' methods was called, allow the data to flow.
http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/collab/miker/lp-1347774-anon_pcrud_mode
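The gate described in the comment above (and the "anonymous" pcrud mode proposed in the bug description), modelled as a small decision function. This is an added example, not code from the Evergreen branch; the class hints and permission strings it uses are constructed stand-ins for the IDL's permacrud metadata, and it assumes the `open-ils.pcrud.<action>.<hint>` method naming. It goes slightly beyond the comment by failing closed on unknown classes and on any write action.

```perl
# Added example (not Evergreen's own code): a model of the anonymous-mode
# gate described in the comment above. The class hints and permission
# strings below are constructed stand-ins for the IDL's permacrud metadata.
use strict;
use warnings;

# class hint => permission required for the 'retrieve' action
# (undef or empty means no permission restriction is attached)
my %RETRIEVE_PERMS = (
    ccs => '',            # copy statuses: public, no perm
    bre => undef,         # bib records: no permission attribute
    au  => 'VIEW_USER',   # patron records: restricted
);

# Only the read-only pcrud methods may flow without a real session.
my %ANON_METHODS = map { $_ => 1 } qw(retrieve search id_list);

# Split "open-ils.pcrud.<action>.<hint>" into action and class hint.
sub parse_pcrud_method {
    my ($method) = @_;
    return unless defined $method;
    my ($action, $hint) = $method =~ /^open-ils\.pcrud\.([a-z_]+)\.(\w+)$/
        or return;
    return ($action, $hint);
}

# Returns 1 when the call may proceed with token "ANONYMOUS", else 0.
# Anything that does not exactly match the stated rule fails closed.
sub anon_allowed {
    my ($token, $method) = @_;
    # exact match only: no case folding, no whitespace trimming
    return 0 unless defined $token && $token eq 'ANONYMOUS';
    my ($action, $hint) = parse_pcrud_method($method);
    return 0 unless defined $action && $ANON_METHODS{$action};
    # unknown class: deny rather than assume it is unrestricted
    return 0 unless exists $RETRIEVE_PERMS{$hint};
    # any permission on the retrieve action means "not anonymous"
    my $perm = $RETRIEVE_PERMS{$hint};
    return 0 if defined $perm && $perm =~ /\S/;
    return 1;
}

for my $m (qw(open-ils.pcrud.retrieve.ccs open-ils.pcrud.search.au
              open-ils.pcrud.delete.ccs  open-ils.pcrud.id_list.bre)) {
    printf "%-30s %s\n", $m, anon_allowed('ANONYMOUS', $m) ? 'allow' : 'deny';
}
```

With the constructed table, the `ccs` retrieve and `bre` id_list calls are allowed, while the `au` search (permission attached) and the `ccs` delete (write action) are denied.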