http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7804
--- Comment #28 from Ian Walls <[email protected]> ---

It sounds like the basic problem is that with plugins, we don't have any control over what the heck happens. A plugin could do anything, from a nice fancy report to emailing every patron's personal information to a remote server, then deleting the database. The only way to prevent this is to block plugins from running arbitrary code, and only accessing things through a controlled and authenticated API. Even then, unintended stuff can happen (like deleting all your records, or emailing someone something you shouldn't).

It comes down to trust; who do you trust to put code on your system? Right now, the Koha community and your sysadmin are the folks with that power. This patch opens that up to anyone with the 'upload plugins' permission. First order of business is confirming that the patch only goes that far, and doesn't have any holes that can allow other people to run code.

One possible example: if a user has permission to edit permissions, they can basically do anything, including edit themselves to be able to upload and run plugins. Your circle of trust now has to expand to everyone that has this power, too.

What about making the GUI upload function of the plugin interface something that can be deactivated? Then, only the sysadmin could upload and install plugins. This is a person you already trust, and who (likely) is concerned with security, and will do some of that vetting for you before installing something that could be potentially harmful.

I like the idea of being able to create new Reports and Tools pages to do various cool things without having to make them part of Koha proper. It gets us around a lot of the Quote123 problem. But until we can provide a clear, secure API for Koha functions, or a series of hooks/filters like WordPress, I think user-installable code is going to be a risky proposition.
But, with a small modification to restrict code uploads to sysadmins only, we can bypass a lot of the risk with less overall work than a complete M:V:C reimplementation.
