
Bug 22227: Make GET /cities staff only

This patch makes it impossible to access city objects without
privileged access (minimum permissions == catalogue).

It does so by adding the required permissions to the spec. The tests are
adjusted.

To test:
- Apply this patch
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/cities.t
=> SUCCESS: Tests pass!
- Sign off :-D

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
19.05.x
Tomás Cohen Arazi 4 years ago
committed by Nick Clemens
parent
commit
6aadbcc4be
  1. 10
      api/v1/swagger/paths/cities.json
  2. 5
      t/db_dependent/api/v1/cities.t

10
api/v1/swagger/paths/cities.json

@ -60,6 +60,11 @@
"$ref": "../definitions.json#/error"
}
}
},
"x-koha-authorization": {
"permissions": {
"catalogue": "1"
}
}
},
"post": {
@ -153,6 +158,11 @@
"$ref": "../definitions.json#/error"
}
}
},
"x-koha-authorization": {
"permissions": {
"catalogue": "1"
}
}
},
"put": {

5
t/db_dependent/api/v1/cities.t

@ -45,8 +45,7 @@ subtest 'list() tests' => sub {
$schema->storage->txn_begin;
Koha::Cities->search->delete;
my ( $borrowernumber, $session_id ) =
create_user_and_session( { authorized => 0 } );
my ( $borrowernumber, $session_id ) = create_user_and_session({ authorized => 1 });
## Authorized user tests
# No cities, so empty array should be returned
@ -116,7 +115,7 @@ subtest 'get() tests' => sub {
$schema->storage->txn_begin;
my $city = $builder->build_object({ class => 'Koha::Cities' });
my ( $borrowernumber, $session_id ) = create_user_and_session({ authorized => 0 });
my ( $borrowernumber, $session_id ) = create_user_and_session({ authorized => 1 });
my $tx = $t->ua->build_tx( GET => "/api/v1/cities/" . $city->id );
$tx->req->cookies({ name => 'CGISESSID', value => $session_id });
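Review bot: With the session in both `list()` and `get()` now created by `create_user_and_session({ authorized => 1 })` (taking the `authorized => 1` lines as the new side), nothing visible in these hunks still exercises the denial path this commit introduces. A patron without the `catalogue` permission requesting `/api/v1/cities` or `/api/v1/cities/` plus an id should receive 403, and without an assertion for that a later spec edit could reopen the endpoint while the suite stays green. I would keep a second, unprivileged session in each subtest and assert the rejection, as sketched below for `get()`; both subtests continue outside the hunks, so such a check may already exist further down. `create_user_and_session` is also defined outside this page, so it is worth confirming that `authorized => 1` grants only `catalogue` rather than a broader flag, otherwise the test does not pin the minimum permission the spec names.

```perl
# … unchanged: txn_begin, $city built, authorized session created …
my ( $unauth_borrowernumber, $unauth_session_id ) =
  create_user_and_session({ authorized => 0 });
my $unauth_tx = $t->ua->build_tx( GET => "/api/v1/cities/" . $city->id );
$unauth_tx->req->cookies({ name => 'CGISESSID', value => $unauth_session_id });
$t->request_ok($unauth_tx)->status_is(403);
# … unchanged: authorized GET request and its assertions …
```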
