From a5f3815c65c8aaa7d1f7641d4cf8550011729fe1 Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Tue, 12 Sep 2023 10:25:36 +0100
Subject: [PATCH] Bug 34287: Add check on public availability endpoint

A quick check for patron equals current user in the public availability endpoint.

Signed-off-by: Katrin Fischer
Signed-off-by: Nick Clemens
Signed-off-by: Tomas Cohen Arazi
---
 api/v1/swagger/paths/checkouts.yaml | 2 ++
 t/db_dependent/api/v1/checkouts.t | 5 ++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/api/v1/swagger/paths/checkouts.yaml b/api/v1/swagger/paths/checkouts.yaml
index cd07123aff..f38c1e25e6 100644
--- a/api/v1/swagger/paths/checkouts.yaml
+++ b/api/v1/swagger/paths/checkouts.yaml
@@ -411,3 +411,5 @@
 description: Under maintenance
 schema:
 $ref: "../swagger.yaml#/definitions/error"
+ x-koha-authorization:
+ allow-owner: true
diff --git a/t/db_dependent/api/v1/checkouts.t b/t/db_dependent/api/v1/checkouts.t
index d97c9a9ae6..8c16f1f88e 100755
--- a/t/db_dependent/api/v1/checkouts.t
+++ b/t/db_dependent/api/v1/checkouts.t
@@ -342,9 +342,8 @@ subtest 'get_availability' => sub {
 $t->get_ok("/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id")->status_is(401);

 # Only allow availability lookup for self
- $t->get_ok(
- "//$userid:$password@/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id"
- )->status_is(403);
+ $t->get_ok("//$userid:$password@/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id")
+ ->status_is(403);

 # All ok
 $t->get_ok(
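Review bot: The new `x-koha-authorization` / `allow-owner: true` keys in checkouts.yaml put the whole "patron equals current user" rule in the spec, and the visible test lines pin only two outcomes: 401 without credentials and 403 for what is presumably another patron's `patron_id`. Requests from an authenticated user that omit `patron_id` or send a malformed one are not exercised in the part of `get_availability` shown here, so it is unclear whether they are rejected or fall through to the handler; a `status_is(...)` assertion for each would fix that behaviour in place. Whether the controller re-checks the patron itself cannot be seen from this patch, so the spec entry may be the only guard. A comment above the key such as `# public route: callers may only query availability for their own patron_id` would record the intent. It would also make an accidental removal or mis-indentation of the key easier to catch in review.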