
Bug 13799: Add cookie-based authentication to REST API

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
3.22.x
Julian Maurice 8 years ago
committed by Tomas Cohen Arazi
parent
commit
b4c6ad6603
  1. 14
      Koha/REST/V1.pm
  2. 22
      Koha/REST/V1/Borrowers.pm
  3. 12
      api/v1/swagger.json

14
Koha/REST/V1.pm

@ -3,15 +3,23 @@ package Koha::REST::V1;
use Modern::Perl;
use Mojo::Base 'Mojolicious';
use C4::Auth qw( check_cookie_auth get_session );
use Koha::Borrowers;
sub startup {
my $self = shift;
my $route = $self->routes->under->to(
cb => sub {
my $c = shift;
my $user = $c->param('user');
# Do the authentication stuff here...
$c->stash('user', $user);
my ($status, $sessionID) = check_cookie_auth($c->cookie('CGISESSID'));
if ($status eq "ok") {
my $session = get_session($sessionID);
my $user = Koha::Borrowers->find($session->param('number'));
$c->stash('koha.user' => $user);
}
return 1;
}
);
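Review bot: The `under` callback ends with an unconditional `return 1;`, so a request whose CGISESSID cookie is missing or fails `check_cookie_auth` is not stopped here — it reaches the action with no `koha.user` in the stash and every controller has to enforce that itself, a fail-open default worth stating in a comment above the callback, e.g. `# Does not reject requests: only populates 'koha.user'; each action must check it.`. Between `get_session` and `find`, the session's `number` param is passed to `Koha::Borrowers->find` without a definedness check; `my $number = $session->param('number');` followed by `$c->stash('koha.user' => Koha::Borrowers->find($number)) if defined $number;` avoids stashing whatever `find(undef)` returns. If the earlier `my $user = $c->param('user');` / `$c->stash('user', $user);` lines survive on the new side (their side is not marked here), the inner `my $user` shadows that variable and the old placeholder stash should be dropped. Since the session cookie is now the API credential, any non-GET route added later will need CSRF protection; a one-line note on this hook would help future authors.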

22
Koha/REST/V1/Borrowers.pm

@ -4,11 +4,17 @@ use Modern::Perl;
use Mojo::Base 'Mojolicious::Controller';
use C4::Auth qw( haspermission );
use Koha::Borrowers;
sub list_borrowers {
my ($c, $args, $cb) = @_;
my $user = $c->stash('koha.user');
unless ($user && haspermission($user->userid, {borrowers => 1})) {
return $c->$cb({error => "You don't have the required permission"}, 403);
}
my $borrowers = Koha::Borrowers->search;
$c->$cb($borrowers->unblessed, 200);
@ -17,13 +23,21 @@ sub list_borrowers {
sub get_borrower {
my ($c, $args, $cb) = @_;
my $borrower = Koha::Borrowers->find($args->{borrowernumber});
my $user = $c->stash('koha.user');
if ($borrower) {
return $c->$cb($borrower->unblessed, 200);
unless ( $user
&& ( $user->borrowernumber == $args->{borrowernumber}
|| haspermission($user->userid, {borrowers => 1}) ) )
{
return $c->$cb({error => "You don't have the required permission"}, 403);
}
my $borrower = Koha::Borrowers->find($args->{borrowernumber});
unless ($borrower) {
return $c->$cb({error => "Borrower not found"}, 404);
}
$c->$cb({error => "Borrower not found"}, 404);
return $c->$cb($borrower->unblessed, 200);
}
1;
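Review bot: `$user->borrowernumber == $args->{borrowernumber}` in get_borrower compares the path parameter numerically; unless the swagger spec constrains `borrowernumber` to an integer (not visible in this section), a non-numeric value warns and compares as 0, so an explicit check such as `return $c->$cb({error => "Invalid borrowernumber"}, 400) unless $args->{borrowernumber} =~ /\A\d+\z/;` before the comparison would make the intent clear. Doing the permission check before the `find` is the right order, since the 403 then does not disclose whether a borrower exists. The same `haspermission($user->userid, {borrowers => 1})` guard and error string now appear in both list_borrowers and get_borrower; a small private helper such as `_can_access_borrowers($user)` would keep the two in step. list_borrowers' body continues past the first hunk.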

12
api/v1/swagger.json

@ -31,6 +31,12 @@
"$ref": "#/definitions/borrower"
}
}
},
"403": {
"description": "Access forbidden",
"schema": {
"$ref": "#/definitions/error"
}
}
}
}
@ -55,6 +61,12 @@
"$ref": "#/definitions/borrower"
}
},
"403": {
"description": "Access forbidden",
"schema": {
"$ref": "#/definitions/error"
}
},
"404": {
"description": "Borrower not found",
"schema": {
