Bug 13799: Add cookie-based authentication to REST API

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
8 years ago · b4c6ad6603
3 changed files with 41 additions and 7 deletions
--- a/Koha/REST/V1.pm
+++ b/Koha/REST/V1.pm
@ -3,15 +3,23 @@ package Koha::REST::V1;
 use Modern::Perl;
 use Mojo::Base 'Mojolicious';

+use C4::Auth qw( check_cookie_auth get_session );
+use Koha::Borrowers;
+
 sub startup {
    my $self = shift;

    my $route = $self->routes->under->to(
        cb => sub {
            my $c = shift;
-            my $user = $c->param('user');
-            # Do the authentication stuff here...
-            $c->stash('user', $user);
+
+            my ($status, $sessionID) = check_cookie_auth($c->cookie('CGISESSID'));
+            if ($status eq "ok") {
+                my $session = get_session($sessionID);
+                my $user = Koha::Borrowers->find($session->param('number'));
+                $c->stash('koha.user' => $user);
+            }
+
            return 1;
        }
    );
--- a/Koha/REST/V1/Borrowers.pm
+++ b/Koha/REST/V1/Borrowers.pm
@ -4,11 +4,17 @@ use Modern::Perl;

 use Mojo::Base 'Mojolicious::Controller';

+use C4::Auth qw( haspermission );
 use Koha::Borrowers;

 sub list_borrowers {
    my ($c, $args, $cb) = @_;

+    my $user = $c->stash('koha.user');
+    unless ($user && haspermission($user->userid, {borrowers => 1})) {
+        return $c->$cb({error => "You don't have the required permission"}, 403);
+    }
+
    my $borrowers = Koha::Borrowers->search;

    $c->$cb($borrowers->unblessed, 200);
@ -17,13 +23,21 @@ sub list_borrowers {
 sub get_borrower {
    my ($c, $args, $cb) = @_;

-    my $borrower = Koha::Borrowers->find($args->{borrowernumber});
+    my $user = $c->stash('koha.user');

-    if ($borrower) {
-        return $c->$cb($borrower->unblessed, 200);
+    unless ( $user
+        && ( $user->borrowernumber == $args->{borrowernumber}
+            || haspermission($user->userid, {borrowers => 1}) ) )
+    {
+        return $c->$cb({error => "You don't have the required permission"}, 403);
+    }
+
+    my $borrower = Koha::Borrowers->find($args->{borrowernumber});
+    unless ($borrower) {
+        return $c->$cb({error => "Borrower not found"}, 404);
    }

-    $c->$cb({error => "Borrower not found"}, 404);
+    return $c->$cb($borrower->unblessed, 200);
 }

 1;
--- a/api/v1/swagger.json
+++ b/api/v1/swagger.json
@ -31,6 +31,12 @@
                "$ref": "#/definitions/borrower"
              }
            }
+          },
+          "403": {
+            "description": "Access forbidden",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
          }
        }
      }
@ -55,6 +61,12 @@
              "$ref": "#/definitions/borrower"
            }
          },
+          "403": {
+            "description": "Access forbidden",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
+          },
          "404": {
            "description": "Borrower not found",
            "schema": {