Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
So far the administration module only allowed for 2 permissions:
- circulation conditions (manage_circ_rules)
- everything else (parameters_remaining_permissions)
With this patch almost every section of the administration page
will have its own granular permission.
To test:
- Create different staff users:
1) One with parameters_remaining_permissions
2) One with parameters
3) One with catalogue and no parameters
4) One superlibrarian
- Apply the patch
- Run the database update
- Check the staff users:
1) All subpermissions, but manage_circ_rules
should be checked
2) Nothing should have changed
3) manage_item_serach_fields shoudl be checked
(page had catalogue permission before)
4) Nothing should have changed
- Try different settings of the permissions and
verify that
- Administration page behaves correctly
- Administration menu behaves correctly
! You shoudl only see what you have permission for
https://bugs.koha-community.org/show_bug.cgi?id=14391
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Barry Cannon <bc@interleaf.ie>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
This patch makes the tests for 'authorized' session use the
'stockrotation' permission instead of 'superlibrarian'.
The path x-koha-permission is fixed accordingly.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
The stock rotation feature adds a batch process to automate rotation of
catalgue items with a staff client page under tools to manage rotas/schedules.
Once a rota is configured, and your staff user has the right permissions
to allocate items, then an additional tab will appear on biblio records
allowing the management of of which rota, if any, individual items belong to.
It also includes a cron script to process the items on a daily basis.
Signed-off-by: Kathleen Milne <kathleen.milne@cne-siar.gov.uk>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Edit: I removed a temporary file
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch splits the balance to match this object schema:
{
balance => #,
outstanding_credits => {
total => #,
lines => [ credit_line_1, ..., credit_line_n ]
},
outstanding_debits => {
total => #,
lines => [ debit_line_1, ..., debit_line_m ]
}
}
This change is made to ease usage from the UI. Also because the
outstanding credits need to be applied to outstanding debits in order to
the balance value to make sense. So we still need to have each total.
Tests are added for this change, and the schema files are adjusted as
well.
To test:
- Apply this patch
- Run:
$ kshell
k$ prove t/db_dependent/api/v1/patrons_accounts.t
=> SUCCESS: Tests pass!
- Sign off :-D
staff_id is changed into user_id as voted on the dev meeting the RFC got
approved.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch adds the OpenAPI spec for the following paths:
- /patrons/{patron_id}/account
It also adds object definitions for:
- balance
- account line
Account line is to be used on both /account/lines (when implemented)
and for embeding the outstanding lines in the balance endpoint
(/patrons/{patron_id}/account).
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
It implements only the "client credentials" flow with no scopes
support. API clients are tied to an existing patron and have the same
permissions as the patron they are tied to.
API Clients are defined in $KOHA_CONF.
Test plan:
0. Install Net::OAuth2::AuthorizationServer 0.16
1. In $KOHA_CONF, add an <api_client> element under <config>:
<api_client>
<client_id>$CLIENT_ID</client_id>
<client_secret>$CLIENT_SECRET</client_secret>
<patron_id>X</patron_id> <!-- X is an existing borrowernumber -->
</api_client>
2. Apply patch, run updatedatabase.pl and reload starman
3. Install Firefox extension RESTer [1]
4. In RESTer, go to "Authorization" tab and create a new OAuth2
configuration:
- OAuth flow: Client credentials
- Access Token Request Method: POST
- Access Token Request Endpoint: http://$KOHA_URL/api/v1/oauth/token
- Access Token Request Client Authentication: Credentials in request
body
- Client ID: $CLIENT_ID
- Client Secret: $CLIENT_SECRET
5. Click on the newly created configuration to generate a new token
(which will be valid only for an hour)
6. In RESTer, set HTTP method to GET and url to
http://$KOHA_URL/api/v1/patrons then click on SEND
If patron X has permission 'borrowers', it should return 200 OK
with the list of patrons
Otherwise it should return 403 with the list of required permissions
(Please test both cases)
7. Wait an hour (or run the following SQL query:
UPDATE oauth_access_tokens SET expires = 0) and repeat step 6.
You should have a 403 Forbidden status, and the token must have been
removed from the database.
8. Create a bunch of tokens using RESTer, make some of them expires
using the previous SQL query, and run the following command:
misc/cronjobs/cleanup_database.pl --oauth-tokens
Verify that expired tokens were removed, and that the others are
still there
9. prove t/db_dependent/api/v1/oauth.t
[1] https://addons.mozilla.org/en-US/firefox/addon/rester/
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch introduces two functions to the patrons endpoint:
- _to_api
- _to_model
This are in charge of field mappings in order to comply with the
guidelines.
Koha::REST::V1:Auth is adjusted to handle 'patron_id' as well. 'borrowernumber'
handling is kept until the existing endpoints get updated.
To test:
- Apply the patches
- Run:
$ kshell
k$ prove t/db_dependent/api/v1/*.t
=> SUCCESS: Tests pass!
- Sign off :-D
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch removes the $ref occurences for borrowernumber in not
patron-specific endpoints. 'borrowernumber' is still used on them, but as a
hardcoded parameter. The param rename will happen on a separate bug for
each endpoint.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch refactors the original work so it implements the controllers
and the spec using Mojolicious::Plugin::OpenAPI, and OpenAPI for the specification.
It removes the ability for patrons without permissions to edit their own data or their
guarantee's. This will be moved to a patron modification requests endpoint for simplicity.
It makes use of bugs 19410 and 19686 and their dependencies to deal with parameters handling,
query building and pagination.
Tests are adapted.
To test:
- Apply this patches and the dependencies
- Run:
$ kshell
k$ prove t/db_dependent/api/v1/patrons.t
=> SUCCESS: Tests pass!
- Sign off :-D
Sponsored-by: ByWater Solutions
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds support for add, edit and delete patrons via REST API.
GET /api/v1/patrons Get patron list from params
GET /api/v1/patrons/<borrowernumber> Get single patron
POST /api/v1/patrons Create a new patron
PUT /api/v1/patrons/<borrowernumber> Update data about patron
DEL /api/v1/patrons/<borrowernumber> Delete a patron
Revised Test plan:
1) Apply this patch
2) Run tests perl t/db_dependent/api/v1/patrons.t
3) Add a user with proper rights to use the REST API
4) play with your favourite REST client (curl/httpie, etc.):
Authenticate with the user created above and get a CGISESSION id.
Use the CGISESSION to add, edit and delete patrons via the API.
5) Use PUT /patrons/<borrowernumber> for a patron without borrowers
flag. This should go into pending patron modification status and
needs to be accepted by a librarian.
Please note there is no validation of body input in PUT/POST other
than branchcode,category,userid,cardnumber.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch implements the changes required by the cities endpoint RFC
[1].
It uses the objects.search helper, and relies on bug 19686.
To test:
- Apply the patches
- Compare the spec with the RFC (api/v1/swagger/definitions/city.json)
=> SUCCESS: It makes sense
- Run:
$ kshell
k$ prove t/db_dependent/api/v1/cities.t
=> Tests pass!
- Sign off :-D
Signed-off-by: Claire Gravely <claire.gravely@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Fields 'address' and 'city' have been maybe nullable by this bug. This
patch makes them nullable on the API as well.
To test:
- Run:
$ kshell
k$ prove t/db_dependent/api/v1/patrons.t
=> FAIL: Tests fail (randomly) when address or city are set to null by
TestBuilder.
- Apply this patch
- Run:
k$ prove t/db_dependent/api/v1/patrons.t
=> SUCCESS: Tests pass!
- Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There is something wrond here, the userenv is no set and so we cannot
user search_limited.
Should we set the userenv or filter on the libraries using
libraries_where_can_see_patrons?
WAITING FOR FEEDBACK HERE.
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
1/ Use your usual "REST testing" tool to place a title-level hold with
an itemtype. The request should look like this:
POST /api/v1/holds
{
"borrowernumber": 1234,
"biblionumber": 456,
"branchcode": "CPL",
"itemtype": "A"
}
2/ Check that the hold was placed and the itemtype is correctly selected
3/ prove t/db_dependent/api/v1/holds.t
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch re-adds some parameters I left out during some rebasing tasks
and ended up on a separate patchset (bug 18731).
The introduced parameters definitions are only used on endpoint definitions
that implement (at least) pagination. No need to test them here but easier
adding them here than on a patch implementing a new enpoint, which would become
a dependency for other endpoints.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch moves the current endpoint implementation from Swagger2 to
the OpenAPI plugin.
It also takes advantage of the overloaded Koha::Illrequest::TO_JSON method
which has now the option to embed what's needed for the REST api.
The path spec is adjusted to fit OpenAPI, and some minor fixes are
applied:
- Missing 'metadata' query param
- 'ill' permissions should be required instead of 'borrowers'
- Full test coverage
To test:
- Apply this patch
- Run:
$ kshell
k$ prove t/db_dependent/api/v1/illrequests.t
=> SUCCESS: Tests pass!
- Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This Commit is at the heart of adding an interlibrary loans framework
for Koha. The framework does not prescribe a particular workflow.
Instead it provides a general framework that can be extended &
implemented by individual backends whose responsibility it is to
implement a specific workflow.
The module is largely self-sufficient: it adds new tables to the Koha
database and touches only a few files in the Koha source tree.
Primarily, we add our files to the Makefile and the koha-conf.xml,
define ill paths for the REST API, and introduce links from the main
intranet, opac pages & user permissions.
Outside of this we simply add new files & functionality.
Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Trying to clarify some of the descriptions.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch introduces an /acquisitions/vendors endpoint.
To test:
- Apply the patch
- Run:
$ sudo koha-shell kohadev
k$ prove t/db_dependent/api/v1/acquisitions_vendors.t
=> SUCCESS: Tests pass
- Sign off :-D
Sponsored-by: ByWater Solutions
Signed-off-by: Matthias Meusburger <matthias.meusburger@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
operationId has the following documentation:
"Unique string used to identify the operation. The id MUST be unique among all
operations described in the API."
This patch modifies operationIds to be unique accross our API operations.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Before this file grows, we should sort it alphabetically.
To test:
1. prove t/db_dependent/api/v1
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Mojolicious::Plugin::OpenAPI does not support x-mojo-around action. This patch
removes it from our specification document.
Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti@jns.fi>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Also
- adding some missing and new response definitions into Swagger spec.
- fixing failing tests due to Bug 17932's change of boolean values
To test:
1. prove t/db_dependent/api/v1/holds.t
Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti@jns.fi>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Also:
- adding some missing and new response definitions into Swagger spec.
To test:
1. prove t/db_dependent/api/v1/cities.t
Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti@jns.fi>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Also:
- adding some missing and new response definitions into Swagger spec.
- fixing failing test due to Bug 17932's change of boolean values
To test:
1. prove t/db_dependent/api/v1/patrons.t
Signed-off-by: Olli-Antti Kivilahti <olli-antti.kivilahti@jns.fi>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
prove api/v1/swagger/definitions/patron.json
must return green
Signed-off-by: Lee Jamison <ldjamison@marywood.edu>
swagger/definitions.t test returns green
Recently, there's been a major fix on the REST api swagger spec,
which involved fixing boolean values so they are actually booleans
and Koha::Object was extended to handle that.
While the swagger spec for this endpoint got fixed, such is not the case
with the implementation (the controller class).
This patch fixes this situation by:
- Specifying boolean properties as boolean in the schema file
- Fixes the controller so it returns Koha::Hold objects instead of the
hashref returned by GetReserve, which is wrong.
- Better (than empty) descriptions are added to 'suspend',
'suspend_until' and 'lowestPriority' on the spec.
To test:
- Run:
$ sudo koha-shell kohadev
k$ cd kohaclone
k$ prove t/db_dependent/api/v1/holds.t
=> FAIL: Tests fail, mostly due to error 500 results.
- Apply this patch
- Run:
k$ prove t/db_dependent/api/v1/holds.t
=> SUCCESS: Tests pass!
- Sign off :-D
This can also be tested using any interface for REST apis.
Note: This endpoint lacks several of the new guidelines and is not
complete (there's no GET for single holds, etc). It is also missing
exception handling. There are probably
other bug reports for that, just thought it was worth mentioning.
Followed test plan and this patch worked as intended
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch changes current Swagger definitions for patrons and holds to have
data types corresponding to column data types in their database tables.
To test:
1. GET http://yourlibrary/api/v1/patrons/YYY where YYY is existing borrowernumber
2. Observe that numbers / integers are in string data type.
3. Apply this patch
4. Repeat step 1.
5. Observe that numbers / integers are now actually numbers / integers.
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Routes for holds have tags called "borrowers". We should use "patrons" instead
in order not to have both (endpoints for patrons already add "patrons").
This patch changes the tags from borrowers to patrons in:
GET /holds
POST /holds
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The swagger file does not consider borrowers.updated_on as a nullable
value, it should
Test plan:
0/ Do not apply this patch
1/ update borrowers set updated_on=null;
2/ prove t/db_dependent/api/v1/patrons.t
=> Fail
3/ Apply this patch
4/ prove t/db_dependent/api/v1/patrons.t
=> green
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch makes the patron swagger definition match the DB schema.
To test:
- Run:
$ prove t/db_dependent/api/v1/swagger/definitions.t
=> FAIL: 'lastseen' field is not declared in the swagger definition
- Apply the patch
- Run:
$ prove t/db_dependent/api/v1/swagger/definitions.t
=> SUCCESS: Tests pass!
- Sigh off :-D
Sponsored-by: ByWater Solutions
Signed-off-by: Hector Castro <hector.hecaxmmx@gmail.com>
All tests pass successfuly
Signed-off-by: Lari Taskula <lari.taskula@jns.fi>
Fixed a typo: seed -> seen
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This followup alters a few area's to be aligned more closely with
RESTfull best practices:
* PUT should always be full objects, and not partial updates (use PATCH
for partials)
* Validate query parameters instead of blindly passing them to the model
* Functional Change: Convert filter params from 'equality' to 'starts with'
matching
* Update tests to check for swagger validation errors instead of koha exceptions
* Mark 'id' as readOnly so swagger may prevent, via validation, id
changes.
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This patch adds the swagger definitions for the /cities endpoint
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
The swagger specification file is currently being minified adding
manual steps to release management and restful api route development.
The minification is not required; The deferenced version of the
specification is now internally validated at runtime and relavant errors
output and the dereferenced schema has been made publically available at
/api/v1/spec, so it can be copy&pasted into validation tools
Test Plan
1) Apply patch
2) Ensure api routes still function (applying the /cities patch might be
helpful)
3) Ensure /api/v1/spec page exists (it should be the de-referenced
swagger.json file)
Signed-off-by: Claire Gravely <claire_gravely@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
To test:
1. Run t/db_dependent/api/v1/holds.t
2. Run t/db_dependent/api/v1/patrons.t
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Define 'x-koha-permission' for the Swagger2 Operation Object, to automatically
authorize against the required permissions.
This way we immediately tell the API consumer in the Swagger2-definition, which
permissions are needed to access defined resources.
Also we don't need to maintain permissions in multiple locations and we can build
a smart testing framework to help a lot in creating tests for the new REST API.
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
