This patch adds tests for the change. It also simplifies the delete()
method structure a bit. It fixes the error 500 the tests were raising.
To test:
1. Run:
$ kshell
k$ prove t/db_dependent/api/v1/patrons.t
=> FAIL: Tests fail!
2. Apply this patch
3. Repeat 1
=> SUCCESS: Tests pass! The new behaviour (code 403) is tested!
4. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch introduces API routes for handling SMTP servers.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch fixes the logic in a condition to address the fact that
permissions are not checked for plugins. This was due to bad parenthesis
pairing and the lack of good tests for this.
To test:
1. Apply the regression tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/REST/Plugin/PluginRoutes.t
=> FAIL: Tests fail because of bad logic
3. Apply this patch
4. Repeat (2)
=> SUCCESS: Tests pass!
5. Verify the tests cover the use cases that are needed:
- Anonymous access
- Real user with wrong permissions (parameters => 1)
- Real user with right permissions (borrowers => 1)
=> SUCCESS: Needed use cases so we catch any regression are found
6. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Joonas Kylmälä <joonas.kylmala@helsinki.fi>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch makes the controller not expect that there will always be all
the email fields. So it now checks if an email field was passed, and
changed, and renders the error if that stands.
To test:
1. Run:
$ kshell
k$ prove t/db_dependent/api/v1/patrons.t
=> FAIL: Tests written by Nick highlight a problem
2. Apply this patch
3. Repeat 1
=> SUCCESS: Problems solved
4. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
The API was only catching the primary email change case, but we need to
catch email, emailpro and B_email.
We were also not accounting for any of the emails (on PUT or from the
DB) being undefined.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
1. Introduce a typo in swagger.json or another spec json file.
2. Restart plack if used or try to access the REST APIs
3. Without the patch, verify that an incomplete error message and potentially lots of stack trace are logged.
4. With the patch, verify that much more meaningful error messages are logged and stack trace is omitted.
5. Fix the problem introduced in step 1 and verify that no messages are logged, or only warning about bundle is logged with Debian Stretch.
6. Repeat with a REST API plugin.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch implements necesary code to implement non priority feature
To test:
1) Apply all patches.
2) Run updatedatabase.
3) Checkout a specific item for patron1.
4) Place a hold on the same item for patron2 (do not check non priority
hold checkbox).
5) Try to renew the item for patron1.
CHECK => in checkouts table, there is a message that the item could not
be renewed because there was a hold.
6) Cleanup all checkouts and holds.
7) repeat steps 3 to 5, but this time check the non priority checkbox.
SUCCESS => item was renewed
8) prove t/db_dependent/Holds.t
Signed-off-by: Lisette Scheer <lisettes@latahlibrary.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
rel_file returns the path anyway
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
By default, JSON::Validator::OpenAPI tries to fetch the
swagger v2 schema from http://swagger.io/v2/schema.json.
If you've installed from CPAN, JSON::Validator::OpenAPI will
come with a cached copy, so it won't try to fetch it over HTTP.
However, if you've installed from libjson-validator-perl
from Debian/Ubuntu, the Debian package excludes the cached copy,
so JSON::Validator::OpenAPI tries to fetch it over HTTP.
Unfortunately, today and other days in the past, the file at
http://swagger.io/v2/schema.json has been unavailable, and this causes
Koha to crash in a perpetual loop.
This patch includes a copy of the swagger v2 schema, and it loads
it locally rather than fetching over HTTP.
The changes to Koha/REST/Plugin/PluginRoutes.pm are not required,
since the validator isn't currently called there, but I've added
a patch to future proof it.
To Test:
0a) Remove /usr/share/perl5/JSON/Validator/cache/36d1bd12eeed51e86c8695bd8876a9df
if it exists
0b) Block external access to http://swagger.io/v2/schema.json or
test during an outage when it's unavailable
0c) Do not apply patch
1) koha-plack --restart kohadev
2) Note that it crashes in a loop and is unavailable in web browser
3) Apply patch
4) koha-plack --restart kohadev
5) Note that Koha comes up and there are no errors in the Plack logs
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch fixes the behaviour for the POST /holds route. It assumed
maxreserves was checked in CanItemBeReserved which is not the case.
Tests are added to check for this behaviour.
To test:
1. Apply the regression tests
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/holds.t
=> FAIL: Tests fail!
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
5. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch introduces handling for per_page=-1 and actually adds a
missing feature to the API: being able to request all resources on a
route.
To test this:
1. Visit the libraries admin page
2. On the table, choose to display 'All' rows
=> FAIL: it doesn't refresh, the browser console displays a 500 error
code and so the logs
3. Apply the tests patches
4. Run:
$ kshell
k$ prove t/Koha/REST/Plugin/Pagination.t \
t/db_dependent/Koha/REST/Plugin/Objects.t
=> FAIL: Tests fail loudly
5. Apply this patch
6. Restart plack
7. Repeat 2
=> SUCCESS: choosing to display all, works
8. Repeat 4
=> SUCCESS: Tests pass now!
9. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch adds a checkbox to make holds created by club hold to default to patron's home branch if possible.
To test:
1. Apply this patch
2. Create a club, and add two patrons (from now on called patron A and patron B) to it, each one form a different library..
3. Create a hold for the club, and in the details set pickup location different from any of the patrons.
4. Check "Pickup at patron's home library when possible" checkbox
SUCCESS => when submitted, pickup location of holds defaults to patron's home branch
5. Modify patron A's library and set pickup location to no.
6. Repeat steps 3 and 4.
SUCCESS => when submitted, patron A's hold now points to pickup location setted on step 3, and patron B's hold still points to his home branch.
7. Sign off
Sponsored-by: Southeast Kansas Library - SEKLS
Signed-off-by: Jason Robb <jrobb@sekls.org>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
t/db_dependent/api/v1/illrequests.t .. Use of uninitialized value $hidden_statuses_string in split at /kohadevbox/koha/Koha/REST/V1/Illrequests.pm line 61.
Use of uninitialized value $hidden_statuses_string in split at /kohadevbox/koha/Koha/REST/V1/Illrequests.pm line 61.
Use of uninitialized value $hidden_statuses_string in split at /kohadevbox/koha/Koha/REST/V1/Illrequests.pm line 61.
Use of uninitialized value $hidden_statuses_string in split at /kohadevbox/koha/Koha/REST/V1/Illrequests.pm line 61.
Use of uninitialized value $hidden_statuses_string in split at /kohadevbox/koha/Koha/REST/V1/Illrequests.pm line 61.
t/db_dependent/api/v1/illrequests.t .. ok
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Currently, the main table of ILL requests will display all ILL
requests in the database, regardless of their status. For libraries
with active ILL this quickly leads to a lot of requests being displayed,
and the main page of the ILL module taking a long time to load. This
patch proposes to fix this by introducing the ILLHiddenRequestStatuses
syspref, which can take a pipe-separated list of ILL statuses that
will be hidden from view in the ILL module. This means that the
only way to find a hidden request will be through a report.
To test:
- Apply the patch and make sure the atomic database update is run
- Make sure you have a few ILL requests, with at least two different
statuses
- Check that all requests are still displayed in the main table of
ILL requests
- Add one of the statuses* you have in your database to the
ILLHiddenRequestStatuses syspref, reload the ILL module frontpage
and verify that requests with the given status are not displayed
- Change the syspref to another status and verify requests with
that status are now hidden
- Change the syspref to hold both statuses, separated by the pipe
symbol (e.g.: A|B). Verify that no requests with the given
statuses are now displayed
- Run the ILL REST API tests, e.g.:
$ sudo koha-shell -c "prove t/db_dependent/api/v1/illrequests.t" kohadev
* = The ILLHiddenRequestStatuses syspref should hold status codes, like
"REQ" and "NEW", not their human readable counterparts.
Signed-off-by: Andrew Isherwood <andrew.isherwood@ptfs-europe.com>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch makes the helper paginate the resultsif no pagination
parameters are passed.
Page number defaults to 1, and the page size to the RESTdefaultPageSize
syspref value.
To test:
1. Apply the regression tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/REST/Plugin/Objects.t
=> FAIL: Pagination is not enforced by default
3. Apply this patch
4. Repeat 2
=> SUCCESS: Results are paginated
5. Sign off :-D
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
We must utf8 encode the string before json decoding it.
Test plan:
Use "❤" and play with the library search (bug 25288) and Postman to
generate queries using it.
This patch prevents 500:
[2020/06/16 14:11:37] [ERROR] GET /api/v1/libraries: unhandled exception (Mojo::Exception)<<Wide character in subroutine entry at /kohadevbox/koha/Koha/REST/Plugin/Objects.pm line 107.>> Koha::REST::Plugin::Exceptions::__ANON__ /kohadevbox/koha/Koha/REST/Plugin/Exceptions.pm (73)
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch makes the API set more userenv params than just the
borrowernumber. To test:
1. Apply this patch
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/auth_*
=> SUCCESS: All tests pass
3. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch makes the authentication step stash the user that got
authenticated so code outside the Mojo part of Koha can use it (i.e.
through the use of C4::Context->userenv).
To test:
1. Apply the regression tests
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t \
t/db_dependent/api/v1/auth_basic.t
=> FAIL: Tests fail!
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch implements the required logic in the API code so plugins are
not affected by the new RESTPublicAnonymousRequests system preference.
It is up to the plugin develpers to handle this
To test:
1. Apply the tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/REST/Plugin/PluginRoutes.t
=> FAIL: Notice the tests fail
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass! Yay! Not bad for a friday evening!
5. Sign off :-D
Sponsored-by: ByWater Solutions
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The original development started before the changes we introduced in the guidelines in late 2019, and the major code changes that took place in January 2020.
- Attribute mapping logic is now on the Koha::Object-level (the patches implement that, but are not using it)
- Related to the above, some helper methods like to_api and to_model are kept, the same for the mappings in the controller, they should all go away
- Related to the above, set_from_api and new_from_api should be used instead of using helper to_api and to_model methods in the controller
- $c->objects->search doesn't use the to_model and to_api params
- Response status codes need to be changed, at least for DELETE operations
Those are fixed by this patch.
To test:
1. Apply this patch
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/advanced_editor_macros.t
=> SUCCESS: Tests pass!
3. Sign off :-D
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
To test:
1. Edit the Koha/REST/V1/Cities.pm 'list' method adding
die("Nada"); before the render step.
2. Restart plack and try the endpoint
=> SUCCESS: The message is generic, but you see something is
logged in /var/log/koha/kohadev/api-error.log
3. Change die("Nada"); for a real exception like:
use Koha::Exceptions;
Koha::Exceptions::DuplicateObject->throw("Nada");
4. Repeat 2.
=> SUCCESS: The message is generic, but a meaningful text is added to
the logs.
5. Point your browser to the /api/v1/hola route from your dev
environment
=> FAIL: Wow, such a weird error
6. Apply this patch
7. Restart plack and repeat 2, 3 and 4
=> SUCCESS: No behaviour change
8. Repeat 5
=> SUCCESS: The regular Mojolicious 404 weird page
9. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The original code for Koha::REST::V1::Auth::under called
authenticate_api_request when requesting the API spec. This didn't make
sense, and recent changes on what conditions are tested for public
routes, broke the route.
We could add another condition, but it really doesn't make sense to call
authenticate_api_request if it should be publicly available in any
configuration, as discussed on the bug.
This patch adds a trivial check and the requested route, and lets the
request through in any case in 'under'.
To test:
1. Point your browser to:
http://kohadev.myDNSname.org:8080/api/v1/http://kohadev.myDNSname.org:8080/api/v1/.html
=> FAIL: In both cases you get an authorization error.
2. Apply the regression tests patch
3. Run:
$ kshell
k$ prove t/db_dependent/api/v1/auth.t
=> FAIL: The tests reflect the situation, and fail
4. Apply this patch
5. Repeat 1 and 3
=> SUCCESS: All good!
6. Sign off :-D
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
To test:
1 - Enable AdvancedCatalogingEditor
2 - Add some macros (they don't need to be valid, just have content)
3 - Apply patches
4 - updatedatabase
5 - Set user to have 'create_shared_macros' and 'delete_shared_macros'
6 - Load the advanced editor (Cataloging->Advanced editor)
7 - Click on 'Macros'
8 - Previous macros should not show, but you should have a 'Convert' button
9 - Convert old macros and confirm they show
10 - Edit the macros, changing content and the public checkbox, confirm 'Saved' shows in the top right of editor when updating
11 - Have at least on valid macro and run it, e.g.:
new 100=Testing this out
12 - Run the macro, confirm it runs
13 - Try a macro with gibberish, confirm there is an error when running
14 - Ensure you have a few macros marked public
15 - In a private browser window sign in as a patron with neither shared macro permission
16 - Confirm the public macros load, but cannot be edited
17 - Grant create_shared_macros permission to this patron
18 - Reload editor, they should now be able to edit shared macros
19 - Confirm they cannot delete shared macros
20 - Grant delete_shared_macros permission
21 - Reload editor
22 - Confirm they can now delete shared macros
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Heather Hernandez <Heather_Hernandez@nps.gov>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch makes the route support requesting (through the Accept
header) the MARC record to be output as formatted text as in
$record->as_formatted.
To test:
1. Apply the unit tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/biblios.t
=> FAIL: Tests fail
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
5. Try the route with your favourite API testing tool (Postman?)
=> SUCCESS: Accept: text/plain returns the expected results
=> SUCCESS: Wrong Accept header returns a list of valid formats, and
includes 'text/plain'.
6. Sign off :-D
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch adapts the spec and the controllers so existing routes return
204 and an empty response body when a successful deletion happens.
Right now we have a coding guideline but haven't adapted the existing
routes.
To test:
1. Apply the regression tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/*.t
=> FAIL: Some tests fail
3. Apply this patch
4. Repeat 2.
=> SUCCESS: Tests pass!
5. Sign off :-D
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
If we catch a Koha::Exception-derived exception, the log is put in a
single line. If the code 'dies' then a newline character is appended to
the string. This patch chomps it so it displays in a single line.
To test:
1. Tweak Koha::REST::V1::Cities::list in the try block so it dies before
render
2. Restart plack and try the original test plan
=> FAIL: Notice two lines are logged
3. Apply this patch
4. Repeat 2
=> SUCCESS: Only one line in the logs
5. Verify rendering a Koha::Exception works as well:
Koha::Exceptions::Exception->throw("Nada!");
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This simple patch removes 'just in case' handling of specific exceptions
and makes the current routes controllers use the unhandled_exception helper.
Most possible exceptions are already catch by our tools (Koha::Object,
etc) and the existing code is not looking for known possible exceptions
but has just been copied and pasted since our beginings.
Anytime a situation in which an unhandled exception is caught, we (the
devs) should report it and specific exception handling discussed and
solved. But this has just been useless scaffolding so far.
To test:
1. Run:
$ kshell
k$ prove t/db_dependent/api/v1/*.t
=> SUCCESS: Tests pass
2. Apply this patch
3. Repeat 1.
=> SUCCESS: Tests still pass
4. Sign off :-D
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch adds Koha::Logger as the default logger for the API, and
introduces a new helper plugin that takes care of handling the unhandled
exceptions. Basically, with this we would write something like this in
our controller methods:
try {
...
}
catch {
if ( know_exception ) {
handle_known_exception($_);
}
$c->unhandled_exception($_);
}
Without this, we end up adding more and more handling 'just in case'.
To test:
1. Edit the Koha/REST/V1/Cities.pm 'list' method adding
die("Nada"); before the render step.
2. Restart plack and try the endpoint
=> FAIL: A generic error is displayed, and no traces of the original
problem are found on the logs.
3. Apply this patches, make sure your instance's log4perl has the
introduced lines for API with the right path.
4. Repeat 2
=> SUCCESS: The message is still generic, but you see something is
logged in /var/log/koha/kohadev/api-error.log
5. Change die("Nada"); for a real exception like:
use Koha::Exceptions;
Koha::Exceptions::DuplicateObject->throw("Nada");
6. Repeat 2.
=> SUCCESS: The message is generic, but a meaningful text is added to
the logs.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch introduces a check on the authenticate_api_request method for
the RESTPublicAnonymousRequests system preference. If disabled,
anonymous requests get rejected.
The idea is to replicate the homologous OpacPublic system preference
behaviour.
To test:
1. Apply the Unit tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail, 200 is answered instead of 401 on the route.
3. Apply this patch
4. Repeat 2.
=> SUCCESS: Tests pass!
5. Sign off :-D
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch adds a route to get bibliographic records without privileged
access. This needs to match the OPAC expected behaviour.
Some things were considered on the implementation:
- The ViewPolicy filter that hides/shows things based on the frameworks
needded to be used, as in the OPAC.
- OpacHiddenItems and OpacHiddenItemsExceptions need to be considered
for hiding records the same way the OPAC is expected to.
- Avoid using OpacHiddenItemsExceptions, but rely on the patron category
instead (use Koha::Patron::Category->override_hidden_items abstraction
is used instead so it should keep working once 22547 is moved
forward).
- Tests should cover all the use cases:
* logged in user
* anonymous user
* logged in with category that overrides
* logged in with category that doesn't override
This is all implemented on the tests.
To test:
1. Apply the tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/biblios.t
=> FAIL: Route not implemented
3. Apply the rest of the patches
4. Repeat 2
=> SUCCESS: Tests pass!
5. Try it with your favourite API tool (Postman?)
6. Sign off :-D
Note: please notice there isn't a default fallback behaviour for when
you don't specify the Accept header, so testing this on a regular
browser will just print the accepted mime types instead of the record
itself.
To test this with a tool (like Postman) you should enable
RESTBasicAuthe and make the tool use Basic authentication with valid
credentials. And you need to specify any of the following strings on the
Accept header:
- application/marcxml+xml
- application/marc-in-json
- application/marc
- text/plain
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This follow-up patch moves the check outside the register routine. The
Mojo plugin won't be loaded unless there's no need to install.
As the original tests rely on V1.pm to be able to load the plugin, they
are still valid, and they should still pass as there's no behaviour
change.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch adds a check on Koha being actually installed to the
PluginRoutes Mojolicious plugin.
If Koha is not installed, plugin routes won't be tried to get installed.
This has the effect of making the webinstaller functional again (when
enable_plugins is set to 1).
To test:
1. Apply the regression tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/Koha/REST/Plugin/PluginRoutes.t
=> FAIL: Tests fail!
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
5. Reset your working branch
6. Delete your database (e.g. in koha-testing-docker):
$ mysql -hdb -ppassword
> DROP DATABASE koha_kohadev;
> CREATE DATABASE koha_kohadev; \q
7. Set enable_plugins to 1 in koha-conf.xml
8. Restart all:
$ service memcached restart
$ koha-plack --restart kohadev
9. Open the staff interface
=> FAIL: Hangs, the logs show nasty errors (koha-plack-err)
10. Apply this patches
11. Restart all
12. Repeat 10
=> SUCCESS: The web installer shows up :-D
13. Sign off :-D
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch changes the spec loading so that it is fully loaded and merged with any plugin routes before validation. The individual parts are separately validated only if the resulting complete spec is invalid. Note: the OpenAPI plugin validates the spec given to it, so normally no manual validation is necessary.
Test plan:
1. prove -v t/db_dependent/Koha/REST/*
2. prove -v t/db_dependent/api/v1/*
Sponsored-by: The National Library of Finland
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Owen Leonard 2018-03-16 10:47:47 UTC :
<<
I don't think the system preference adds any security. There are already multiple permissions required for working with plugins:
- Configure plugins
- Manage plugins ( install / uninstall )
- Use report plugins
- Use tool plugins
And even with those permissions your server must be configured to allow the use of plugins.
>>
Test plan :
1) Install kitchen sink plugin https://github.com/bywatersolutions/koha-plugin-kitchen-sink
2) Run misc/devel/install_plugins.pl
3) Set config enable_plugins=1
4) Check all parts of the plugin are working
5) Set config enable_plugins=0
6) Check all parts of the plugin are disabled
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
When a child of a prefetched element wasn't found on element's
prefetch_whitelist, no prefetch element was returned.. including element
it self. Now we return element's name if no child was found.
Also, embeded keys that ended with +count where taken literaly. Now we
search the correct key by stripping _count of embedded element if it was
declared as "is_count"
To test:
1. Apply test patch but not this one
2. prove t/Koha/REST/Plugin/Query.t
CHECK => tests shoul fail
3. Apply this patch
4. prove t/Koha/REST/Plugin/Query.t
SUCCESS => tests pass
5. Sign off
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch introduces code to detect (cookie) annonymous sessions and
act as expected.
Right now, as check_cookie_auth is not passed the required permissions
(because there aren't always required permissions, and the code to check
permissions is shared with other authentication mechanisms) it returns
'ok' and the session id. This use case was overlooked when this was
coded, and yeilds unexpected error codes (500) when the user logs out
and the annonymous session cookie is used to hit the API. The end result
doesn't pose any security issue (i.e. the resource access is rejected)
but the returned error code is not correct and should be fixed.
This patch verifies for an anonymous session (and avoids querying the
corresponding patron) and then verifies if there is an authorization
config on the route and if the patron object is defined.
To test:
1. Apply the tests patch
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail, 500 instead of the expected 401
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
5. Repeat the original 'steps to reproduce' from the bug report using
the browser
=> SUCCESS: Problem solved!
6. Sign off :-D
Sponsored-by: ByWater Solutions
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Looks like at some point during reworking/rebasing the signature for
Koha::Account::Line->apply changed and was then reverted but one case of
the reversion got lost.
The error was highlighted in the patrons_accounts credit api tests.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Rebasing was a nightmare, so I'm squashing the sign off follow-ups to
ease the pain with any future rebases
Includes:
Bug 23051: (follow-up) Refactor renewal code
As per Nick's first point in comment #20, the code that tests for
renewability and renews items has been refactored into it's own
function.
Bug 23051: (follow-up) Provide feedback
For renewals that fail when a fine is being paid off, this patch causes
any errors to be passed back to the template for display.
Addresses the second point in Nick's comment #20
Bug 23051: (follow-up) Fix unit tests
As raised by Nick in comment #35
Bug 23051: (follow-up) Fix/improve feedback
This follow up patch addresses the following parts of Nick's feedback in
comment #35:
- it would be nice to get feedback on what was successfully renewed as well
- In general I think I would prefer to see 'ok' and 'not_ok' returned as
a single 'renewal_results' array
- There is no listing of errors if I use the 'pay' button on an
individual fine
Bug 23051: (follow-up) Refactor methods
This follow up patch addresses the following parts of Nick's feedback in
comment #35:
- I don't really like that the functions are internal functions and then
exported
- I think the pref description should highlight that if 'RenewalPeriodBase'
is set to due date, there may be doubled charges
Bug 23051: (follow-up) Add SIP summary
This follow up patch addresses the following parts of Nick's feedback in
comment #35:
- Ideally SIP would get feedback in a screen message
Bug 23051: (follow-up) Renewing in OPAC
This follow up patch addresses the following parts of Nick's feedback in
comment #35:
- I am also not sure about the code path if a patron paid fines on the
opac (via paypal etc.) but renewals are not allowed on the opac.
We've introduced the syspref RenewAccruingItemInOpac (default is off)
which, when enabled, will cause items attached to fines that are paid
off in the OPAC (via payment plugins), to be automatically renewed.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Andrew Isherwood <andrew.isherwood@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Andrew Isherwood <andrew.isherwood@ptfs-europe.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Ere Maijala
Agustin Moyano
Magnus Enger
Andrew Isherwood
