Koha/t/db_dependent/api/v1/article_requests.t
Tomas Cohen Arazi 9c4a1b19aa Bug 27947: (QA follow-up) Clarify permissions
Privileged routes need permissions defined. This patch adds the minimum
required permission until there are article request-specific permissions
in Koha: circulate: circulate_remaining_permissions

It is also clarified that interacting with an article request  from
another patron, but having your own patron_id in the path would return
404 instead of 403, as technically the resource (an article request from
the patron, identified.by the supplied id) doesn't exist.

Tests are tweaked.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2021-10-06 10:09:25 +02:00

155 lines
5.1 KiB
Perl
Executable file

#!/usr/bin/env perl
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <http://www.gnu.org/licenses>.
use Modern::Perl;
use Test::More tests => 2;
use Test::Mojo;
use t::lib::Mocks;
use t::lib::TestBuilder;
use Koha::Database;
my $schema = Koha::Database->new->schema;
my $builder = t::lib::TestBuilder->new;
my $t = Test::Mojo->new('Koha::REST::V1');
t::lib::Mocks::mock_preference( 'RESTBasicAuth', 1 );
subtest 'cancel() tests' => sub {
plan tests => 8;
$schema->storage->txn_begin;
my $authorized_patron = $builder->build_object(
{
class => 'Koha::Patrons',
value => { flags => 2 ** 1 } # circulate flag = 1
}
);
my $password = 'thePassword123';
$authorized_patron->set_password(
{ password => $password, skip_validation => 1 } );
my $userid = $authorized_patron->userid;
my $deleted_article_request =
$builder->build_object( { class => 'Koha::ArticleRequests' } );
my $deleted_article_request_id = $deleted_article_request->id;
$deleted_article_request->delete;
$t->delete_ok(
"//$userid:$password@/api/v1/article_requests/$deleted_article_request_id"
)->status_is(404)->json_is( { error => "Article request not found" } );
my $article_request =
$builder->build_object( { class => 'Koha::ArticleRequests' } );
my $reason = 'A reason';
my $notes = 'Some notes';
$t->delete_ok( "//$userid:$password@/api/v1/article_requests/"
. $article_request->id
. "?cancellation_reason=$reason&notes=$notes" )
->status_is( 204, 'SWAGGER3.2.4' )->content_is( q{}, 'SWAGGER3.2.4' );
# refresh object
$article_request->discard_changes;
is( $article_request->cancellation_reason,
$reason, 'Reason stored correctly' );
is( $article_request->notes, $notes, 'Notes stored correctly' );
$schema->storage->txn_rollback;
};
subtest 'patron_cancel() tests' => sub {
plan tests => 14;
t::lib::Mocks::mock_preference( 'RESTPublicAPI', 1 );
t::lib::Mocks::mock_preference( 'RESTBasicAuth', 1 );
$schema->storage->txn_begin;
my $patron = $builder->build_object(
{
class => 'Koha::Patrons',
value => { flags => 0 }
}
);
my $password = 'thePassword123';
$patron->set_password( { password => $password, skip_validation => 1 } );
my $userid = $patron->userid;
my $patron_id = $patron->borrowernumber;
my $deleted_article_request = $builder->build_object( { class => 'Koha::ArticleRequests', value => { borrowernumber => $patron_id } } );
my $deleted_article_request_id = $deleted_article_request->id;
$deleted_article_request->delete;
# delete non existent article request
$t->delete_ok("//$userid:$password@/api/v1/public/patrons/$patron_id/article_requests/$deleted_article_request_id")
->status_is(404)
->json_is( { error => "Article request not found" } );
my $another_patron = $builder->build_object({ class => 'Koha::Patrons' });
my $another_patron_id = $another_patron->id;
my $article_request_2 = $builder->build_object({ class => 'Koha::ArticleRequests', value => { borrowernumber => $another_patron_id } });
# delete another patron's request
$t->delete_ok("//$userid:$password@/api/v1/public/patrons/$another_patron_id/article_requests/" . $article_request_2->id)
->status_is(403)
->json_is( '/error' => 'Authorization failure. Missing required permission(s).' );
my $another_article_request = $builder->build_object(
{
class => 'Koha::ArticleRequests',
value => { borrowernumber => $another_patron->id }
}
);
$t->delete_ok("//$userid:$password@/api/v1/public/patrons/$patron_id/article_requests/" . $another_article_request->id)
->status_is(404)
->json_is( { error => 'Article request not found' } );
my $article_request = $builder->build_object(
{
class => 'Koha::ArticleRequests',
value => { borrowernumber => $patron->id }
}
);
my $reason = 'A reason';
my $notes = 'Some notes';
$t->delete_ok(
"//$userid:$password@/api/v1/public/patrons/$patron_id/article_requests/"
. $article_request->id
. "?cancellation_reason=$reason&notes=$notes" )
->status_is( 204, 'SWAGGER3.2.4' )
->content_is( q{}, 'SWAGGER3.2.4' );
# refresh object
$article_request->discard_changes;
is( $article_request->cancellation_reason, $reason, 'Reason stored correctly' );
is( $article_request->notes, $notes, 'Notes stored correctly' );
$schema->storage->txn_rollback;
};