985265c0be
When user does not have required permissions to use API operation, it would be useful to let them know which permissions he is missing. Since they are now defined in Swagger, we can easily render them into the response. To test: 1. Use a patron without any permissions 2. Make GET request to http://yourlib/api/v1/patrons 3. Observe permission error and see that required_permissions are displayed. 4. Run t/db_dependent/api/v1/patrons.t Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
132 lines
4.1 KiB
Perl
132 lines
4.1 KiB
Perl
#!/usr/bin/env perl
|
|
|
|
# This file is part of Koha.
|
|
#
|
|
# Koha is free software; you can redistribute it and/or modify it under the
|
|
# terms of the GNU General Public License as published by the Free Software
|
|
# Foundation; either version 3 of the License, or (at your option) any later
|
|
# version.
|
|
#
|
|
# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
|
|
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License along
|
|
# with Koha; if not, write to the Free Software Foundation, Inc.,
|
|
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
|
use Modern::Perl;
|
|
|
|
use Test::More tests => 20;
|
|
use Test::Mojo;
|
|
use t::lib::TestBuilder;
|
|
|
|
use C4::Auth;
|
|
use C4::Context;
|
|
|
|
use Koha::Database;
|
|
use Koha::Patron;
|
|
|
|
my $builder = t::lib::TestBuilder->new();
|
|
|
|
my $dbh = C4::Context->dbh;
|
|
$dbh->{AutoCommit} = 0;
|
|
$dbh->{RaiseError} = 1;
|
|
|
|
$ENV{REMOTE_ADDR} = '127.0.0.1';
|
|
my $t = Test::Mojo->new('Koha::REST::V1');
|
|
|
|
my $categorycode = $builder->build({ source => 'Category' })->{ categorycode };
|
|
my $branchcode = $builder->build({ source => 'Branch' })->{ branchcode };
|
|
my $guarantor = $builder->build({
|
|
source => 'Borrower',
|
|
value => {
|
|
branchcode => $branchcode,
|
|
categorycode => $categorycode,
|
|
flags => 0,
|
|
}
|
|
});
|
|
my $borrower = $builder->build({
|
|
source => 'Borrower',
|
|
value => {
|
|
branchcode => $branchcode,
|
|
categorycode => $categorycode,
|
|
flags => 0,
|
|
guarantorid => $guarantor->{borrowernumber},
|
|
}
|
|
});
|
|
|
|
$t->get_ok('/api/v1/patrons')
|
|
->status_is(401);
|
|
|
|
$t->get_ok("/api/v1/patrons/" . $borrower->{ borrowernumber })
|
|
->status_is(401);
|
|
|
|
my $session = C4::Auth::get_session('');
|
|
$session->param('number', $borrower->{ borrowernumber });
|
|
$session->param('id', $borrower->{ userid });
|
|
$session->param('ip', '127.0.0.1');
|
|
$session->param('lasttime', time());
|
|
$session->flush;
|
|
|
|
my $session2 = C4::Auth::get_session('');
|
|
$session2->param('number', $guarantor->{ borrowernumber });
|
|
$session2->param('id', $guarantor->{ userid });
|
|
$session2->param('ip', '127.0.0.1');
|
|
$session2->param('lasttime', time());
|
|
$session2->flush;
|
|
|
|
my $tx = $t->ua->build_tx(GET => '/api/v1/patrons');
|
|
$tx->req->cookies({name => 'CGISESSID', value => $session->id});
|
|
$t->request_ok($tx)
|
|
->status_is(403);
|
|
|
|
$tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . ($borrower->{ borrowernumber }-1));
|
|
$tx->req->cookies({name => 'CGISESSID', value => $session->id});
|
|
$t->request_ok($tx)
|
|
->status_is(403)
|
|
->json_is('/required_permissions', {"borrowers" => "1"});
|
|
|
|
# User without permissions, but is the owner of the object
|
|
$tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . $borrower->{borrowernumber});
|
|
$tx->req->cookies({name => 'CGISESSID', value => $session->id});
|
|
$t->request_ok($tx)
|
|
->status_is(200);
|
|
|
|
# User without permissions, but is the guarantor of the owner of the object
|
|
$tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . $borrower->{borrowernumber});
|
|
$tx->req->cookies({name => 'CGISESSID', value => $session2->id});
|
|
$t->request_ok($tx)
|
|
->status_is(200)
|
|
->json_is('/guarantorid', $guarantor->{borrowernumber});
|
|
|
|
my $loggedinuser = $builder->build({
|
|
source => 'Borrower',
|
|
value => {
|
|
branchcode => $branchcode,
|
|
categorycode => $categorycode,
|
|
flags => 16 # borrowers flag
|
|
}
|
|
});
|
|
|
|
$session = C4::Auth::get_session('');
|
|
$session->param('number', $loggedinuser->{ borrowernumber });
|
|
$session->param('id', $loggedinuser->{ userid });
|
|
$session->param('ip', '127.0.0.1');
|
|
$session->param('lasttime', time());
|
|
$session->flush;
|
|
|
|
$tx = $t->ua->build_tx(GET => '/api/v1/patrons');
|
|
$tx->req->cookies({name => 'CGISESSID', value => $session->id});
|
|
$tx->req->env({REMOTE_ADDR => '127.0.0.1'});
|
|
$t->request_ok($tx)
|
|
->status_is(200);
|
|
|
|
$tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . $borrower->{ borrowernumber });
|
|
$tx->req->cookies({name => 'CGISESSID', value => $session->id});
|
|
$t->request_ok($tx)
|
|
->status_is(200)
|
|
->json_is('/borrowernumber' => $borrower->{ borrowernumber })
|
|
->json_is('/surname' => $borrower->{ surname });
|
|
|
|
$dbh->rollback;
|