From 7071bb814950954cb25564fe17a78245cbb4387c Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi
Date: Tue, 19 Nov 2019 13:16:16 -0300
Subject: [PATCH] Bug 23634: Secure the email on the API
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Marcel de Rooy
Signed-off-by: Lucas Gass
(cherry picked from commit 624aa55ff33e6fe228ca806f8eb9c6592ab8cdbc)
---
 Koha/REST/V1/Patrons.pm | 9 +++++++++
 t/db_dependent/api/v1/patrons.t | 20 ++++++++++++++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/Koha/REST/V1/Patrons.pm b/Koha/REST/V1/Patrons.pm
index 331ced1464..591a170404 100644
--- a/Koha/REST/V1/Patrons.pm
+++ b/Koha/REST/V1/Patrons.pm
@@ -205,6 +205,15 @@ sub update {
 }
 return try {
+ my $body = $c->validation->param('body');
+ my $user = $c->stash('koha.user');
+
+ if ( $patron->is_superlibrarian and !$user->is_superlibrarian ) {
+ return $c->render( status => 403, openapi => { error => "Not enough privileges to change a superlibrarian's email" } ) if $body->{email} ne $patron->email ;
+ }
 $patron->set_from_api($c->validation->param('body'))->store;
 $patron->discard_changes;
diff --git a/t/db_dependent/api/v1/patrons.t b/t/db_dependent/api/v1/patrons.t
index 5a76988fae..a70fbc9625 100644
--- a/t/db_dependent/api/v1/patrons.t
+++ b/t/db_dependent/api/v1/patrons.t
@@ -222,14 +222,14 @@ subtest 'update() tests' => sub {
 $schema->storage->txn_rollback;
 subtest 'librarian access tests' => sub {
- plan tests => 22;
+ plan tests => 25;
 $schema->storage->txn_begin;
 my $authorized_patron = $builder->build_object(
 {
 class => 'Koha::Patrons',
- value => { flags => 2**4 } # borrowers flag = 4
+ value => { flags => 1 }
 }
 );
 my $password = 'thePassword123';
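Review bot: The guard `if $body->{email} ne $patron->email` compares raw scalars, so when the request body omits `email` or the target superlibrarian has no email stored, `ne` runs on undef — a "Use of uninitialized value" warning in the server log, and an undef-vs-empty-string mismatch is what decides whether the 403 fires. Normalising both sides keeps the decision deterministic without changing the intended outcome: `) if ( $body->{email} // '' ) ne ( $patron->email // '' );`. The following line re-reads `$c->validation->param('body')` although `$body` already holds it; `$patron->set_from_api($body)->store;` avoids the second lookup and makes it obvious that the checked and the stored body are the same. Only `email` is protected here; if other address fields on the patron are used for notices or password recovery, they would need the same treatment — worth confirming against the patron model rather than assuming from this hunk. The enclosing `update` sub starts and ends outside the hunk.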
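Review bot: Changing the fixture to `value => { flags => 1 }` makes `$authorized_patron` a superlibrarian for the whole 'librarian access tests' subtest, so the assertions that precede the new superlibrarian case now run with full privileges instead of the borrowers permission (`2**4`) they were written against, which weakens what they prove unless those earlier calls genuinely need superlibrarian rights (the hunk does not show that). Keeping the original `value => { flags => 2**4 } # borrowers flag = 4` and elevating only where required, `$authorized_patron->flags( 1 )->store;` immediately before the calls that need it, preserves the existing permission coverage. The `plan tests => 25` bump matches the three assertions added in the @@ -330 hunk of this file. The subtest body continues outside the hunk.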
@@ -330,6 +330,22 @@ subtest 'update() tests' => sub {
 is(Koha::Patrons->find( $patron_2->id )->cardnumber, $newpatron->{ cardnumber }, 'Patron is really updated!');
+ my $superlibrarian = $builder->build_object(
+ {
+ class => 'Koha::Patrons',
+ value => { flags => 1 }
+ }
+ );
+
+ $newpatron->{cardnumber} = $superlibrarian->cardnumber;
+ $newpatron->{userid} = $superlibrarian->userid;
+ $newpatron->{email} = 'nosense@no.no';
+
+ $authorized_patron->flags( 2**4 )->store; # borrowers flag = 4
+ $t->put_ok( "//$userid:$password@/api/v1/patrons/" . $superlibrarian->borrowernumber => json => $newpatron ) ->status_is(403, "Non-superlibrarian user change of superlibrarian email forbidden") ->json_is( { error => "Not enough privileges to change a superlibrarian's email" } );
+ $schema->storage->txn_rollback;
 };
 };
--
2.39.5
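Review bot: The new assertions cover only the forbidden path; the two branches that must keep working — a superlibrarian editing another superlibrarian's email, and a non-superlibrarian updating a superlibrarian while leaving `email` unchanged — are not exercised, so a regression that rejects every request on `$patron->is_superlibrarian` would still pass this test. Adding, before the rollback, a positive case with `$newpatron->{email} = $superlibrarian->email;` followed by the same `put_ok` call expecting `->status_is(200)` pins the intended behaviour (the plan count would then rise by two). `$authorized_patron->flags( 2**4 )->store;` lowers the fixture's privileges without restoring them afterwards; harmless inside the rolled-back transaction, but a short comment saying so would spare the next reader from checking. The 'update() tests' subtest starts outside the hunk.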