From 3d743c5f542764fae02541e04014f45145a5335d Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi
Date: Tue, 19 Oct 2021 10:29:55 -0300
Subject: [PATCH] Bug 29272: Make public password changing honour category constraints

This patch makes the public API routes validate $user->category->effective_change_password before allowing the change. To test: 1. Apply the regression tests patch 2. Run: $ kshell k$ prove t/db_dependent/api/v1/patrons_password.t => FAIL: Tests fail, it allows the first change instead of returning 403. 3. Apply this patch 4. Repeat 2 => SUCCESS: Tests pass! 5. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: David Nind
Signed-off-by: Martin Renvoize
Signed-off-by: Jonathan Druart
Signed-off-by: Kyle M Hall
---
 Koha/REST/V1/Patrons/Password.pm | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Koha/REST/V1/Patrons/Password.pm b/Koha/REST/V1/Patrons/Password.pm
index 82531d9d49..00ac034f1a 100644
--- a/Koha/REST/V1/Patrons/Password.pm
+++ b/Koha/REST/V1/Patrons/Password.pm
@@ -90,6 +90,7 @@ sub set_public {
 my $body = $c->validation->param('body');
 my $patron_id = $c->validation->param('patron_id');

+ # short-circuit early
 unless ( C4::Context->preference('OpacPasswordChange') ) {
 return $c->render(
 status => 403,
@@ -108,6 +109,15 @@ sub set_public {
 );
 }

+ unless ( $user->category->effective_change_password ) {
+ return $c->render(
+ status => 403,
+ openapi => {
+ error => "Changing password is forbidden"
+ }
+ );
+ }
+
 my $old_password = $body->{old_password};
 my $password = $body->{password};
 my $password_2 = $body->{password_repeated};
--
2.39.5
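Review bot: The new category guard at the top of the second hunk, `unless ( $user->category->effective_change_password )`, is undocumented, while the preference guard in the first hunk received a `# short-circuit early` comment; from these lines alone a reader cannot tell whether `effective_change_password` already folds in the `OpacPasswordChange` preference (making the two 403 branches overlap) or is an independent category-level override, and that distinction is what a maintainer touching either branch needs. Add a comment above the new block such as `# Category-level constraint: the patron's category can forbid self-service password changes independently of the OpacPasswordChange preference — confirm against the category class before relying on the overlap`. The guard also assumes `$user` is defined and is the same patron as `$patron_id`; the `);` `}` context at the hunk start looks like the close of an earlier guard that establishes this, but that code is outside the hunk, so it is worth confirming there is no path to this line with `$user` undefined (which would turn a 403 into a 500). Placing the check before the old-password comparison is the right order for an authorization decision, but the route's OpenAPI description should list this additional 403 condition so API consumers can distinguish it in their own documentation rather than from the shared error string. The enclosing `sub set_public` starts and ends outside both hunks.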