Bug 28907: REST - Drop support for allow-owner functionality
...and allow-guarantor functionality. Replaced by $c->auth->public($patron_id)
and/or $c->auth->public_guarantor($patron_id), where $patron_id is the patron's
id that owns the requested resource.
Old method, which was applicable to both privileged and public routes:
api/v1/swagger/paths/route.yaml
  x-koha-authorization:
    allow-owner: true
    allow-guarantor: true
New method, use public routes with no x-koha-authorization:
GET /public/route/{patron_id}
Koha/REST/V1/Controller#public_action:
sub public_action {
    my $c = shift->openapi->valid_input or return;
    my $patron_id = $c->param( 'patron_id' );
    try {
        # Throws an exception that will render a response of 401 if not
        # authenticated and 403 if trying to access another user's resources
        $c->auth->public($patron_id); # or $c->auth->public_guarantor($patron_id)
        ...
        # other code
        ...
    }
    catch {
        $c->unhandled_exception($_);
    }
}
Another example of retrieving $patron_id when patron_id is not a request
parameter:
GET /public/another/object/{another_object_id}
my $patron_id = Another::Object->find($another_object_id)->borrowernumber;
try {
    # 403 if $another_object_id does not belong to API user
    $c->auth->public($patron_id);
    ...
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Alex Buckley <alexbuckley@catalyst.net.nz>
(cherry picked from commit 8a1c0af3e49ecf0921121f410ca7bcff5350a983)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
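The following is an added, stand-alone example and not code from Koha or from this commit. It models what the two checks described above enforce: a public route must first resolve the borrowernumber that owns the requested object, then require that the logged-in API user is that patron (or, for the guarantor variant, that patron's guarantor), rendering 401 for an anonymous request and 403 for a mismatch. The exception classes, the `%guarantor_of` and `%owner_of_object` tables, and the `auth_public`, `auth_public_guarantor` and `handle_public_object_request` functions are all assumptions made for this illustration; Koha's real `$c->auth->public` and `$c->auth->public_guarantor` helpers are what a controller should call.

```perl
#!/usr/bin/perl
# Added example, not Koha code: a model of the ownership check behind
# $c->auth->public($patron_id) and $c->auth->public_guarantor($patron_id).
use strict;
use warnings;

# Hypothetical exception classes (assumed names, not Koha's). Each carries the
# HTTP status that the unhandled-exception handler would render.
package Demo::Exception {
    sub new    { my ( $class, %args ) = @_; return bless {%args}, $class }
    sub status { return $_[0]{status} }
    sub throw  { my $class = shift; die $class->new(@_) }
}
package Demo::Exception::Unauthenticated { our @ISA = ('Demo::Exception') }
package Demo::Exception::Forbidden       { our @ISA = ('Demo::Exception') }

package main;

# Constructed sample data: patron 20's guarantor is patron 10.
my %guarantor_of = ( 20 => 10 );

# Constructed sample resource table: object id -> owning borrowernumber.
my %owner_of_object = ( 500 => 10, 501 => 20, 502 => 30 );

# Model of $c->auth->public($patron_id): the API user must be logged in
# (otherwise 401) and must be the owner of the resource (otherwise 403).
sub auth_public {
    my ( $api_user_id, $owner_id ) = @_;
    Demo::Exception::Unauthenticated->throw( status => 401 ) unless defined $api_user_id;
    Demo::Exception::Forbidden->throw( status => 403 ) unless $api_user_id == $owner_id;
    return 1;
}

# Model of $c->auth->public_guarantor($patron_id): as above, but the owner's
# guarantor is also allowed through.
sub auth_public_guarantor {
    my ( $api_user_id, $owner_id ) = @_;
    Demo::Exception::Unauthenticated->throw( status => 401 ) unless defined $api_user_id;
    my $is_owner     = $api_user_id == $owner_id;
    my $is_guarantor = defined $guarantor_of{$owner_id} && $guarantor_of{$owner_id} == $api_user_id;
    Demo::Exception::Forbidden->throw( status => 403 ) unless $is_owner || $is_guarantor;
    return 1;
}

# Model of a public action for GET /public/another/object/{another_object_id}:
# resolve the owner from the object first (never trust an owner id supplied by
# the client), run the chosen check, and map exceptions to response statuses.
sub handle_public_object_request {
    my ( $api_user_id, $object_id, $check ) = @_;
    my $owner_id = $owner_of_object{$object_id};
    return 404 unless defined $owner_id;
    my $status = eval { $check->( $api_user_id, $owner_id ); 200 };
    if ( my $err = $@ ) {
        return $err->status if ref $err && $err->can('status');
        return 500;    # any other exception is unhandled
    }
    return $status;
}

# Usage: anonymous -> 401, owner -> 200, unrelated patron -> 403, and the
# guarantor only passes through the guarantor variant of the check.
printf "%-48s %d\n", 'anonymous, object 500 (public):',
    handle_public_object_request( undef, 500, \&auth_public );
printf "%-48s %d\n", 'patron 10 (owner), object 500 (public):',
    handle_public_object_request( 10, 500, \&auth_public );
printf "%-48s %d\n", 'patron 30, object 500 (public):',
    handle_public_object_request( 30, 500, \&auth_public );
printf "%-48s %d\n", 'patron 10 (guarantor), object 501 (public):',
    handle_public_object_request( 10, 501, \&auth_public );
printf "%-48s %d\n", 'patron 10 (guarantor), object 501 (guarantor):',
    handle_public_object_request( 10, 501, \&auth_public_guarantor );
```

The design point worth keeping from this model is the order of operations in `handle_public_object_request`: the owning borrowernumber is looked up from the object on the server side before the check runs, which is what prevents a caller from reaching another patron's resource simply by requesting a different `{another_object_id}`.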