From e6cd5ae59f5f075b89b7fc7ee5a06e8ecfd9d3eb Mon Sep 17 00:00:00 2001
From: Lari Taskula
Date: Wed, 18 Sep 2024 11:13:23 +0000
Subject: [PATCH] Bug 28907: REST - Remove allow-owner from public checkout availability route
To test: 1. prove t/db_dependent/api/v1/checkouts.t 2. Apply patch 3. prove t/db_dependent/api/v1/checkouts.t Observe success in both cases.
Signed-off-by: Victor Grousset/tuxayo
Signed-off-by: Marcel de Rooy
Signed-off-by: Alex Buckley
---
 Koha/REST/V1/Checkouts.pm | 11 ++++++++++-
 api/v1/swagger/paths/checkouts.yaml | 2 --
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/Koha/REST/V1/Checkouts.pm b/Koha/REST/V1/Checkouts.pm
index 793453613e..086fa68022 100644
--- a/Koha/REST/V1/Checkouts.pm
+++ b/Koha/REST/V1/Checkouts.pm
@@ -153,7 +153,16 @@ sub get_availability {
 my $c = shift->openapi->valid_input or return;
 my $user = $c->stash('koha.user');
- my $patron = Koha::Patrons->find( $c->param('patron_id') );
+ my $patron_id = $c->param('patron_id');
+
+ return if try {
+ $c->auth->public($patron_id) if $c->stash('is_public');
+ return 0; # authorization successful, do not "return" after try-catch
+ } catch {
+ return $c->unhandled_exception($_);
+ };
+
+ my $patron = Koha::Patrons->find($patron_id);
 my $item = Koha::Items->find( $c->param('item_id') );
 my ( $impossible, $confirmation, $warnings ) =
diff --git a/api/v1/swagger/paths/checkouts.yaml b/api/v1/swagger/paths/checkouts.yaml
index 24199736e1..6afadce078 100644
--- a/api/v1/swagger/paths/checkouts.yaml
+++ b/api/v1/swagger/paths/checkouts.yaml
@@ -447,5 +447,3 @@
 description: Under maintenance
 schema:
 $ref: "../swagger.yaml#/definitions/error"
- x-koha-authorization:
- allow-owner: true
--
2.39.5
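Review bot: The new owner check in `get_availability` stops the request only if `$c->unhandled_exception($_)` returns a true value, because the guard is written as `return if try { ... } catch { return $c->unhandled_exception($_); };`. If that helper ever returns a false value, a failed `$c->auth->public($patron_id)` would fall through to `Koha::Patrons->find($patron_id)` and the availability lookup would run for a patron the caller does not own. I would make the catch fail closed whatever the helper returns: `$c->unhandled_exception($_); return 1;`. With `allow-owner` dropped from the spec in this patch, this controller check, which runs only when `$c->stash('is_public')` is set, appears to be the only owner enforcement left on the public route, and the diffstat shows no test change. A case in t/db_dependent/api/v1/checkouts.t for a public request carrying another patron's `patron_id` would pin that behaviour; the body of `get_availability` continues past the end of the hunk.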