From 7c2def7573d8b74763daebb1024bc2ad2016cb55 Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi
Date: Mon, 31 Aug 2020 09:43:09 -0300
Subject: [PATCH] Bug 26322: Permissions not checked correctly for plugins
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This patch fixes the logic in a condition to address the fact that
permissions are not checked for plugins. This was due to bad parenthesis
pairing and the lack of good tests for this.

To test:
1. Apply the regression tests patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/Koha/REST/Plugin/PluginRoutes.t
=> FAIL: Tests fail because of bad logic
3. Apply this patch
4. Repeat (2)
=> SUCCESS: Tests pass!
5. Verify the tests cover the use cases that are needed:
   - Anonymous access
   - Real user with wrong permissions (parameters => 1)
   - Real user with right permissions (borrowers => 1)
=> SUCCESS: Needed use cases so we catch any regression are found
6. Sign off :-D

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Joonas Kylmälä
Signed-off-by: Martin Renvoize
Signed-off-by: Jonathan Druart
---
 Koha/REST/V1/Auth.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm index 9f137af35b..a28fb5920c 100644 --- a/Koha/REST/V1/Auth.pm +++ b/Koha/REST/V1/Auth.pm @@ -255,7 +255,7 @@ sub authenticate_api_request { if ( !$authorization and ( $params->{is_public} and ( C4::Context->preference('RESTPublicAnonymousRequests') or - $user) ) or $params->{is_plugin} ) { + $user) or $params->{is_plugin} ) ) { # We do not need any authorization # Check the parameters validate_query_parameters( $c, $spec ); -- 2.39.5
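
Review bot: The corrected condition in authenticate_api_request still depends on Perl's `and` binding tighter than `or` inside the new outer parentheses, so `$params->{is_public} and ( ... or $user) or $params->{is_plugin}` is grouped only implicitly, which is the same kind of grouping the commit message blames for this bug. Please wrap the is_public operand in its own parentheses, i.e. `( $params->{is_public} and ( C4::Context->preference('RESTPublicAnonymousRequests') or $user ) )`, before the `or $params->{is_plugin}`, so a later edit cannot silently regroup it. Separately, with this grouping a plugin route that has no `$authorization` reaches "We do not need any authorization" regardless of `$user` or RESTPublicAnonymousRequests; if that is deliberate, the comment on that branch should say so.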