From 82e0edd87606ce05511b33ddeeea10f2b9e68f3d Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi
Date: Tue, 17 Oct 2023 09:07:28 -0300
Subject: [PATCH] Bug 35053: Make sure request is checked as an item-level request if item_id passed

This patch makes the validation code have the `$item` variable defined when checking holdability, in the case both `item_id` and `biblio_id` params are passed. Otherwise, if the requested item is not holdable, but a biblio-level hold *could* be placed, the item-level hold is placed. This is highlighted by the regression tests.
To test:
1. Apply the regression tests patch
2. Run:
$ ktd --shell
k$ prove t/db_dependent/api/v1/holds.t
=> FAIL: Tests don't pass. A request that should be rejected is allowed because biblio-level hold is allowed.
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass! Item-level rules are checked and thus the request rejected (code 403)
5. Sign off :-D
Signed-off-by: David Nind
Signed-off-by: Nick Clemens
Signed-off-by: Tomas Cohen Arazi
---
 Koha/REST/V1/Holds.pm | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/Koha/REST/V1/Holds.pm b/Koha/REST/V1/Holds.pm
index 543de87a32..ff162cd945 100644
--- a/Koha/REST/V1/Holds.pm
+++ b/Koha/REST/V1/Holds.pm
@@ -91,18 +91,16 @@ sub add {
 if ( $item_id and $biblio_id ) {
+ $biblio = Koha::Biblios->find($biblio_id);
+ $item = $biblio->items->find($item_id);
+
 # check they are consistent
- unless ( Koha::Items->search( { itemnumber => $item_id, biblionumber => $biblio_id } )
- ->count > 0 )
- {
+ unless ($item) {
 return $c->render( status => 400, openapi => { error => "Item $item_id doesn't belong to biblio $biblio_id" } );
 }
- else {
- $biblio = Koha::Biblios->find($biblio_id);
- }
 }
 elsif ($item_id) {
 $item = Koha::Items->find($item_id);
-- 
2.39.5
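Review bot: The added line `$item = $biblio->items->find($item_id);` calls a method on `$biblio` before anything has checked that `Koha::Biblios->find($biblio_id)` returned an object, so a request carrying an unknown `biblio_id` together with any `item_id` now dies with a method call on undef (most likely surfacing as a 500) where the removed `Koha::Items->search(...)->count` check answered with the 400 response. Guarding the lookup restores that behaviour with one line, `$item = $biblio ? $biblio->items->find($item_id) : undef;`, after which the existing `unless ($item)` branch returns the 400 as before. Any later not-found check on `$biblio` elsewhere in `add` cannot help on this path, because the exception is raised first; the body of `add` continues outside the hunk.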