From bc2fa03d5c63cfadc7d9f318d3ca718574c391f2 Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Wed, 20 Sep 2023 13:47:19 +0100
Subject: [PATCH] Bug 34287: Amend unit test

This patch updates the unit test to confirm that checkout availability should be restricted to the patron checking the availability options on the public side.

Signed-off-by: Katrin Fischer
Signed-off-by: Nick Clemens
Signed-off-by: Tomas Cohen Arazi
---
 t/db_dependent/api/v1/checkouts.t | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/t/db_dependent/api/v1/checkouts.t b/t/db_dependent/api/v1/checkouts.t
index cd62c00fde..d97c9a9ae6 100755
--- a/t/db_dependent/api/v1/checkouts.t
+++ b/t/db_dependent/api/v1/checkouts.t
@@ -336,18 +336,28 @@ subtest 'get_availability' => sub {
 %needsconfirmation = ();
 subtest 'public availability' => sub {
- plan tests => 18;
+ plan tests => 22;
- # Available, Not authentication required
- $t->get_ok("/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id")->status_is(200)
- ->json_is( '/blockers' => {} )->json_is( '/confirms' => {} )->json_is( '/warnings' => {} )
+ # Authentication required
+ $t->get_ok("/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id")->status_is(401);
+
+ # Only allow availability lookup for self
+ $t->get_ok(
+ "//$userid:$password@/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id"
+ )->status_is(403);
+
+ # All ok
+ $t->get_ok(
+ "//$unauth_userid:$unauth_password@/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id"
+ )->status_is(200)->json_is( '/blockers' => {} )->json_is( '/confirms' => {} )->json_is( '/warnings' => {} )
 ->json_has('/confirmation_token');
 # Needs confirmation upgrade to blocker
 %needsconfirmation = ( TOO_MANY => 1, ISSUED_TO_ANOTHER => 1 );
- $t->get_ok("/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id")->status_is(200)
- ->json_is( '/blockers' => { TOO_MANY => 1, ISSUED_TO_ANOTHER => 1 } )->json_is( '/confirms' => {} )
- ->json_is( '/warnings' => {} )->json_has('/confirmation_token');
+ $t->get_ok(
+ "//$unauth_userid:$unauth_password@/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id"
+ )->status_is(200)->json_is( '/blockers' => { TOO_MANY => 1, ISSUED_TO_ANOTHER => 1 } )
+ ->json_is( '/confirms' => {} )->json_is( '/warnings' => {} )->json_has('/confirmation_token');
 %needsconfirmation = ();
 # Remove personal information from public endpoint
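Review bot: The new 401 and 403 checks assert only the status code, so a response that refuses the request yet still carries availability data in its body would pass. Chaining `->json_hasnt('/confirmation_token')` onto both calls (and raising `plan tests` to 24) would pin that nothing is handed back on a refusal. The 403 case is also exercised only with `$userid`; if that is the privileged account, as the names suggest, the more relevant caller, an ordinary patron passing another patron's `patron_id`, is not covered, and one more request as `$unauth_userid` with a different patron id would close that gap. Both accounts are defined outside this hunk, so which of them owns `$patron_id` should be confirmed there.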
@@ -394,8 +404,9 @@ subtest 'get_availability' => sub {
 ressurname => 'private',
 item_notforloan => 'private'
 );
- $t->get_ok("/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id")->status_is(200)
- ->json_is( '/blockers' => {} )->json_is( '/confirms' => {} )->json_is( '/warnings' => {} )
+ $t->get_ok(
+ "//$unauth_userid:$unauth_password@/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id"
+ )->status_is(200)->json_is( '/blockers' => {} )->json_is( '/confirms' => {} )->json_is( '/warnings' => {} )
 ->json_has('/confirmation_token');
 %issuingimpossible = ();
 %alerts = ();
-- 
2.39.2
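Review bot: Nothing at this call says why it authenticates as `$unauth_userid`, and the name reads as if the request ought to be refused; a comment above the `get_ok` such as `# Self lookup: the public route only answers for the authenticated patron` would make the intent clear. The same credentialed URL is spelled out three times across this hunk and the first one, so building it once, e.g. `my $self_url = "//$unauth_userid:$unauth_password@/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id";`, would keep the copies from drifting apart. The enclosing subtest starts and ends outside the hunk.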