From b4c6ad6603b712d910a0c872139a371a453eb074 Mon Sep 17 00:00:00 2001
From: Julian Maurice
Date: Mon, 31 Aug 2015 17:00:52 +0200
Subject: [PATCH] Bug 13799: Add cookie-based authentication to REST API
Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Martin Renvoize
Signed-off-by: Kyle M Hall
Signed-off-by: Tomas Cohen Arazi
---
Koha/REST/V1.pm | 14 +++++++++++---
Koha/REST/V1/Borrowers.pm | 22 ++++++++++++++++++----
api/v1/swagger.json | 12 ++++++++++++
3 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/Koha/REST/V1.pm b/Koha/REST/V1.pm
index 39cdab90d1..7d7102d74f 100644
--- a/Koha/REST/V1.pm
+++ b/Koha/REST/V1.pm
@@ -3,15 +3,23 @@ package Koha::REST::V1;
 use Modern::Perl;
 use Mojo::Base 'Mojolicious';
+use C4::Auth qw( check_cookie_auth get_session );
+use Koha::Borrowers;
+
 sub startup {
 my $self = shift;
 my $route = $self->routes->under->to(
 cb => sub {
 my $c = shift;
- my $user = $c->param('user');
- # Do the authentication stuff here...
- $c->stash('user', $user);
+
+ my ($status, $sessionID) = check_cookie_auth($c->cookie('CGISESSID'));
+ if ($status eq "ok") {
+ my $session = get_session($sessionID);
+ my $user = Koha::Borrowers->find($session->param('number'));
+ $c->stash('koha.user' => $user);
+ }
+
 return 1;
 }
 );
diff --git a/Koha/REST/V1/Borrowers.pm b/Koha/REST/V1/Borrowers.pm
index b58ad2a978..8857df4483 100644
--- a/Koha/REST/V1/Borrowers.pm
+++ b/Koha/REST/V1/Borrowers.pm
@@ -4,11 +4,17 @@ use Modern::Perl;
 use Mojo::Base 'Mojolicious::Controller';
+use C4::Auth qw( haspermission );
 use Koha::Borrowers;
 sub list_borrowers {
 my ($c, $args, $cb) = @_;
+ my $user = $c->stash('koha.user');
+ unless ($user && haspermission($user->userid, {borrowers => 1})) {
+ return $c->$cb({error => "You don't have the required permission"}, 403);
+ }
+
 my $borrowers = Koha::Borrowers->search;
 $c->$cb($borrowers->unblessed, 200);
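Review bot: The `under` callback ends with an unconditional `return 1;`, so a request whose `CGISESSID` cookie is missing, expired or rejected (any `$status` other than "ok") is still dispatched, just without `koha.user` in the stash; nothing at this layer enforces authentication, and a controller that forgets to test the stash serves its data to anonymous callers. If that is the intended contract it should be written down where the next route author will see it, e.g. `# No enforcement here: any $status other than "ok" leaves koha.user unset, so every controller MUST check $c->stash('koha.user') before serving data.` The "ok" branch also assumes the session carries a defined `number`; if `check_cookie_auth` can answer "ok" for an anonymous session (not visible from this hunk), `Koha::Borrowers->find(undef)` is reached and a `defined` guard on `$session->param('number')` would be cheap. Cookie-based authentication also means browsers attach the credential to cross-site requests, which is harmless for the read-only routes in this patch but will require CSRF protection before any state-changing route is added. The remainder of `startup` lies outside the hunk.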
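Review bot: The new guard in `list_borrowers` answers 403 both when no user is authenticated and when the user lacks the `borrowers` flag, so a client cannot distinguish "log in first" from "never allowed", and swagger.json documents only the 403. Replying 401 for the anonymous case before the permission test, `return $c->$cb({error => "Authentication required"}, 401) unless $user;`, keeps the two conditions apart (the 401 response would then need adding to the spec). Separately, `$borrowers->unblessed` returns every column of every row; if that includes the password hash or other sensitive borrower fields (the `borrower` definition is not visible here), the result should be reduced to the documented schema before it is sent. The closing brace of `list_borrowers` lies outside this hunk.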
@@ -17,13 +23,21 @@ sub list_borrowers {
 sub get_borrower {
 my ($c, $args, $cb) = @_;
- my $borrower = Koha::Borrowers->find($args->{borrowernumber});
+ my $user = $c->stash('koha.user');
- if ($borrower) {
- return $c->$cb($borrower->unblessed, 200);
+ unless ( $user
+ && ( $user->borrowernumber == $args->{borrowernumber}
+ || haspermission($user->userid, {borrowers => 1}) ) )
+ {
+ return $c->$cb({error => "You don't have the required permission"}, 403);
+ }
+
+ my $borrower = Koha::Borrowers->find($args->{borrowernumber});
+ unless ($borrower) {
+ return $c->$cb({error => "Borrower not found"}, 404);
 }
- $c->$cb({error => "Borrower not found"}, 404);
+ return $c->$cb($borrower->unblessed, 200);
 }
 1;
diff --git a/api/v1/swagger.json b/api/v1/swagger.json
index 9672f153fe..a20cb20fca 100644
--- a/api/v1/swagger.json
+++ b/api/v1/swagger.json
@@ -31,6 +31,12 @@
 "$ref": "#/definitions/borrower"
 }
 }
+ },
+ "403": {
+ "description": "Access forbidden",
+ "schema": {
+ "$ref": "#/definitions/error"
+ }
 }
 }
 }
@@ -55,6 +61,12 @@
 "$ref": "#/definitions/borrower"
 }
 },
+ "403": {
+ "description": "Access forbidden",
+ "schema": {
+ "$ref": "#/definitions/error"
+ }
+ },
 "404": {
 "description": "Borrower not found",
 "schema": {
-- 2.39.5
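Review bot: The authorization test in `get_borrower` repeats the one in `list_borrowers` plus an owner clause, and now that every action must guard itself this block will be copied into each new controller; a private helper that takes the required flags and an optional owning borrowernumber, and sends the 403 itself, keeps the policy in one place. The owner clause uses `==`, which numifies `$args->{borrowernumber}` taken from the path (a value such as `12abc` compares equal to 12, with a warning); that is only acceptable if the Swagger parameter is declared as an integer and validated before dispatch, which this hunk does not show. Checking permission before the `find` is the right order, as it keeps an unprivileged caller from learning which borrowernumbers exist through 404 replies.
```perl
# Authorize the stashed user: it must exist and either be the borrower
# identified by $owner_id (when given) or hold $flags. Sends the 403 reply
# and returns false on failure so callers can simply `return unless`.
sub _authorize {
    my ($c, $cb, $flags, $owner_id) = @_;
    my $user = $c->stash('koha.user');
    return 1 if $user
        && ( ( defined $owner_id && $user->borrowernumber == $owner_id )
            || haspermission($user->userid, $flags) );
    $c->$cb({error => "You don't have the required permission"}, 403);
    return 0;
}

sub get_borrower {
    my ($c, $args, $cb) = @_;

    return unless _authorize($c, $cb, {borrowers => 1}, $args->{borrowernumber});
    # … unchanged: Koha::Borrowers->find and the 404/200 replies …
}
```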