From 8083bc2ff0629dce8301330e144a61fee35d9836 Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Tue, 29 Jan 2019 11:07:06 -0300 Subject: [PATCH] Bug 22216: Make GET /patrons/{patron_id} staff only This patch removes the possibility to access the patron object identified by patron_id by the patron itself, or a guarantor. It does so by removing the permissions from the spec. The tests are adjusted to remove that use case. To test: - Apply this patch - Run: $ kshell k$ prove t/db_dependent/api/v1/patrons.t => SUCCESS: Tests pass! - Sign off :-D Signed-off-by: Martin Renvoize Signed-off-by: Josef Moravec Signed-off-by: Nick Clemens --- api/v1/swagger/paths/patrons.json | 2 -- t/db_dependent/api/v1/patrons.t | 33 +------------------------------ 2 files changed, 1 insertion(+), 34 deletions(-) diff --git a/api/v1/swagger/paths/patrons.json b/api/v1/swagger/paths/patrons.json index 4a710d6924..27bd08f69f 100644 --- a/api/v1/swagger/paths/patrons.json +++ b/api/v1/swagger/paths/patrons.json @@ -571,8 +571,6 @@ } }, "x-koha-authorization": { - "allow-owner": true, - "allow-guarantor": true, "permissions": { "borrowers": "edit_borrowers" } diff --git a/t/db_dependent/api/v1/patrons.t b/t/db_dependent/api/v1/patrons.t index 8b28d7720d..6e0b557c87 100644 --- a/t/db_dependent/api/v1/patrons.t +++ b/t/db_dependent/api/v1/patrons.t @@ -94,43 +94,12 @@ subtest 'list() tests' => sub { }; subtest 'get() tests' => sub { - plan tests => 3; + plan tests => 2; $schema->storage->txn_begin; unauthorized_access_tests('GET', -1, undef); $schema->storage->txn_rollback; - subtest 'access own object tests' => sub { - plan tests => 4; - - $schema->storage->txn_begin; - - my ( $patron_id, $session_id ) = create_user_and_session({ authorized => 0 }); - - # Access patron's own data even though they have no borrowers flag - my $tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . $patron_id); - $tx->req->cookies({ name => 'CGISESSID', value => $session_id }); - $tx->req->env({ REMOTE_ADDR => '127.0.0.1' }); - $t->request_ok($tx) - ->status_is(200); - - my $guarantee = $builder->build_object({ - class => 'Koha::Patrons', - value => { - guarantorid => $patron_id, - } - }); - - # Access guarantee's data even though guarantor has no borrowers flag - $tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . $guarantee->id ); - $tx->req->cookies({ name => 'CGISESSID', value => $session_id }); - $tx->req->env({ REMOTE_ADDR => '127.0.0.1' }); - $t->request_ok($tx) - ->status_is(200); - - $schema->storage->txn_rollback; - }; - subtest 'librarian access tests' => sub { plan tests => 6; -- 2.39.5