1 package Koha::REST::V1;
3 # This file is part of Koha.
5 # Koha is free software; you can redistribute it and/or modify it under the
6 # terms of the GNU General Public License as published by the Free Software
7 # Foundation; either version 3 of the License, or (at your option) any later
10 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
11 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
12 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License along
15 # with Koha; if not, write to the Free Software Foundation, Inc.,
16 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 use Mojo::Base 'Mojolicious';
21 use C4::Auth qw( check_cookie_auth get_session haspermission );
23 use Koha::Account::Lines;
31 Koha::REST::V1 - Main v.1 REST api class
39 Overloaded Mojolicious->startup method. It is called at application startup.
46 # Force charset=utf8 in Content-Type header for JSON responses
47 $self->types->type(json => 'application/json; charset=utf8');
49 my $secret_passphrase = C4::Context->config('api_secret_passphrase');
50 if ($secret_passphrase) {
51 $self->secrets([$secret_passphrase]);
54 $self->plugin(Swagger2 => {
55 url => $self->home->rel_file("api/v1/swagger/swagger.json"),
61 =head3 authenticate_api_request
63 Validates authentication and allows access if authorization is not required or
64 if authorization is required and user has required permissions to access.
66 This subroutine is called before every request to API.
70 sub authenticate_api_request {
71 my ($next, $c, $action_spec) = @_;
74 my $cookie = $c->cookie('CGISESSID');
75 # Mojo doesn't use %ENV the way CGI apps do
76 # Manually pass the remote_address to check_auth_cookie
77 my $remote_addr = $c->tx->remote_address;
78 my ($status, $sessionID) = check_cookie_auth(
80 { remote_addr => $remote_addr });
81 if ($status eq "ok") {
82 $session = get_session($sessionID);
83 $user = Koha::Patrons->find($session->param('number'));
84 $c->stash('koha.user' => $user);
87 return $c->render_swagger(
88 { error => "Authentication failure." },
91 ) if $cookie and $action_spec->{'x-koha-authorization'};
94 # Check for malformed query parameters
96 my %valid_parameters = map { $_->{name} => 1 if $_->{in} eq 'query' } @{$action_spec->{parameters}};
97 my $existing_params = $c->req->query_params->to_hash;
98 for my $param ( keys %{$existing_params} ) {
99 push @errors, { path => "/query/".$param, message => 'Malformed query string' } unless exists $valid_parameters{$param};
101 return $c->render_swagger({},\@errors,400) if @errors;
103 return $next->($c) unless $action_spec->{'x-koha-authorization'};
105 return $c->render_swagger({ error => "Authentication required." },{},401);
108 my $authorization = $action_spec->{'x-koha-authorization'};
109 my $permissions = $authorization->{'permissions'};
110 return $next->($c) if C4::Auth::haspermission($user->userid, $permissions);
111 return $next->($c) if allow_owner($c, $authorization, $user);
112 return $next->($c) if allow_guarantor($c, $authorization, $user);
113 return $c->render_swagger(
114 { error => "Authorization failure. Missing required permission(s).",
115 required_permissions => $permissions },
123 Allows access to object for its owner.
125 There are endpoints that should allow access for the object owner even if they
126 do not have the required permission, e.g. access an own reserve. This can be
127 achieved by defining the operation as follows:
129 "/holds/{reserve_id}": {
132 "x-koha-authorization": {
144 my ($c, $authorization, $user) = @_;
146 return unless $authorization->{'allow-owner'};
148 return check_object_ownership($c, $user) if $user and $c;
151 =head3 allow_guarantor
153 Same as "allow_owner", but checks if the object is owned by one of C<$user>'s
158 sub allow_guarantor {
159 my ($c, $authorization, $user) = @_;
161 if (!$c || !$user || !$authorization || !$authorization->{'allow-guarantor'}){
165 my $guarantees = $user->guarantees->as_list;
166 foreach my $guarantee (@{$guarantees}) {
167 return 1 if check_object_ownership($c, $guarantee);
171 =head3 check_object_ownership
173 Determines ownership of an object from request parameters.
175 As introducing an endpoint that allows access for object's owner; if the
176 parameter that will be used to determine ownership is not already inside
177 $parameters, add a new subroutine that checks the ownership and extend
178 $parameters to contain a key with parameter_name and a value of a subref to
179 the subroutine that you created.
183 sub check_object_ownership {
186 return if not $c or not $user;
189 accountlines_id => \&_object_ownership_by_accountlines_id,
190 borrowernumber => \&_object_ownership_by_borrowernumber,
191 checkout_id => \&_object_ownership_by_checkout_id,
192 reserve_id => \&_object_ownership_by_reserve_id,
195 foreach my $param ( keys %{ $parameters } ) {
196 my $check_ownership = $parameters->{$param};
197 if ($c->stash($param)) {
198 return &$check_ownership($c, $user, $c->stash($param));
200 elsif ($c->param($param)) {
201 return &$check_ownership($c, $user, $c->param($param));
203 elsif ($c->req->json && $c->req->json->{$param}) {
204 return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
209 =head3 _object_ownership_by_accountlines_id
211 Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
216 sub _object_ownership_by_accountlines_id {
217 my ($c, $user, $accountlines_id) = @_;
219 my $accountline = Koha::Account::Lines->find($accountlines_id);
220 return $accountline && $user->borrowernumber == $accountline->borrowernumber;
223 =head3 _object_ownership_by_borrowernumber
225 Compares C<$borrowernumber> to currently logged in C<$user>.
229 sub _object_ownership_by_borrowernumber {
230 my ($c, $user, $borrowernumber) = @_;
232 return $user->borrowernumber == $borrowernumber;
235 =head3 _object_ownership_by_checkout_id
237 First, attempts to find a Koha::Issue-object by C<$issue_id>. If we find one,
238 compare its borrowernumber to currently logged in C<$user>. However, if an issue
239 is not found, attempt to find a Koha::OldIssue-object instead and compare its
240 borrowernumber to currently logged in C<$user>.
244 sub _object_ownership_by_checkout_id {
245 my ($c, $user, $issue_id) = @_;
247 my $issue = Koha::Issues->find($issue_id);
248 $issue = Koha::OldIssues->find($issue_id) unless $issue;
249 return $issue && $issue->borrowernumber
250 && $user->borrowernumber == $issue->borrowernumber;
253 =head3 _object_ownership_by_reserve_id
255 Finds a Koha::Hold-object by C<$reserve_id> and checks if it
258 TODO: Also compare against old_reserves
262 sub _object_ownership_by_reserve_id {
263 my ($c, $user, $reserve_id) = @_;
265 my $reserve = Koha::Holds->find($reserve_id);
266 return $reserve && $user->borrowernumber == $reserve->borrowernumber;