Bug 22227: Make GET /cities staff only
[koha.git] / t / db_dependent / api / v1 / cities.t
1 #!/usr/bin/env perl
2
3 # This file is part of Koha.
4 #
5 # Koha is free software; you can redistribute it and/or modify it under the
6 # terms of the GNU General Public License as published by the Free Software
7 # Foundation; either version 3 of the License, or (at your option) any later
8 # version.
9 #
10 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
11 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
12 # A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
13 #
14 # You should have received a copy of the GNU General Public License along
15 # with Koha; if not, write to the Free Software Foundation, Inc.,
16 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
17
18 use Modern::Perl;
19
20 use Test::More tests => 5;
21 use Test::Mojo;
22 use Test::Warn;
23
24 use t::lib::TestBuilder;
25 use t::lib::Mocks;
26
27 use C4::Auth;
28 use Koha::Cities;
29 use Koha::Database;
30
31 my $schema  = Koha::Database->new->schema;
32 my $builder = t::lib::TestBuilder->new;
33
34 # FIXME: sessionStorage defaults to mysql, but it seems to break transaction handling
35 # this affects the other REST api tests
36 t::lib::Mocks::mock_preference( 'SessionStorage', 'tmp' );
37
38 my $remote_address = '127.0.0.1';
39 my $t              = Test::Mojo->new('Koha::REST::V1');
40
41 subtest 'list() tests' => sub {
42
43     plan tests => 18;
44
45     $schema->storage->txn_begin;
46
47     Koha::Cities->search->delete;
48     my ( $borrowernumber, $session_id ) = create_user_and_session({ authorized => 1 });
49
50     ## Authorized user tests
51     # No cities, so empty array should be returned
52     my $tx = $t->ua->build_tx( GET => '/api/v1/cities' );
53     $tx->req->cookies( { name => 'CGISESSID', value => $session_id } );
54     $tx->req->env( { REMOTE_ADDR => $remote_address } );
55     $t->request_ok($tx)
56       ->status_is(200)
57       ->json_is( [] );
58
59     my $city = $builder->build_object({ class => 'Koha::Cities' });
60
61     # One city created, should get returned
62     $tx = $t->ua->build_tx( GET => '/api/v1/cities' );
63     $tx->req->cookies({ name => 'CGISESSID', value => $session_id });
64     $tx->req->env({ REMOTE_ADDR => $remote_address });
65     $t->request_ok($tx)
66       ->status_is(200)
67       ->json_is( [Koha::REST::V1::Cities::_to_api( $city->TO_JSON )] );
68
69     my $another_city = $builder->build_object(
70         { class => 'Koha::Cities', value => { city_country => $city->city_country } } );
71     my $city_with_another_country = $builder->build_object({ class => 'Koha::Cities' });
72
73     # Two cities created, they should both be returned
74     $tx = $t->ua->build_tx( GET => '/api/v1/cities' );
75     $tx->req->cookies( { name => 'CGISESSID', value => $session_id } );
76     $tx->req->env( { REMOTE_ADDR => $remote_address } );
77     $t->request_ok($tx)->status_is(200)
78       ->json_is([Koha::REST::V1::Cities::_to_api($city->TO_JSON),
79                  Koha::REST::V1::Cities::_to_api($another_city->TO_JSON),
80                  Koha::REST::V1::Cities::_to_api($city_with_another_country->TO_JSON)
81                  ] );
82
83     # Filtering works, two cities sharing city_country
84     $tx = $t->ua->build_tx( GET => "/api/v1/cities?country=" . $city->city_country );
85     $tx->req->cookies({ name => 'CGISESSID', value => $session_id });
86     $tx->req->env({ REMOTE_ADDR => $remote_address });
87     $t->request_ok($tx)
88       ->status_is(200)
89       ->json_is([ Koha::REST::V1::Cities::_to_api($city->TO_JSON),
90                   Koha::REST::V1::Cities::_to_api($another_city->TO_JSON)
91                   ]);
92
93     $tx = $t->ua->build_tx( GET => "/api/v1/cities?name=" . $city->city_name );
94     $tx->req->cookies({ name => 'CGISESSID', value => $session_id });
95     $tx->req->env({ REMOTE_ADDR => $remote_address });
96     $t->request_ok($tx)
97       ->status_is(200)
98       ->json_is( [Koha::REST::V1::Cities::_to_api($city->TO_JSON)] );
99
100     # Warn on unsupported query parameter
101     $tx = $t->ua->build_tx( GET => '/api/v1/cities?city_blah=blah' );
102     $tx->req->cookies({ name => 'CGISESSID', value => $session_id });
103     $tx->req->env({ REMOTE_ADDR => $remote_address });
104     $t->request_ok($tx)
105       ->status_is(400)
106       ->json_is( [{ path => '/query/city_blah', message => 'Malformed query string'}] );
107
108     $schema->storage->txn_rollback;
109 };
110
111 subtest 'get() tests' => sub {
112
113     plan tests => 6;
114
115     $schema->storage->txn_begin;
116
117     my $city = $builder->build_object({ class => 'Koha::Cities' });
118     my ( $borrowernumber, $session_id ) = create_user_and_session({ authorized => 1 });
119
120     my $tx = $t->ua->build_tx( GET => "/api/v1/cities/" . $city->id );
121     $tx->req->cookies({ name => 'CGISESSID', value => $session_id });
122     $tx->req->env({ REMOTE_ADDR => $remote_address });
123     $t->request_ok($tx)
124       ->status_is(200)
125       ->json_is(Koha::REST::V1::Cities::_to_api($city->TO_JSON));
126
127     my $city_to_delete = $builder->build_object({ class => 'Koha::Cities' });
128     my $non_existent_id = $city_to_delete->id;
129     $city_to_delete->delete;
130
131     $tx = $t->ua->build_tx( GET => "/api/v1/cities/" . $non_existent_id );
132     $tx->req->cookies({ name => 'CGISESSID', value => $session_id });
133     $tx->req->env({ REMOTE_ADDR => $remote_address });
134     $t->request_ok($tx)
135       ->status_is(404)
136       ->json_is( '/error' => 'City not found' );
137
138     $schema->storage->txn_rollback;
139 };
140
141 subtest 'add() tests' => sub {
142
143     plan tests => 17;
144
145     $schema->storage->txn_begin;
146
147     my ( $unauthorized_borrowernumber, $unauthorized_session_id ) =
148       create_user_and_session( { authorized => 0 } );
149     my ( $authorized_borrowernumber, $authorized_session_id ) =
150       create_user_and_session( { authorized => 1 } );
151     my $city = {
152         name        => "City Name",
153         state       => "City State",
154         postal_code => "City Zipcode",
155         country     => "City Country"
156     };
157
158     # Unauthorized attempt to write
159     my $tx = $t->ua->build_tx( POST => "/api/v1/cities/" => json => $city );
160     $tx->req->cookies({ name => 'CGISESSID', value => $unauthorized_session_id });
161     $tx->req->env({ REMOTE_ADDR => $remote_address });
162     $t->request_ok($tx)
163       ->status_is(403);
164
165     # Authorized attempt to write invalid data
166     my $city_with_invalid_field = {
167         blah        => "City Blah",
168         state       => "City State",
169         postal_code => "City Zipcode",
170         country     => "City Country"
171     };
172
173     $tx = $t->ua->build_tx( POST => "/api/v1/cities/" => json => $city_with_invalid_field );
174     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
175     $tx->req->env( { REMOTE_ADDR => $remote_address } );
176     $t->request_ok($tx)
177       ->status_is(400)
178       ->json_is(
179         "/errors" => [
180             {
181                 message => "Properties not allowed: blah.",
182                 path    => "/body"
183             }
184         ]
185       );
186
187     # Authorized attempt to write
188     $tx = $t->ua->build_tx( POST => "/api/v1/cities/" => json => $city );
189     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
190     $tx->req->env({ REMOTE_ADDR => $remote_address });
191     my $city_id =
192       $t->request_ok($tx)
193         ->status_is(200)
194         ->json_is( '/name'        => $city->{name} )
195         ->json_is( '/state'       => $city->{state} )
196         ->json_is( '/postal_code' => $city->{postal_code} )
197         ->json_is( '/country'     => $city->{country} )
198         ->tx->res->json->{city_id};
199
200     # Authorized attempt to create with null id
201     $city->{city_id} = undef;
202     $tx = $t->ua->build_tx( POST => "/api/v1/cities/" => json => $city );
203     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
204     $tx->req->env({ REMOTE_ADDR => $remote_address });
205     $t->request_ok($tx)
206       ->status_is(400)
207       ->json_has('/errors');
208
209     # Authorized attempt to create with existing id
210     $city->{city_id} = $city_id;
211     $tx = $t->ua->build_tx( POST => "/api/v1/cities/" => json => $city );
212     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
213     $tx->req->env({ REMOTE_ADDR => $remote_address });
214     $t->request_ok($tx)
215       ->status_is(400)
216       ->json_is(
217         "/errors" => [
218             {
219                 message => "Read-only.",
220                 path    => "/body/city_id"
221             }
222         ]
223     );
224
225     $schema->storage->txn_rollback;
226 };
227
228 subtest 'update() tests' => sub {
229
230     plan tests => 15;
231
232     $schema->storage->txn_begin;
233
234     my ( $unauthorized_borrowernumber, $unauthorized_session_id ) =
235       create_user_and_session( { authorized => 0 } );
236     my ( $authorized_borrowernumber, $authorized_session_id ) =
237       create_user_and_session( { authorized => 1 } );
238
239     my $city_id = $builder->build_object({ class => 'Koha::Cities' } )->id;
240
241     # Unauthorized attempt to update
242     my $tx = $t->ua->build_tx( PUT => "/api/v1/cities/$city_id" => json =>
243           { name => 'New unauthorized name change' } );
244     $tx->req->cookies({ name => 'CGISESSID', value => $unauthorized_session_id });
245     $tx->req->env({ REMOTE_ADDR => $remote_address });
246     $t->request_ok($tx)
247       ->status_is(403);
248
249     # Attempt partial update on a PUT
250     my $city_with_missing_field = {
251         name    => 'New name',
252         state   => 'New state',
253         country => 'New country'
254     };
255
256     $tx = $t->ua->build_tx(
257         PUT => "/api/v1/cities/$city_id" => json => $city_with_missing_field );
258     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
259     $tx->req->env({ REMOTE_ADDR => $remote_address });
260     $t->request_ok($tx)->status_is(400)
261       ->json_is( "/errors" =>
262           [ { message => "Missing property.", path => "/body/postal_code" } ]
263       );
264
265     # Full object update on PUT
266     my $city_with_updated_field = {
267         name        => "London",
268         state       => "City State",
269         postal_code => "City Zipcode",
270         country     => "City Country"
271     };
272
273     $tx = $t->ua->build_tx( PUT => "/api/v1/cities/$city_id" => json => $city_with_updated_field );
274     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
275     $tx->req->env({ REMOTE_ADDR => $remote_address });
276     $t->request_ok($tx)
277       ->status_is(200)
278       ->json_is( '/name' => 'London' );
279
280     # Authorized attempt to write invalid data
281     my $city_with_invalid_field = {
282         blah        => "City Blah",
283         state       => "City State",
284         postal_code => "City Zipcode",
285         country     => "City Country"
286     };
287
288     $tx = $t->ua->build_tx( PUT => "/api/v1/cities/$city_id" => json => $city_with_invalid_field );
289     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
290     $tx->req->env({ REMOTE_ADDR => $remote_address });
291     $t->request_ok($tx)
292       ->status_is(400)
293       ->json_is(
294         "/errors" => [
295             {
296                 message => "Properties not allowed: blah.",
297                 path    => "/body"
298             }
299         ]
300     );
301
302     my $city_to_delete = $builder->build_object({ class => 'Koha::Cities' });
303     my $non_existent_id = $city_to_delete->id;
304     $city_to_delete->delete;
305
306     $tx = $t->ua->build_tx( PUT => "/api/v1/cities/$non_existent_id" => json =>
307           $city_with_updated_field );
308     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
309     $tx->req->env({ REMOTE_ADDR => $remote_address });
310     $t->request_ok($tx)
311       ->status_is(404);
312
313     $schema->storage->txn_rollback;
314
315     # Wrong method (POST)
316     $city_with_updated_field->{city_id} = 2;
317
318     $tx = $t->ua->build_tx(
319         POST => "/api/v1/cities/$city_id" => json => $city_with_updated_field );
320     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
321     $tx->req->env({ REMOTE_ADDR => $remote_address });
322     $t->request_ok($tx)
323       ->status_is(404);
324 };
325
326 subtest 'delete() tests' => sub {
327
328     plan tests => 7;
329
330     $schema->storage->txn_begin;
331
332     my ( $unauthorized_borrowernumber, $unauthorized_session_id ) =
333       create_user_and_session( { authorized => 0 } );
334     my ( $authorized_borrowernumber, $authorized_session_id ) =
335       create_user_and_session( { authorized => 1 } );
336
337     my $city_id = $builder->build_object({ class => 'Koha::Cities' })->id;
338
339     # Unauthorized attempt to delete
340     my $tx = $t->ua->build_tx( DELETE => "/api/v1/cities/$city_id" );
341     $tx->req->cookies({ name => 'CGISESSID', value => $unauthorized_session_id });
342     $tx->req->env({ REMOTE_ADDR => $remote_address });
343     $t->request_ok($tx)
344       ->status_is(403);
345
346     $tx = $t->ua->build_tx( DELETE => "/api/v1/cities/$city_id" );
347     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
348     $tx->req->env({ REMOTE_ADDR => $remote_address });
349     $t->request_ok($tx)
350       ->status_is(200)
351       ->content_is('""');
352
353     $tx = $t->ua->build_tx( DELETE => "/api/v1/cities/$city_id" );
354     $tx->req->cookies({ name => 'CGISESSID', value => $authorized_session_id });
355     $tx->req->env({ REMOTE_ADDR => $remote_address });
356     $t->request_ok($tx)
357       ->status_is(404);
358
359     $schema->storage->txn_rollback;
360 };
361
362 sub create_user_and_session {
363
364     my $args  = shift;
365     my $flags = ( $args->{authorized} ) ? $args->{authorized} : 0;
366     my $dbh   = C4::Context->dbh;
367
368     my $user = $builder->build(
369         {
370             source => 'Borrower',
371             value  => {
372                 flags => $flags
373             }
374         }
375     );
376
377     # Create a session for the authorized user
378     my $session = C4::Auth::get_session('');
379     $session->param( 'number',   $user->{borrowernumber} );
380     $session->param( 'id',       $user->{userid} );
381     $session->param( 'ip',       '127.0.0.1' );
382     $session->param( 'lasttime', time() );
383     $session->flush;
384
385     if ( $args->{authorized} ) {
386         $dbh->do( "
387             INSERT INTO user_permissions (borrowernumber,module_bit,code)
388             VALUES (?,3,'parameters_remaining_permissions')", undef,
389             $user->{borrowernumber} );
390     }
391
392     return ( $user->{borrowernumber}, $session->id );
393 }
394