From 33de3ef9dcc8d2c0b021b2da80a2c6673cd06e82 Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Wed, 1 Mar 2023 16:42:30 +0000
Subject: [PATCH] Bug 32713: Throw exception on unexpected x-koha-embed header

This patch adds an exception to stash_embed that is thrown when we find an x-koha-embed header that we're not expecting.

Signed-off-by: Jonathan Druart
Signed-off-by: Tomas Cohen Arazi
---
 Koha/REST/Plugin/Query.pm | 20 +++++++++++++++++---
 Koha/REST/V1/Auth.pm | 2 +-
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/Koha/REST/Plugin/Query.pm b/Koha/REST/Plugin/Query.pm
index 5ce0da42f3..432a0d8fab 100644
--- a/Koha/REST/Plugin/Query.pm
+++ b/Koha/REST/Plugin/Query.pm
@@ -228,7 +228,7 @@ Merges parameters from $q_params into $filtered_params.
 =head3 stash_embed
- $c->stash_embed();
+ $c->stash_embed( { spec => $op_spec } );
 Unwraps and stashes the x-koha-embed headers for use later query construction
@@ -237,14 +237,28 @@ Unwraps and stashes the x-koha-embed headers for use later query construction
 $app->helper( 'stash_embed' => sub {
- my ( $c ) = @_;
+ my ( $c, $args ) = @_; + my $embed_header = $c->req->headers->header('x-koha-embed');
+ return $c unless $embed_header;
+
+ my $spec = $args->{spec} // {};
+ my $embed_spec;
+ for my $param ( @{ $spec->{parameters} } ) {
+ next unless $param->{name} eq 'x-koha-embed';
+ $embed_spec = $param->{items}->{enum};
+ }
+ Koha::Exceptions::BadParameter->throw(
+ "Embedding objects is not allowed on this endpoint.")
+ unless defined($embed_spec);
+
 if ($embed_header) {
 my $THE_embed = {};
 foreach my $embed_req ( split /\s*,\s*/, $embed_header ) {
 if ( $embed_req eq '+strings' ) { # special case
 $c->stash( 'koha.strings' => 1 );
- } else {
+ }
+ else {
 _merge_embed( _parse_embed($embed_req), $THE_embed );
 }
 }
diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
index 8e8a6f675c..1b2a9c090b 100644
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
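Review bot: The POD under `=head3 stash_embed` now shows the `spec` argument in the synopsis but says neither what it is nor that the helper can throw, which is the behaviour the patch adds. A sentence after the synopsis such as `Takes the OpenAPI operation spec as C<spec>; throws a Koha::Exceptions::BadParameter when the request carries an x-koha-embed header that the spec does not declare.` would keep the documentation in step with the code. The synopsis names the argument `$op_spec` while the only caller in this patch passes `$spec`; either is fine, but the prose should say it is the operation spec.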
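Review bot: `for my $param ( @{ $spec->{parameters} } )` has no guard for an operation spec without a `parameters` key, so on such a route Perl either dies with "Can't use an undefined value as an ARRAY reference" under strict refs or autovivifies an empty arrayref into the shared `$spec` hash, depending on how the dereference is evaluated; `for my $param ( @{ $spec->{parameters} // [] } ) {` avoids both. `$embed_spec` also stays undef when the parameter is declared but has no `items.enum`, and then the "Embedding objects is not allowed on this endpoint." message is misleading; the enum that is collected is not compared against the requested embed values anywhere in this hunk, and the helper continues past its last line, so that check presumably lives outside the visible diff. With `return $c unless $embed_header;` added above, the retained `if ($embed_header) {` is now always true and could be flattened once its closing brace, which is outside the hunk, is removed as well.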
@@ -157,7 +157,7 @@ sub authenticate_api_request {
 # TODO: remove the latter 'openapi.op_spec' if minimum version is bumped to at least 1.17.
 my $spec = $c->openapi->spec || $c->match->endpoint->pattern->defaults->{'openapi.op_spec'};
- $c->stash_embed();
+ $c->stash_embed( { spec => $spec } );
 $c->stash_overrides();
 my $cookie_auth = 0;
-- 
2.39.5
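Review bot: `$c->stash_embed( { spec => $spec } )` can now raise `Koha::Exceptions::BadParameter`, and nothing in this hunk catches it, so the exception has to be mapped to a 400 response by whatever wraps `authenticate_api_request` (the sub starts and ends outside the hunk) or it will surface as a 500 for any request carrying an unexpected `x-koha-embed` header; confirm the enclosing try/catch covers this exception class. `$spec` falls back to the `openapi.op_spec` default and may be undef when neither source is set; the helper's `// {}` then yields a spec with no `parameters`, so every embed request on such a route will be rejected, which is presumably intended but worth a comment at the call site.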