From 469ce36cda97ce854b93e187fa033b0a3e27a8c3 Mon Sep 17 00:00:00 2001 From: Marcel de Rooy Date: Mon, 12 Feb 2024 09:54:04 +0000 Subject: [PATCH] Bug 36066: Only allow cancelled order deletion in API Note: I had trouble with listing orders in API without status, although formally not required according specs. Test plan: Run t/db_dependent/api/v1/acquisitions_orders.t Signed-off-by: Marcel de Rooy Signed-off-by: David Nind Signed-off-by: Victor Grousset/tuxayo Signed-off-by: Katrin Fischer (cherry picked from commit dcbda39c0a77a35b2bc4684a286bf26254046877) Signed-off-by: Fridolin Somers (cherry picked from commit 1c556d6ed1ab6d0512ec3317ca5963205fca716b) Signed-off-by: Lucas Gass --- Koha/REST/V1/Acquisitions/Orders.pm | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Koha/REST/V1/Acquisitions/Orders.pm b/Koha/REST/V1/Acquisitions/Orders.pm index 0155a38922..371132acca 100644 --- a/Koha/REST/V1/Acquisitions/Orders.pm +++ b/Koha/REST/V1/Acquisitions/Orders.pm @@ -183,7 +183,9 @@ sub update { =head3 delete -Controller function that handles deleting a Koha::Patron object +Controller function that handles deleting a Koha::Acquisition::Order object + +Note that we only allow deletion when the status is cancelled. =cut @@ -197,6 +199,12 @@ sub delete { status => 404, openapi => { error => 'Order not found' } ); + } elsif ( ( $order->orderstatus && $order->orderstatus ne 'cancelled' ) || !$order->datecancellationprinted ) { + # Koha may (historically) have inconsistent order data here (e.g. cancelled without date) + return $c->render( + status => 403, + openapi => { error => 'Order status must be cancelled' } + ); } return try { -- 2.39.5