]> git.koha-community.org Git - koha.git/commit
Bug 14868: Give users possibility to request their own object
authorLari Taskula <larit@student.uef.fi>
Fri, 17 Jun 2016 08:43:52 +0000 (11:43 +0300)
committerKyle M Hall <kyle@bywatersolutions.com>
Fri, 2 Sep 2016 12:20:36 +0000 (12:20 +0000)
commitcac40ca7027f9701d4f820481c3b1a577ca3eb61
tree0fba631540cd7a1807896f8379b6171acdf66109
parentac1286dacdf92239ee91bf7932356adca7c486d2
Bug 14868: Give users possibility to request their own object

Allow access to user's own objects even if they do not have required permissions.
This will be very useful in many cases where an user wants to request their own
object, for example renewing their checkouts or placing a hold for themselves.

First, this patch renames "x-koha-permission" to "x-koha-authorization" in order
to describe the new functionality better.

Second, we can now add two extra parameters under "x-koha-authorization":
- "allow-owner"; Allows the owner of object to access it (without permission)
- "allow-guarantor"; Allows guarantor of the owner of object to access it
                     (without permission)

Third, since permission checking is outside of actual controller, we need a way
to find out ownership from different types of parameters, e.g. checkout_id from
/checkouts/{checkout_id}, borrowernumber from /patrons/{borrowernumber} etc.
A solution is to match the parameter with a subroutine that is designed to verify
the ownership for that object. See the new subroutines in Koha::REST::V1.

To use this functionality you will simply define it in Swagger:
"/patrons/{borrowernumber}": {
  "get": {
    ...,
    "x-koha-authorization": {
      "allow-owner": true,
      "permissions": {
        "borrowers": "1"
      }
    }
  }
}

If a parameter that is not yet defined in Koha::REST::V1::check_object_ownership,
you also need to define it and implement a subroutine that determines ownership.

Tests are provided in a following patch that adds this functionality for current
API operations.

Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Koha/REST/V1.pm