From 1477ffc7529277f49791966451dcb9a1c798b017 Mon Sep 17 00:00:00 2001 From: Martin Renvoize Date: Fri, 26 Nov 2021 15:35:05 +0000 Subject: [PATCH] Bug 29523: Pass the logged user around and use for validating In this patch I add 'user', containing the Koha::Patron object for the logged in user in the params hash we pass around in to_api. I then use that in a new 'is_accessible' method added to Koha::Patron. The new method is really the equivilent of 'search_limited' in the plural class and could perhaps be renamed 'is_limited' or something clearer for the singular form 'is_filtered' or 'fitler_for_api' or something? Signed-off-by: Tomas Cohen Arazi Signed-off-by: Jonathan Druart Signed-off-by: Marcel de Rooy Signed-off-by: Tomas Cohen Arazi --- Koha/Object.pm | 20 ++++++-------------- Koha/Patron.pm | 24 ++++++++++++++++++++++++ Koha/REST/Plugin/Objects.pm | 6 +++++- t/db_dependent/Koha/Object.t | 22 +++++++++++----------- 4 files changed, 46 insertions(+), 26 deletions(-) diff --git a/Koha/Object.pm b/Koha/Object.pm index 12b16eb8d7..b1895c060e 100644 --- a/Koha/Object.pm +++ b/Koha/Object.pm @@ -552,7 +552,7 @@ Returns a representation of the object, suitable for API output. sub to_api { my ( $self, $params ) = @_; - return unless $self->accessible; + return unless $self->is_accessible($params); my $json_object = $self->TO_JSON; @@ -993,26 +993,18 @@ sub _handle_to_api_child { return $res; } -=head3 accessible +=head3 is_accessible - if ( $object->accessible ) { ... } + if ( $object->is_accessible ) { ... } -Whether the object should be accessible in the current context (requesting user). -It relies on the plural class properly implementing the I method. +Stub method that is expected to be overloaded (if required) by implementing classes. =cut -sub accessible { +sub is_accessible { my ($self) = @_; - return $self->_get_objects_class->search_limited( - { - map { $_ => $self->$_ } - $self->_result->result_source->primary_columns - } - )->count > 0 - ? 1 - : 0; + return 1; } sub DESTROY { } diff --git a/Koha/Patron.pm b/Koha/Patron.pm index 4e63c4f261..63bfb7c508 100644 --- a/Koha/Patron.pm +++ b/Koha/Patron.pm @@ -2274,6 +2274,30 @@ sub set_default_messaging_preferences { return $self; } +=head3 is_accessible + + if ( $patron->is_accessible({ user => $logged_in_user }) ) { ... } + +This overloaded method validates wether the current I object can be accessed +by the logged in user. + +Returns 0 if the I parameter is missing. + +=cut + +sub is_accessible { + my ( $self, $params ) = @_; + + # FIXME? It felt tempting to return 0 instead + # but it would mean needing to explicitly add the 'user' + # param in all tests... + return 1 + unless $params->{user}; + + my $consumer = $params->{user}; + return $consumer->can_see_patron_infos($self); +} + =head3 to_api my $json = $patron->to_api; diff --git a/Koha/REST/Plugin/Objects.pm b/Koha/REST/Plugin/Objects.pm index 116d4f7d1d..32dab06d4b 100644 --- a/Koha/REST/Plugin/Objects.pm +++ b/Koha/REST/Plugin/Objects.pm @@ -316,11 +316,15 @@ Returns the API representation of the passed resultset. my $embed = $c->stash('koha.embed'); my $strings = $c->stash('koha.strings'); + # Grab user + my $user = $c->stash('koha.user'); + return $object->to_api( { embed => $embed, public => $public, - strings => $strings + strings => $strings, + user => $user } ); } diff --git a/t/db_dependent/Koha/Object.t b/t/db_dependent/Koha/Object.t index 0d16c2fa01..f890c22f74 100755 --- a/t/db_dependent/Koha/Object.t +++ b/t/db_dependent/Koha/Object.t @@ -385,16 +385,16 @@ subtest "to_api() tests" => sub { my $patron_api = $patron->to_api( { - embed => { holds_count => { is_count => 1 } } + embed => { holds_count => { is_count => 1 } }, + user => $patron } ); is( $patron_api->{holds_count}, $patron->holds->count, 'Count embeds are supported and work as expected' ); - throws_ok - { - $patron->to_api({ embed => { holds_count => {} } }); - } - 'Koha::Exceptions::Object::MethodNotCoveredByTests', + throws_ok { + $patron->to_api( { embed => { holds_count => {} }, user => $patron } ); + } + 'Koha::Exceptions::Object::MethodNotCoveredByTests', 'Unknown method exception thrown if is_count not specified'; subtest 'unprivileged request tests' => sub { @@ -564,8 +564,8 @@ subtest "to_api() tests" => sub { t::lib::Mocks::mock_userenv( { patron => $patron } ); - is( ref($patron_1->to_api), 'HASH', 'Returns the object hash' ); - is( $patron_2->to_api, undef, 'Not accessible, returns undef' ); + is( ref($patron_1->to_api({ user => $patron })), 'HASH', 'Returns the object hash' ); + is( $patron_2->to_api({ user => $patron }), undef, 'Not accessible, returns undef' ); $schema->storage->txn_rollback; }; @@ -1156,7 +1156,7 @@ subtest 'messages() and add_message() tests' => sub { $schema->storage->txn_rollback; }; -subtest 'accessible() tests' => sub { +subtest 'is_accessible() tests' => sub { plan tests => 2; @@ -1184,8 +1184,8 @@ subtest 'accessible() tests' => sub { t::lib::Mocks::mock_userenv( { patron => $patron } ); - ok( $patron_1->accessible, 'Has access to the patron' ); - ok( !$patron_2->accessible, 'Does not have access to the patron' ); + ok( $patron_1->is_accessible( { user => $patron } ), 'Has access to the patron' ); + ok( !$patron_2->is_accessible( { user => $patron } ), 'Does not have access to the patron' ); $schema->storage->txn_rollback; }; -- 2.39.5