From 5a5d1b80890a50fdd1a11867bbd9f4c246ee8600 Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Mon, 31 Aug 2020 09:43:09 -0300 Subject: [PATCH] Bug 26322: Permissions not checked correctly for plugins MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This patch fixes the logic in a condition to address the fact that permissions are not checked for plugins. This was due to bad parenthesis pairing and the lack of good tests for this. To test: 1. Apply the regression tests patch 2. Run: $ kshell k$ prove t/db_dependent/Koha/REST/Plugin/PluginRoutes.t => FAIL: Tests fail because of bad logic 3. Apply this patch 4. Repeat (2) => SUCCESS: Tests pass! 5. Verify the tests cover the use cases that are needed: - Anonymous access - Real user with wrong permissions (parameters => 1) - Real user with right permissions (borrowers => 1) => SUCCESS: Needed use cases so we catch any regression are found 6. Sign off :-D Signed-off-by: Tomas Cohen Arazi Signed-off-by: Joonas Kylmälä Signed-off-by: Martin Renvoize Signed-off-by: Lucas Gass Signed-off-by: Lucas Gass (cherry picked from commit 66402643d7cb95bf5ebc4832bff61becfa3d5a6a) --- Koha/REST/V1/Auth.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm index 9f137af35b..a28fb5920c 100644 --- a/Koha/REST/V1/Auth.pm +++ b/Koha/REST/V1/Auth.pm @@ -255,7 +255,7 @@ sub authenticate_api_request { if ( !$authorization and ( $params->{is_public} and ( C4::Context->preference('RESTPublicAnonymousRequests') or - $user) ) or $params->{is_plugin} ) { + $user) or $params->{is_plugin} ) ) { # We do not need any authorization # Check the parameters validate_query_parameters( $c, $spec ); -- 2.39.5
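Review bot: The corrected condition in authenticate_api_request still relies on implicit `and`/`or` precedence inside the second parenthesised group. `$params->{is_public} and ( C4::Context->preference('RESTPublicAnonymousRequests') or $user) or $params->{is_plugin}` groups as intended only because `and` binds tighter than `or`, and that same reliance on implicit grouping is what let the original misplacement go unnoticed. Giving the `is_public` clause its own parentheses before `or $params->{is_plugin}` would make the intent explicit and harder to break in a later edit. Separately, with the new grouping a request where `$authorization` is false and `$params->{is_plugin}` is set still reaches the "We do not need any authorization" branch without requiring `$user` or the `RESTPublicAnonymousRequests` preference. If that is the intended behaviour for plugin routes, a short comment on that line saying so would help, and the anonymous access case in the test plan should assert it explicitly.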