From bbd153d68853152c473d7e206c2f73403bf6c4c2 Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Fri, 19 Nov 2021 13:13:59 -0300 Subject: [PATCH] Bug 29523: Make Koha::Object->to_api respect accessibility This patch makes the *to_api* method honour the accessibility check for the object. This is relevant in the context of embedding single objects. The Koha::Patron->to_api method is adjusted to reflect this behavior as well (it does some manipulation after the ->to_api call and we need to prevent it). To test: 1. Apply up to the regression tests 2. Run: $ kshell k$ prove t/db_dependent/Koha/Object.t => FAIL: A patron, that shouldn't be accessed, is returned by ->to_api 3. Apply this patch 4. Repeat 2 => SUCCESS: Tests pass! 6. Pick Henry Acevedo from the sample data, assign him 'catalogue' permissions and a know user/password combination 7. Enable basic authentication 8. Point your favourite tool (Postman?) to GET http://kohadev-intra.myDNSname.org:8081/api/v1/biblio/245/checkouts Set the following header: x-koha-embed: patron Pick whatever biblio you want, actually. => SUCCESS: No checkouts 9. Perform a couple checkouts on the chosen biblio. Make sure one checkout is for a patron on the same library as Henry, and the other on a different one. 10. Repeat 8 => SUCCESS: You see two checkouts. One of them has an attribute 'patron' containing the patron from Henry's library. The other, has the attribute set to 'null'. 11. Sign off :-D Signed-off-by: Tomas Cohen Arazi Signed-off-by: David Nind Signed-off-by: Martin Renvoize Signed-off-by: Tomas Cohen Arazi Signed-off-by: Jonathan Druart Signed-off-by: Marcel de Rooy Signed-off-by: Tomas Cohen Arazi
---
 Koha/Object.pm | 3 +++
 Koha/Patron.pm | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/Koha/Object.pm b/Koha/Object.pm
index 2b1d2e2938..12b16eb8d7 100644
--- a/Koha/Object.pm
+++ b/Koha/Object.pm
@@ -551,6 +551,9 @@ Returns a representation of the object, suitable for API output.
 sub to_api {
 my ( $self, $params ) = @_;
+
+ return unless $self->accessible;
+
 my $json_object = $self->TO_JSON;
 # Make sure we duplicate the $params variable to avoid
diff --git a/Koha/Patron.pm b/Koha/Patron.pm
index 902c6995d3..4e63c4f261 100644
--- a/Koha/Patron.pm
+++ b/Koha/Patron.pm
@@ -2288,6 +2288,8 @@ sub to_api {
 my $json_patron = $self->SUPER::to_api( $params );
+ return unless $json_patron;
+
 $json_patron->{restricted} = ( $self->is_debarred ) ? Mojo::JSON->true : Mojo::JSON->false;
-- 
2.39.5
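Review bot: The bare `return` added at the top of Koha::Object::to_api (and the matching `return unless $json_patron;` in the Koha/Patron.pm hunk) yields an empty list in list context, so a caller that puts `->to_api` inside a hash constructor or a `map` gets shifted key/value pairs or a silently shorter list rather than a null for an object that is not accessible. If the contract is meant to be "hashref or undef", say so in the POD above the sub, e.g. `Returns undef if the object is not accessible.`, and consider `return undef unless $self->accessible;` or forcing scalar context at list-context call sites. The sub's body continues past the hunk, so how existing callers use the result cannot be confirmed from here.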
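Review bot: The new `return unless $json_patron;` in Koha::Patron::to_api is what stops the following `$json_patron->{restricted} = ...` from autovivifying a hash on an undefined value and returning a partial `{ restricted => ... }` record for a patron the caller may not see, but nothing in the code says so. A comment such as `# SUPER::to_api returns nothing for an inaccessible patron; stop before autovivifying a partial hash` would keep a later refactor from removing the guard. Any other class that overrides to_api and post-processes the SUPER::to_api result would presumably need the same guard; none are visible in this patch, so that needs checking against the tree. The sub starts and ends outside the hunk.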