3 # This file is part of Koha.
5 # Koha is free software; you can redistribute it and/or modify it
6 # under the terms of the GNU General Public License as published by
7 # the Free Software Foundation; either version 3 of the License, or
8 # (at your option) any later version.
10 # Koha is distributed in the hope that it will be useful, but
11 # WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 # GNU General Public License for more details.
15 # You should have received a copy of the GNU General Public License
16 # along with Koha; if not, see <http://www.gnu.org/licenses>.
20 use Test::More tests => 7;
24 use t::lib::TestBuilder;
29 use Koha::Patron::Debarments qw/AddDebarment/;
31 my $schema = Koha::Database->new->schema;
32 my $builder = t::lib::TestBuilder->new;
34 my $t = Test::Mojo->new('Koha::REST::V1');
35 t::lib::Mocks::mock_preference( 'RESTBasicAuth', 1 );
37 subtest 'list() tests' => sub {
40 $schema->storage->txn_begin;
41 unauthorized_access_tests('GET', undef, undef);
42 $schema->storage->txn_rollback;
44 subtest 'librarian access tests' => sub {
47 $schema->storage->txn_begin;
49 my $librarian = $builder->build_object(
51 class => 'Koha::Patrons',
52 value => { flags => 2**4 } # borrowers flag = 4
55 my $password = 'thePassword123';
56 $librarian->set_password( { password => $password, skip_validation => 1 } );
57 my $userid = $librarian->userid;
59 $t->get_ok("//$userid:$password@/api/v1/patrons")
62 $t->get_ok("//$userid:$password@/api/v1/patrons?cardnumber=" . $librarian->cardnumber)
64 ->json_is('/0/cardnumber' => $librarian->cardnumber);
66 $t->get_ok("//$userid:$password@/api/v1/patrons?address2=" . $librarian->address2)
68 ->json_is('/0/address2' => $librarian->address2);
70 my $patron = $builder->build_object({ class => 'Koha::Patrons' });
71 AddDebarment({ borrowernumber => $patron->borrowernumber });
73 $t->get_ok("//$userid:$password@/api/v1/patrons?restricted=" . Mojo::JSON->true . "&cardnumber=" . $patron->cardnumber )
75 ->json_has('/0/restricted')
76 ->json_is( '/0/restricted' => Mojo::JSON->true )
79 $schema->storage->txn_rollback;
83 subtest 'get() tests' => sub {
86 $schema->storage->txn_begin;
87 unauthorized_access_tests('GET', -1, undef);
88 $schema->storage->txn_rollback;
90 subtest 'librarian access tests' => sub {
93 $schema->storage->txn_begin;
95 my $librarian = $builder->build_object(
97 class => 'Koha::Patrons',
98 value => { flags => 2**4 } # borrowers flag = 4
101 my $password = 'thePassword123';
102 $librarian->set_password( { password => $password, skip_validation => 1 } );
103 my $userid = $librarian->userid;
105 my $patron = $builder->build_object({ class => 'Koha::Patrons' });
107 $t->get_ok("//$userid:$password@/api/v1/patrons/" . $patron->id)
109 ->json_is('/patron_id' => $patron->id)
110 ->json_is('/category_id' => $patron->categorycode )
111 ->json_is('/surname' => $patron->surname)
112 ->json_is('/patron_card_lost' => Mojo::JSON->false );
114 $schema->storage->txn_rollback;
118 subtest 'add() tests' => sub {
121 $schema->storage->txn_begin;
123 my $patron = $builder->build_object( { class => 'Koha::Patrons' } )->to_api;
125 unauthorized_access_tests('POST', undef, $patron);
127 $schema->storage->txn_rollback;
129 subtest 'librarian access tests' => sub {
132 $schema->storage->txn_begin;
134 my $patron = $builder->build_object({ class => 'Koha::Patrons' });
135 my $newpatron = $patron->to_api;
136 # delete RO attributes
137 delete $newpatron->{patron_id};
138 delete $newpatron->{restricted};
139 delete $newpatron->{anonymized};
141 # Create a library just to make sure its ID doesn't exist on the DB
142 my $library_to_delete = $builder->build_object({ class => 'Koha::Libraries' });
143 my $deleted_library_id = $library_to_delete->id;
145 $library_to_delete->delete;
147 my $librarian = $builder->build_object(
149 class => 'Koha::Patrons',
150 value => { flags => 2**4 } # borrowers flag = 4
153 my $password = 'thePassword123';
154 $librarian->set_password( { password => $password, skip_validation => 1 } );
155 my $userid = $librarian->userid;
157 $newpatron->{library_id} = $deleted_library_id;
160 $t->post_ok("//$userid:$password@/api/v1/patrons" => json => $newpatron)
162 ->json_is('/error' => "Duplicate ID"); }
163 qr/DBD::mysql::st execute failed: Duplicate entry/;
165 $newpatron->{library_id} = $patron->branchcode;
167 # Create a library just to make sure its ID doesn't exist on the DB
168 my $category_to_delete = $builder->build_object({ class => 'Koha::Patron::Categories' });
169 my $deleted_category_id = $category_to_delete->id;
171 $category_to_delete->delete;
173 $newpatron->{category_id} = $deleted_category_id; # Test invalid patron category
175 $t->post_ok("//$userid:$password@/api/v1/patrons" => json => $newpatron)
177 ->json_is('/error' => "Given category_id does not exist");
178 $newpatron->{category_id} = $patron->categorycode;
180 $newpatron->{falseproperty} = "Non existent property";
182 $t->post_ok("//$userid:$password@/api/v1/patrons" => json => $newpatron)
185 delete $newpatron->{falseproperty};
187 my $patron_to_delete = $builder->build_object({ class => 'Koha::Patrons' });
188 $newpatron = $patron_to_delete->to_api;
189 # delete RO attributes
190 delete $newpatron->{patron_id};
191 delete $newpatron->{restricted};
192 delete $newpatron->{anonymized};
193 $patron_to_delete->delete;
195 $t->post_ok("//$userid:$password@/api/v1/patrons" => json => $newpatron)
196 ->status_is(201, 'Patron created successfully')
198 Location => qr|^\/api\/v1\/patrons/\d*|,
201 ->json_has('/patron_id', 'got a patron_id')
202 ->json_is( '/cardnumber' => $newpatron->{ cardnumber })
203 ->json_is( '/surname' => $newpatron->{ surname })
204 ->json_is( '/firstname' => $newpatron->{ firstname });
207 $t->post_ok("//$userid:$password@/api/v1/patrons" => json => $newpatron)
209 ->json_has( '/error', 'Fails when trying to POST duplicate cardnumber' )
210 ->json_like( '/conflict' => qr/(borrowers\.)?cardnumber/ ); }
211 qr/DBD::mysql::st execute failed: Duplicate entry '(.*?)' for key '(borrowers\.)?cardnumber'/;
213 $schema->storage->txn_rollback;
217 subtest 'update() tests' => sub {
220 $schema->storage->txn_begin;
221 unauthorized_access_tests('PUT', 123, {email => 'nobody@example.com'});
222 $schema->storage->txn_rollback;
224 subtest 'librarian access tests' => sub {
227 $schema->storage->txn_begin;
229 my $authorized_patron = $builder->build_object(
231 class => 'Koha::Patrons',
232 value => { flags => 1 }
235 my $password = 'thePassword123';
236 $authorized_patron->set_password(
237 { password => $password, skip_validation => 1 } );
238 my $userid = $authorized_patron->userid;
240 my $unauthorized_patron = $builder->build_object(
242 class => 'Koha::Patrons',
243 value => { flags => 0 }
246 $unauthorized_patron->set_password( { password => $password, skip_validation => 1 } );
247 my $unauth_userid = $unauthorized_patron->userid;
249 my $patron_1 = $authorized_patron;
250 my $patron_2 = $unauthorized_patron;
251 my $newpatron = $unauthorized_patron->to_api;
252 # delete RO attributes
253 delete $newpatron->{patron_id};
254 delete $newpatron->{restricted};
255 delete $newpatron->{anonymized};
257 $t->put_ok("//$userid:$password@/api/v1/patrons/-1" => json => $newpatron)
259 ->json_has('/error', 'Fails when trying to PUT nonexistent patron');
261 # Create a library just to make sure its ID doesn't exist on the DB
262 my $category_to_delete = $builder->build_object({ class => 'Koha::Patron::Categories' });
263 my $deleted_category_id = $category_to_delete->id;
265 $category_to_delete->delete;
267 # Use an invalid category
268 $newpatron->{category_id} = $deleted_category_id;
270 $t->put_ok("//$userid:$password@/api/v1/patrons/" . $patron_2->borrowernumber => json => $newpatron)
272 ->json_is('/error' => "Given category_id does not exist");
274 # Restore the valid category
275 $newpatron->{category_id} = $patron_2->categorycode;
277 # Create a library just to make sure its ID doesn't exist on the DB
278 my $library_to_delete = $builder->build_object({ class => 'Koha::Libraries' });
279 my $deleted_library_id = $library_to_delete->id;
281 $library_to_delete->delete;
283 # Use an invalid library_id
284 $newpatron->{library_id} = $deleted_library_id;
287 $t->put_ok("//$userid:$password@/api/v1/patrons/" . $patron_2->borrowernumber => json => $newpatron)
289 ->json_is('/error' => "Given library_id does not exist"); }
290 qr/DBD::mysql::st execute failed: Cannot add or update a child row: a foreign key constraint fails/;
292 # Restore the valid library_id
293 $newpatron->{library_id} = $patron_2->branchcode;
295 # Use an invalid attribute
296 $newpatron->{falseproperty} = "Non existent property";
298 $t->put_ok( "//$userid:$password@/api/v1/patrons/" . $patron_2->borrowernumber => json => $newpatron )
300 ->json_is('/errors/0/message' =>
301 'Properties not allowed: falseproperty.');
303 # Get rid of the invalid attribute
304 delete $newpatron->{falseproperty};
306 # Set both cardnumber and userid to already existing values
307 $newpatron->{cardnumber} = $patron_1->cardnumber;
308 $newpatron->{userid} = $patron_1->userid;
311 $t->put_ok( "//$userid:$password@/api/v1/patrons/" . $patron_2->borrowernumber => json => $newpatron )
313 ->json_has( '/error', "Fails when trying to update to an existing cardnumber or userid")
314 ->json_like( '/conflict' => qr/(borrowers\.)?cardnumber/ ); }
315 qr/DBD::mysql::st execute failed: Duplicate entry '(.*?)' for key '(borrowers\.)?cardnumber'/;
317 $newpatron->{ cardnumber } = $patron_1->id . $patron_2->id;
318 $newpatron->{ userid } = "user" . $patron_1->id.$patron_2->id;
319 $newpatron->{ surname } = "user" . $patron_1->id.$patron_2->id;
321 my $result = $t->put_ok( "//$userid:$password@/api/v1/patrons/" . $patron_2->borrowernumber => json => $newpatron )
322 ->status_is(200, 'Patron updated successfully');
324 # Put back the RO attributes
325 $newpatron->{patron_id} = $unauthorized_patron->to_api->{patron_id};
326 $newpatron->{restricted} = $unauthorized_patron->to_api->{restricted};
327 $newpatron->{anonymized} = $unauthorized_patron->to_api->{anonymized};
328 is_deeply($result->tx->res->json, $newpatron, 'Returned patron from update matches expected');
330 is(Koha::Patrons->find( $patron_2->id )->cardnumber,
331 $newpatron->{ cardnumber }, 'Patron is really updated!');
333 my $superlibrarian = $builder->build_object(
335 class => 'Koha::Patrons',
336 value => { flags => 1 }
340 $newpatron->{cardnumber} = $superlibrarian->cardnumber;
341 $newpatron->{userid} = $superlibrarian->userid;
342 $newpatron->{email} = 'nosense@no.no';
345 $authorized_patron->flags( 2**4 )->store; # borrowers flag = 4
346 $t->put_ok( "//$userid:$password@/api/v1/patrons/" . $superlibrarian->borrowernumber => json => $newpatron )
347 ->status_is(403, "Non-superlibrarian user change of superlibrarian email forbidden")
348 ->json_is( { error => "Not enough privileges to change a superlibrarian's email" } );
351 $newpatron->{email} = undef;
352 $t->put_ok( "//$userid:$password@/api/v1/patrons/" . $superlibrarian->borrowernumber => json => $newpatron )
353 ->status_is(403, "Non-superlibrarian user change of superlibrarian email forbidden")
354 ->json_is( { error => "Not enough privileges to change a superlibrarian's email to undefined" } );
356 $newpatron->{email} = $superlibrarian->email;
357 $newpatron->{secondary_email} = 'nonsense@no.no';
360 $t->put_ok( "//$userid:$password@/api/v1/patrons/" . $superlibrarian->borrowernumber => json => $newpatron )
361 ->status_is(403, "Non-superlibrarian user change of superlibrarian secondary_email forbidden")
362 ->json_is( { error => "Not enough privileges to change a superlibrarian's secondary_email" } );
365 $newpatron->{secondary_email} = undef;
366 $t->put_ok( "//$userid:$password@/api/v1/patrons/" . $superlibrarian->borrowernumber => json => $newpatron )
367 ->status_is(403, "Non-superlibrarian user change of superlibrarian secondary_email forbidden")
368 ->json_is( { error => "Not enough privileges to change a superlibrarian's secondary_email to undefined" } );
370 $newpatron->{secondary_email} = $superlibrarian->emailpro;
371 $newpatron->{altaddress_email} = 'nonsense@no.no';
374 $t->put_ok( "//$userid:$password@/api/v1/patrons/" . $superlibrarian->borrowernumber => json => $newpatron )
375 ->status_is(403, "Non-superlibrarian user change of superlibrarian altaddress_email forbidden")
376 ->json_is( { error => "Not enough privileges to change a superlibrarian's altaddress_email" } );
379 $newpatron->{altaddress_email} = undef;
380 $t->put_ok( "//$userid:$password@/api/v1/patrons/" . $superlibrarian->borrowernumber => json => $newpatron )
381 ->status_is(403, "Non-superlibrarian user change of superlibrarian altaddress_email forbidden")
382 ->json_is( { error => "Not enough privileges to change a superlibrarian's altaddress_email to undefined" } );
384 $schema->storage->txn_rollback;
388 subtest 'delete() tests' => sub {
391 $schema->storage->txn_begin;
392 unauthorized_access_tests('DELETE', 123, undef);
393 $schema->storage->txn_rollback;
395 subtest 'librarian access test' => sub {
398 $schema->storage->txn_begin;
400 my $authorized_patron = $builder->build_object(
402 class => 'Koha::Patrons',
403 value => { flags => 2**4 } # borrowers flag = 4
406 my $password = 'thePassword123';
407 $authorized_patron->set_password(
408 { password => $password, skip_validation => 1 } );
409 my $userid = $authorized_patron->userid;
411 $t->delete_ok("//$userid:$password@/api/v1/patrons/-1")
412 ->status_is(404, 'Patron not found');
414 my $patron = $builder->build_object({ class => 'Koha::Patrons' });
416 $t->delete_ok("//$userid:$password@/api/v1/patrons/" . $patron->borrowernumber)
417 ->status_is(204, 'SWAGGER3.2.4')
418 ->content_is('', 'SWAGGER3.3.4');
420 $schema->storage->txn_rollback;
424 subtest 'guarantors_can_see_charges() tests' => sub {
428 t::lib::Mocks::mock_preference( 'RESTPublicAPI', 1 );
429 t::lib::Mocks::mock_preference( 'RESTBasicAuth', 1 );
431 $schema->storage->txn_begin;
433 my $patron = $builder->build_object({ class => 'Koha::Patrons', value => { privacy_guarantor_fines => 0 } });
434 my $password = 'thePassword123';
435 $patron->set_password({ password => $password, skip_validation => 1 });
436 my $userid = $patron->userid;
437 my $patron_id = $patron->borrowernumber;
439 t::lib::Mocks::mock_preference( 'AllowPatronToSetFinesVisibilityForGuarantor', 0 );
441 $t->put_ok( "//$userid:$password@/api/v1/public/patrons/$patron_id/guarantors/can_see_charges" => json => { allowed => Mojo::JSON->true } )
443 ->json_is( '/error', 'The current configuration doesn\'t allow the requested action.' );
445 t::lib::Mocks::mock_preference( 'AllowPatronToSetFinesVisibilityForGuarantor', 1 );
447 $t->put_ok( "//$userid:$password@/api/v1/public/patrons/$patron_id/guarantors/can_see_charges" => json => { allowed => Mojo::JSON->true } )
451 ok( $patron->discard_changes->privacy_guarantor_fines, 'privacy_guarantor_fines has been set correctly' );
453 $t->put_ok( "//$userid:$password@/api/v1/public/patrons/$patron_id/guarantors/can_see_charges" => json => { allowed => Mojo::JSON->false } )
457 ok( !$patron->discard_changes->privacy_guarantor_fines, 'privacy_guarantor_fines has been set correctly' );
459 $schema->storage->txn_rollback;
462 subtest 'guarantors_can_see_checkouts() tests' => sub {
466 t::lib::Mocks::mock_preference( 'RESTPublicAPI', 1 );
467 t::lib::Mocks::mock_preference( 'RESTBasicAuth', 1 );
469 $schema->storage->txn_begin;
471 my $patron = $builder->build_object({ class => 'Koha::Patrons', value => { privacy_guarantor_checkouts => 0 } });
472 my $password = 'thePassword123';
473 $patron->set_password({ password => $password, skip_validation => 1 });
474 my $userid = $patron->userid;
475 my $patron_id = $patron->borrowernumber;
477 t::lib::Mocks::mock_preference( 'AllowPatronToSetCheckoutsVisibilityForGuarantor', 0 );
479 $t->put_ok( "//$userid:$password@/api/v1/public/patrons/$patron_id/guarantors/can_see_checkouts" => json => { allowed => Mojo::JSON->true } )
481 ->json_is( '/error', 'The current configuration doesn\'t allow the requested action.' );
483 t::lib::Mocks::mock_preference( 'AllowPatronToSetCheckoutsVisibilityForGuarantor', 1 );
485 $t->put_ok( "//$userid:$password@/api/v1/public/patrons/$patron_id/guarantors/can_see_checkouts" => json => { allowed => Mojo::JSON->true } )
489 ok( $patron->discard_changes->privacy_guarantor_checkouts, 'privacy_guarantor_checkouts has been set correctly' );
491 $t->put_ok( "//$userid:$password@/api/v1/public/patrons/$patron_id/guarantors/can_see_checkouts" => json => { allowed => Mojo::JSON->false } )
495 ok( !$patron->discard_changes->privacy_guarantor_checkouts, 'privacy_guarantor_checkouts has been set correctly' );
497 $schema->storage->txn_rollback;
500 # Centralized tests for 401s and 403s assuming the endpoint requires
501 # borrowers flag for access
502 sub unauthorized_access_tests {
503 my ($verb, $patron_id, $json) = @_;
505 my $endpoint = '/api/v1/patrons';
506 $endpoint .= ($patron_id) ? "/$patron_id" : '';
508 subtest 'unauthorized access tests' => sub {
511 my $verb_ok = lc($verb) . '_ok';
513 $t->$verb_ok($endpoint => json => $json)
516 my $unauthorized_patron = $builder->build_object(
518 class => 'Koha::Patrons',
519 value => { flags => 0 }
522 my $password = "thePassword123!";
523 $unauthorized_patron->set_password(
524 { password => $password, skip_validation => 1 } );
525 my $unauth_userid = $unauthorized_patron->userid;
527 $t->$verb_ok( "//$unauth_userid:$password\@$endpoint" => json => $json )
529 ->json_has('/required_permissions');