From ee2931a7b09d9c707e93f43ed784ac4e833290bd Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Wed, 2 Jan 2019 15:05:47 -0300 Subject: [PATCH] Bug 22061: Add a /public namespace that can be switched on/off This patch adds a check in Koha::REST::V1::Auth::under to catch all routes that begin with 'public' (inside /api/v1). If they match, and the RESTPublicAPI syspref is off, then an exception is thrown, rendering a 403 error to the consumer. Otherwise the routes are processed as usual. This is THE on/off switch for the public REST API. The target use case: people not wanting an OPAC or public interaction with the API besides privileged users. In order to test, the rest of the patches are needed because the only way to test a route is having it in the spec. To test: - Apply the patches - Run: $ kshell k$ prove t/db_dependent/api/v1/auth.t => SUCCESS: tests pass! - Sign off :-D Signed-off-by: Josef Moravec Signed-off-by: Kyle M Hall Signed-off-by: Nick Clemens --- Koha/REST/V1/Auth.pm | 14 ++++++++++++++ t/db_dependent/api/v1/auth.t | 17 ++++++++++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm index a8b548f4a4..763262ef89 100644 --- a/Koha/REST/V1/Auth.pm +++ b/Koha/REST/V1/Auth.pm @@ -55,8 +55,19 @@ sub under { my $c = shift->openapi->valid_input or return;; my $status = 0; + try { + # /api/v1/{namespace} + my $namespace = $c->req->url->to_abs->path->[2]; + + if ( $namespace eq 'public' + and !C4::Context->preference('RESTPublicAPI') ) + { + Koha::Exceptions::Authorization->throw( + "Configuration prevents the usage of this endpoint by unprivileged users"); + } + $status = authenticate_api_request($c); } catch { @@ -87,6 +98,9 @@ sub under { required_permissions => $_->required_permissions, }); } + elsif ($_->isa('Koha::Exceptions::Authorization')) { + return $c->render(status => 403, json => { error => $_->error }); + } elsif ($_->isa('Koha::Exceptions')) { return $c->render(status => 500, json => { error => $_->error }); } diff --git a/t/db_dependent/api/v1/auth.t b/t/db_dependent/api/v1/auth.t index 447028c060..4f47227886 100644 --- a/t/db_dependent/api/v1/auth.t +++ b/t/db_dependent/api/v1/auth.t @@ -39,12 +39,27 @@ my $t = Test::Mojo->new('Koha::REST::V1'); my $tx; subtest 'under() tests' => sub { - plan tests => 15; + + plan tests => 20; $schema->storage->txn_begin; my ($borrowernumber, $session_id) = create_user_and_session(); + # disable the /public namespace + t::lib::Mocks::mock_preference( 'RESTPublicAPI', 0 ); + $tx = $t->ua->build_tx( POST => "/api/v1/public/patrons/$borrowernumber/password" ); + $tx->req->env( { REMOTE_ADDR => $remote_address } ); + $t->request_ok($tx) + ->status_is(403) + ->json_is('/error', 'Configuration prevents the usage of this endpoint by unprivileged users'); + + # enable the /public namespace + t::lib::Mocks::mock_preference( 'RESTPublicAPI', 1 ); + $tx = $t->ua->build_tx( GET => "/api/v1/public/patrons/$borrowernumber/password" ); + $tx->req->env( { REMOTE_ADDR => $remote_address } ); + $t->request_ok($tx)->status_is(404); + # 401 (no authentication) $tx = $t->ua->build_tx( GET => "/api/v1/patrons" ); $tx->req->env( { REMOTE_ADDR => $remote_address } ); -- 2.39.5