From a5f3815c65c8aaa7d1f7641d4cf8550011729fe1 Mon Sep 17 00:00:00 2001
From: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Date: Tue, 12 Sep 2023 10:25:36 +0100
Subject: [PATCH] Bug 34287: Add check on public availability endpoint

A quick check for patron equals current user in the public availability
endpoint.

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
---
 api/v1/swagger/paths/checkouts.yaml | 2 ++
 t/db_dependent/api/v1/checkouts.t   | 5 ++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/api/v1/swagger/paths/checkouts.yaml b/api/v1/swagger/paths/checkouts.yaml
index cd07123aff..f38c1e25e6 100644
--- a/api/v1/swagger/paths/checkouts.yaml
+++ b/api/v1/swagger/paths/checkouts.yaml
@@ -411,3 +411,5 @@
         description: Under maintenance
         schema:
           $ref: "../swagger.yaml#/definitions/error"
+    x-koha-authorization:
+      allow-owner: true
diff --git a/t/db_dependent/api/v1/checkouts.t b/t/db_dependent/api/v1/checkouts.t
index d97c9a9ae6..8c16f1f88e 100755
--- a/t/db_dependent/api/v1/checkouts.t
+++ b/t/db_dependent/api/v1/checkouts.t
@@ -342,9 +342,8 @@ subtest 'get_availability' => sub {
         $t->get_ok("/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id")->status_is(401);
 
         # Only allow availability lookup for self
-        $t->get_ok(
-            "//$userid:$password@/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id"
-        )->status_is(403);
+        $t->get_ok("//$userid:$password@/api/v1/public/checkouts/availability?item_id=$item1_id&patron_id=$patron_id")
+            ->status_is(403);
 
         # All ok
         $t->get_ok(
-- 
2.39.5