From ec99043a2ede2f994dae72ee2f68884174f94d4c Mon Sep 17 00:00:00 2001 From: Tomas Cohen Arazi Date: Mon, 13 Apr 2020 11:40:48 -0300 Subject: [PATCH] Bug 25045: Allow restricting anonymous requests on the public API This patch introduces a check on the authenticate_api_request method for the RESTPublicAnonymousRequests system preference. If disabled, anonymous requests get rejected. The idea is to replicate the homologous OpacPublic system preference behaviour. To test: 1. Apply the Unit tests patch 2. Run: $ kshell k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t => FAIL: Tests fail, 200 is answered instead of 401 on the route. 3. Apply this patch 4. Repeat 2. => SUCCESS: Tests pass! 5. Sign off :-D Signed-off-by: Kyle M Hall Signed-off-by: Jonathan Druart Signed-off-by: Martin Renvoize --- Koha/REST/V1/Auth.pm | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm index 07792d7c94..884fd99ee0 100644 --- a/Koha/REST/V1/Auth.pm +++ b/Koha/REST/V1/Auth.pm @@ -63,8 +63,9 @@ sub under { # /api/v1/{namespace} my $namespace = $c->req->url->to_abs->path->[2] // ''; + my $is_public = ($namespace eq 'public') ? 1 : 0; - if ( $namespace eq 'public' + if ( $is_public and !C4::Context->preference('RESTPublicAPI') ) { Koha::Exceptions::Authorization->throw( @@ -76,7 +77,7 @@ sub under { $status = 1; } else { - $status = authenticate_api_request($c); + $status = authenticate_api_request($c, { is_public => $is_public }); } } catch { @@ -132,7 +133,7 @@ if authorization is required and user has required permissions to access. =cut sub authenticate_api_request { - my ( $c ) = @_; + my ( $c, $params ) = @_; my $user; 
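Review bot: The POD that ends just above `sub authenticate_api_request` (third hunk) is not updated for the new second argument, so the documentation does not say that `$params` is a hashref or that `is_public` now influences whether an unauthenticated request is accepted. I would add a line to the POD such as `Takes an optional hashref; is_public => 1 marks a request to the public namespace, where anonymous access depends on RESTPublicAnonymousRequests.` A caller that omits the argument gets a false `is_public`, which per the last hunk means a request without an authorization spec is no longer accepted at that point; that default is worth stating as well. The POD block and the sub body both extend outside the hunk.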
@@ -235,7 +236,10 @@ sub authenticate_api_request { $c->stash('koha.user' => $user); - if ( !$authorization ) { + if ( !$authorization and + ( $params->{is_public} and + ( C4::Context->preference('RESTPublicAnonymousRequests') or + $user) ) ) { # We do not need any authorization # Check the parameters validate_query_parameters( $c, $spec ); -- 2.39.5
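Review bot: The new condition also changes behaviour for routes outside the public namespace: when `$authorization` is unset and `$params->{is_public}` is false the block is skipped, where the old `if ( !$authorization )` returned here, and the commit message only describes the public-API case. Both that case and the rejected anonymous public request now fall through to code below the hunk with `$authorization` undefined, so the status a client receives depends on how that code treats an undefined value; an explicit rejection inside a plain `if ( !$authorization )` block would make the 401 deliberate rather than incidental. If denying non-public routes that carry no authorization spec is intended, say so above the condition, e.g. `# No authorization spec: open only on public routes, and only if anonymous requests are enabled or a user is authenticated`, since the existing `# We do not need any authorization` comment no longer describes the whole test. A test for a non-public route without an authorization spec would pin the behaviour either way. The enclosing `authenticate_api_request` continues outside the hunk.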