From 6d1b7ca3a05466d5b6307e112adcb94c311f668b Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi
Date: Tue, 20 Apr 2021 14:23:36 -0300
Subject: [PATCH] Bug 28157: Add handling for the x-koha-library header

This patch introduces a new header handling. The key idea is that on Koha's base classes there's broad usage of C4::Context->userenv to determine the current library and make decisions based on that. API requests, on the other hand, might not be tied to sessions (stateless) which is the way current library is retrieved. So we need a way to properly specify what library the request is trying to act as coming from.

To test:
1. Apply this patchset
2. Run:
$ kshell
k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> SUCCESS: Tests pass!
3- Sign off :-D

Signed-off-by: David Nind
Signed-off-by: Jonathan Druart
---
Koha/REST/V1/Auth.pm | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
index a28fb5920c..3b5ab4c9a2 100644
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
@@ -28,6 +28,7 @@ use Koha::ApiKeys;
 use Koha::Account::Lines;
 use Koha::Checkouts;
 use Koha::Holds;
+use Koha::Libraries;
 use Koha::OAuth;
 use Koha::OAuthAccessTokens;
 use Koha::Old::Checkouts;
@@ -310,7 +311,6 @@ sub validate_query_parameters {
 ) if @errors;
 }
 
-
 =head3 allow_owner
 
 Allows access to object for its owner.
@@ -500,19 +500,30 @@ Internal method that sets C4::Context->userenv
 sub _set_userenv {
 my ( $c, $patron ) = @_;
 
- my $library = $patron->library;
+ my $passed_library_id = $c->req->headers->header('x-koha-library');
+ my $THE_library;
+
+ if ( $passed_library_id ) {
+ $THE_library = Koha::Libraries->find( $passed_library_id );
+ Koha::Exceptions::Authorization::Unauthorized->throw(
+ "Unauthorized attempt to set library to $passed_library_id"
+ ) unless $THE_library and $patron->can_log_into($THE_library);
+ }
+ else {
+ $THE_library = $patron->library;
+ }
 
 C4::Context->_new_userenv( $patron->borrowernumber );
 C4::Context->set_userenv(
- $patron->borrowernumber, # number,
- $patron->userid, # userid,
- $patron->cardnumber, # cardnumber
- $patron->firstname, # firstname
- $patron->surname, # surname
- $library->branchcode, # branch
- $library->branchname, # branchname
- $patron->flags, # flags,
- $patron->email, # emailaddress
+ $patron->borrowernumber, # number,
+ $patron->userid, # userid,
+ $patron->cardnumber, # cardnumber
+ $patron->firstname, # firstname
+ $patron->surname, # surname
+ $THE_library->branchcode, # branch
+ $THE_library->branchname, # branchname
+ $patron->flags, # flags,
+ $patron->email, # emailaddress
 );
 
 return $c;
-- 
2.20.1
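Review bot: The presence check `if ( $passed_library_id )` treats a header value of `0` (a legal, if unlikely, branchcode) as absent and silently falls back to the patron's home library, so an explicitly supplied value would bypass the `can_log_into` gate instead of being rejected; `if ( defined $passed_library_id and length $passed_library_id ) {` makes the gate apply to whatever was actually sent. The local name `$THE_library` is out of step with the file's `lower_snake_case` locals, and `my $library;` would read as the original did while keeping the `set_userenv` lines shorter. The exception message interpolates the raw header value, so an arbitrary client-controlled string reaches wherever that exception is logged or rendered; reporting only that the requested library was rejected, or quoting the value deliberately, keeps the message bounded. I cannot see from this hunk whether the caller of `_set_userenv` maps `Koha::Exceptions::Authorization::Unauthorized` to a 403 rather than a 500, so that is worth confirming; the sub's closing brace lies outside the hunk.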