From 985265c0be182342374f50d95493ec3d50bdd5e0 Mon Sep 17 00:00:00 2001 
From: Lari Taskula 
Date: Tue, 23 Aug 2016 15:38:44 +0300 
Subject: [PATCH] Bug 14868: Display required permissions in permission error response 

When user does not have required permissions to use API operation, it would be useful to let them know which permissions he is missing. Since they are now defined in Swagger, we can easily render them into the response. 

To test: 
1. Use a patron without any permissions 
2. Make GET request to http://yourlib/api/v1/patrons 
3. Observe permission error and see that required_permissions are displayed. 
4. Run t/db_dependent/api/v1/patrons.t 

Signed-off-by: Benjamin Rokseth 
Signed-off-by: Tomas Cohen Arazi 
Signed-off-by: Kyle M Hall 
---
 Koha/REST/V1.pm | 3 ++-
 t/db_dependent/api/v1/patrons.t | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-) 

diff --git a/Koha/REST/V1.pm b/Koha/REST/V1.pm 
index 4cb623684c..03342d4e2f 100644 
--- a/Koha/REST/V1.pm 
+++ b/Koha/REST/V1.pm 
@@ -87,7 +87,8 @@ sub authenticate_api_request {
 my $permissions = $authorization->{'permissions'};
 return $next->($c) if C4::Auth::haspermission($user->userid, $permissions);
 return $c->render_swagger( 
- { error => "Authorization failure. Missing required permission(s)." }, 
+ { error => "Authorization failure. Missing required permission(s).", 
+ required_permissions => $permissions },
 {},
 403
 ); 
diff --git a/t/db_dependent/api/v1/patrons.t b/t/db_dependent/api/v1/patrons.t 
index 6286234b63..f4b9410712 100644 
--- a/t/db_dependent/api/v1/patrons.t 
+++ b/t/db_dependent/api/v1/patrons.t 
@@ -17,7 +17,7 @@ use Modern::Perl; 
-use Test::More tests => 19; 
+use Test::More tests => 20;
 use Test::Mojo;
 use t::lib::TestBuilder; 
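Review bot: The new `required_permissions` key in the 403 body echoes `$permissions` exactly as read from `$authorization->{'permissions'}`, and nothing in the hunk records why that is safe to disclose or that it is the operation's declared requirement rather than anything about the caller; a comment above the `render_swagger` call would stop a later reader from treating it as a leak, e.g. `# Echo the permissions the spec declares for this operation (not the caller's flags) so a 403 is self-explanatory`. Because the value is whatever the spec holds for the operation, the response shape is only as stable as that definition, and if the spec's error response for 403 forbids additional properties the plugin's output validation could reject the new key — worth confirming against the error definition, which is not visible here. `authenticate_api_request` begins before the hunk, so the code that sets `$authorization` and `$user` is outside this view.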
@@ -84,7 +84,8 @@ $t->request_ok($tx)
 $tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . ($borrower->{ borrowernumber }-1));
 $tx->req->cookies({name => 'CGISESSID', value => $session->id});
 $t->request_ok($tx) 
- ->status_is(403); 
+ ->status_is(403) 
+ ->json_is('/required_permissions', {"borrowers" => "1"});
 # User without permissions, but is the owner of the object
 $tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . $borrower->{borrowernumber}); 
-- 
2.39.2
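Review bot: The added `json_is('/required_permissions', {"borrowers" => "1"})` hard-codes the permission set that the patrons GET operation declares in the spec, so a future change to that declaration will fail this assertion with no hint of where the expected value came from. A short comment on the new line would make the coupling explicit, e.g. `# must mirror the permissions declared for GET /patrons/{id} in the Swagger spec`. The test also only covers the non-owner 403 path; the owner branch that follows in the hunk is left unchanged, which seems intentional but is worth noting in that same comment if a reader might expect symmetry.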