From aac6a2f15569885b56ccc85a1b6405a547dbb912 Mon Sep 17 00:00:00 2001 From: Marcel de Rooy Date: Fri, 23 Sep 2022 09:37:46 +0000 Subject: [PATCH] Bug 30982: (QA follow-up) No userenv, no jobs + # Assume permission if context has no user + my $can_manage_background_jobs = 1; => This felt a bit unsafe. Test plan: Try interface for jobs. Call API with cookie. Call API with OAuth. Run t/db_dependent/Koha/BackgroundJobs.t Signed-off-by: Marcel de Rooy Signed-off-by: Tomas Cohen Arazi --- Koha/BackgroundJobs.pm | 11 ++++------- t/db_dependent/Koha/BackgroundJobs.t | 20 +++++++++++++++++++- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/Koha/BackgroundJobs.pm b/Koha/BackgroundJobs.pm index 1d0506a0e7..48afbf68fa 100644 --- a/Koha/BackgroundJobs.pm +++ b/Koha/BackgroundJobs.pm @@ -40,9 +40,7 @@ Returns all background jobs the logged in user should be allowed to see sub search_limited { my ( $self, $params, $attributes ) = @_; - # Assume permission if context has no user - my $can_manage_background_jobs = 1; - + my $can_manage_background_jobs; my $logged_in_user; my $userenv = C4::Context->userenv; if ( $userenv and $userenv->{number} ) { @@ -51,10 +49,9 @@ sub search_limited { { parameters => 'manage_background_jobs' } ); } - return $can_manage_background_jobs - ? $self->search( $params, $attributes ) - : $self->search( { borrowernumber => $logged_in_user->borrowernumber } ) - ->search( $params, $attributes ); + return $self->search( $params, $attributes ) if $can_manage_background_jobs; + my $id = $logged_in_user ? $logged_in_user->borrowernumber : undef; + return $self->search({ borrowernumber => $id })->search( $params, $attributes ); } =head3 filter_by_current diff --git a/t/db_dependent/Koha/BackgroundJobs.t b/t/db_dependent/Koha/BackgroundJobs.t index 5d1dc1c58a..cfb9c28cc7 100755 --- a/t/db_dependent/Koha/BackgroundJobs.t +++ b/t/db_dependent/Koha/BackgroundJobs.t 
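Review bot: The fail-closed default in `search_limited` is no longer explained once the old comment is removed; `my $can_manage_background_jobs;` relies on undef being false, with nothing telling the next maintainer that this is deliberate. A one-line comment above it, such as `# No userenv means no permission: only the restricted search below applies`, would help prevent a later edit from restoring a permissive default. The POD sentence visible in the hunk header ("Returns all background jobs the logged in user should be allowed to see") could also state what is returned when no user is logged in. The body of search_limited continues outside this hunk.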
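Review bot: With no logged-in user, `$id` is undef, and `search({ borrowernumber => $id })` is normally rendered by DBIx::Class as `borrowernumber IS NULL`, so the result is not guaranteed to be empty. Any job stored without a borrowernumber (for example one queued by a script, if the column allows NULL) would be returned to a caller that has no user context. If the intent is "no userenv, no jobs", return an explicitly empty resultset before building the filter, for example `return $self->search( \'0 = 1' ) unless $logged_in_user;`. The start of search_limited lies outside this hunk, and the has_permission call is only partly visible.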
@@ -19,7 +19,7 @@ use Modern::Perl; -use Test::More tests => 13; +use Test::More tests => 14; use Test::MockModule; use List::MoreUtils qw(any); @@ -122,3 +122,21 @@ subtest 'filter_by_current() tests' => sub { $schema->storage->txn_rollback; }; + +subtest 'search_limited' => sub { + plan tests => 3; + + $schema->storage->txn_begin; + my $patron1 = $builder->build_object( { class => 'Koha::Patrons', value => { flags => 0 } } ); + my $patron2 = $builder->build_object( { class => 'Koha::Patrons', value => { flags => 0 } } ); + my $job1 = $builder->build_object( { class => 'Koha::BackgroundJobs', value => { borrowernumber => $patron1->id } } ); + + C4::Context->set_userenv( undef, q{} ); + is( Koha::BackgroundJobs->search_limited->count, 0, 'No jobs found without userenv' ); + C4::Context->set_userenv( $patron1->id, $patron1->userid ); + is( Koha::BackgroundJobs->search_limited->count, 1, 'My job found' ); + C4::Context->set_userenv( $patron2->id, $patron2->userid ); + is( Koha::BackgroundJobs->search_limited->count, 0, 'No jobs for me' ); + + $schema->storage->txn_rollback; +}; -- 2.39.5
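Review bot: The 'No jobs found without userenv' assertion in the new `search_limited` subtest only proves that patron1's job is hidden. It would still pass if jobs with no borrowernumber were returned, because none is created here, and it may fail on a database that already holds such a job. Building a second job with `value => { borrowernumber => undef }` before the first `is` would pin the no-user case to the rows it is meant to exclude. `set_userenv( undef, q{} )` presumably still leaves a userenv in place, so the branch where `C4::Context->userenv` itself is undefined appears untested. A patron holding `manage_background_jobs` is also not exercised, so the unrestricted return path has no assertion in this subtest.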