From e0de8364b7c197cd3bd1b70f93766ecc6da11216 Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi
Date: Thu, 7 Oct 2021 14:51:51 -0300
Subject: [PATCH] Bug 28948: Remove FIXME

This patch reproduces what we did for `to_api_mapping`: make it always present on Koha::Object classes. This has the side-effect of... making things more secure! Before this patch, if undefined, all attributes were returned.

Signed-off-by: Tomas Cohen Arazi
Signed-off-by: Martin Renvoize
Signed-off-by: Kyle M Hall
Signed-off-by: Jonathan Druart
---
 Koha/Object.pm | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/Koha/Object.pm b/Koha/Object.pm
index b6ffc412de..5d0f3f720f 100644
--- a/Koha/Object.pm
+++ b/Koha/Object.pm
@@ -554,12 +554,9 @@ sub to_api {
 my $json_object = $self->TO_JSON;
 # Remove forbidden attributes if required
- # FIXME: We should eventually require public_read_list in all objects and drop the conditional here.
- if ( $params->{public}
- and $self->can('public_read_list') )
- {
+ if ( $params->{public} ) {
 for my $field ( keys %{$json_object} ) {
- delete $json_object->{$field} unless any { $_ eq $field } @{$self->public_read_list};
+ delete $json_object->{$field} unless any { $_ eq $field } @{ $self->public_read_list };
 }
 }
@@ -649,6 +646,24 @@ sub to_api_mapping {
 return {};
 }
+=head3 public_read_list
+
+ my @public_read_list = @{$object->public_read_list};
+Generic method that returns the list of database columns that are allowed to
+be passed to render objects on the public API.
+Note: this only returns an empty I. Each class should have its
+own implementation.
+=cut
+sub public_read_list + { return []; }
+=head3 from_api_mapping
 my $mapping = $object->from_api_mapping;
-- 
2.39.5
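Review bot: The public branch of `to_api` now fails closed — with `public_read_list` always defined, a class that has not declared an allowlist yields an empty object instead of leaking every column, which is the right default, but nothing in the loop makes that intent visible, so a forgotten override surfaces as a mysteriously empty public response rather than an obvious failure. Consider building the allowlist once before the loop and documenting the policy: `my %allowed = map { $_ => 1 } @{ $self->public_read_list };` with `# Deny-by-default: only columns the class explicitly allows survive on the public API`, then `delete $json_object->{$field} unless $allowed{$field};` in the loop. Note that a subclass whose override returns undef would now die in the `@{ ... }` dereference under strict refs, which is a hard failure rather than a disclosure — acceptable, but worth a regression test alongside one asserting that a class with no override returns no attributes when `public => 1`. The body of `to_api` continues outside this hunk.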
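Review bot: The POD for the new `public_read_list` describes only the implementation detail ("returns an empty ...") and not the security contract that the first hunk now relies on: the empty default means no column of a `Koha::Object` subclass is exposed on the public API until the class overrides this method with an explicit allowlist. Suggest adding a sentence such as `Returning an empty list is the safe default: nothing is rendered on the public API unless a subclass explicitly allows it.` and stating that the method must return an array reference, never undef, because the caller dereferences it with `@{ ... }`. The rendered text `an empty I.` looks like a POD formatting code (`I<...>`) lost in extraction and is worth checking against the source. A test asserting that an object of a subclass with no override returns no attributes from `to_api({ public => 1 })` would pin the fail-closed behaviour this patch introduces.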