[Koha-bugs] [Bug 29523] Add a way to prevent embedding objects that should not be allowed

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Nov 19 17:26:20 CET 2021


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29523

--- Comment #4 from Tomás Cohen Arazi <tomascohen at gmail.com> ---
Created attachment 127889
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=127889&action=edit
Bug 29523: Make Koha::Object->to_api respect accessibility

This patch makes the *to_api* method honour the accessibility check for
the object. This is relevant in the context of embedding single objects.

The Koha::Patron->to_api method is adjusted to reflect this behavior as
well (it does some manipulation after the ->to_api call and we need to
prevent it).

To test:
1. Apply up to the regression tests
2. Run:
   $ kshell
   k$ prove t/db_dependent/Koha/Object.t
=> FAIL: A patron, that shouldn't be accessed, is returned by ->to_api
3. Apply this patch
4. Repeat 2
=> SUCCESS: Tests pass!
6. Pick Henry Acevedo from the sample data, assign him 'catalogue'
   permissions and a known user/password combination
7. Enable basic authentication
8. Point your favourite tool (Postman?) to
   GET http://kohadev-intra.myDNSname.org:8081/api/v1/biblio/245/checkouts
   Set the following header: x-koha-embed: patron
   Pick whatever biblio you want, actually.
=> SUCCESS: No checkouts
9. Perform a couple checkouts on the chosen biblio. Make sure one
   checkout is for a patron on the same library as Henry, and the other
   on a different one.
10. Repeat 8
=> SUCCESS: You see two checkouts. One of them has an attribute 'patron'
   containing the patron from Henry's library. The other has the
   attribute set to 'null'.
11. Sign off :-D

Signed-off-by: Tomas Cohen Arazi <tomascohen at theke.io>
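
A check for steps 8 to 10 of the test plan, as an added example that is not part of the original message or of Koha's code: it takes the JSON body returned with `x-koha-embed: patron` and reports any embedded patron outside the libraries the caller may see. The sample bodies, the field names (`checkout_id`, `patron_id`, `library_id`) and the library codes are constructed assumptions.

```python
import json

# Constructed sample bodies for GET .../biblio/<id>/checkouts sent with the
# "x-koha-embed: patron" header. Field names and library codes (CPL, MPL)
# are assumptions for illustration, not captured output.
BEFORE_PATCH = json.dumps([
    {"checkout_id": 1, "patron_id": 10,
     "patron": {"patron_id": 10, "library_id": "CPL"}},
    {"checkout_id": 2, "patron_id": 11,
     "patron": {"patron_id": 11, "library_id": "MPL"}},
])
AFTER_PATCH = json.dumps([
    {"checkout_id": 1, "patron_id": 10,
     "patron": {"patron_id": 10, "library_id": "CPL"}},
    {"checkout_id": 2, "patron_id": 11, "patron": None},
])


def audit_embedded_patrons(body, allowed_libraries):
    """Return (checkout_id, problem) pairs for embeds the caller must not see."""
    findings = []
    for checkout in json.loads(body):
        cid = checkout.get("checkout_id")
        if "patron" not in checkout:
            # Embed header ignored: nothing can be concluded for this row.
            findings.append((cid, "no 'patron' attribute in response"))
            continue
        patron = checkout["patron"]
        if patron is None:
            continue  # inaccessible patron serialised as null, as expected
        if patron.get("patron_id") != checkout.get("patron_id"):
            findings.append((cid, "embedded patron does not match patron_id"))
        library = patron.get("library_id")
        if library not in allowed_libraries:
            findings.append((cid, "patron from library %s exposed" % library))
    return findings


if __name__ == "__main__":
    for label, body in (("before", BEFORE_PATCH), ("after", AFTER_PATCH)):
        print(label, audit_embedded_patrons(body, {"CPL"}))
```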
