[Koha-bugs] [Bug 35747] New: Some PUT endpoints wipe data if embeds are missing from the payload

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Jan 9 18:13:45 CET 2024 

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35747

            Bug ID: 35747
           Summary: Some PUT endpoints wipe data if embeds are missing
                    from the payload
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: REST API
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: pedro.amorim at ptfs-europe.com
                CC: jonathan.druart+koha at gmail.com,
                    martin.renvoize at ptfs-europe.com, tomascohen at gmail.com

To reproduce:
0) Enable RESTBasicAuth syspref
1) Add a new license, visit:
    /cgi-bin/koha/erm/licenses/add
2) Fill in mandatory fields, click "Add document" and upload a file. 
3) Click 'Submit'
4) Edit the license, visit:
    /cgi-bin/koha/erm/licenses/edit/1
5) Pretend you're a third-party app wanting to update name and description of
the license. Run the following curl:
curl -u "koha:koha" -X PUT \
  'http://localhost:8081/api/v1/erm/licenses/1' \
  --header 'Accept: */*' \
  --header 'User-Agent: Thunder Client (https://www.thunderclient.com)' \
  --header 'Content-Type: application/json' \
  --data-raw
'{"description":"testing","name":"testing","status":"not_yet_active","type":"consortial"}'
6) Check the license again, visit:
    /cgi-bin/koha/erm/licenses/edit/1
7) Notice the file you uploaded in 2) has been wiped.

This PUT request is missing the documents property, so Koha will wipe all
documents related to that license. Same happens for users (property
'user_roles').
Same happens if the property is sent empty.
I believe this is by design, as the Koha form will always be pre-populated with
any existing data thus not wiping anything unintendedly.
I understand this is how PUT is supposed to work, and that this should be a
PATCH instead, but we're currently not supporting PATCH endpoints (?).
What is the best approach here, support PATCH or change the logic behind the
PUT endpoint? Other?

-- 
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.

More information about the Koha-bugs mailing list