https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22522 José-Mario Monteiro-Santos <jose-mario.monteiro-santos@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #86756|Bug 22522 - Update API |Fix for newer description|specs' access in Auth.pm |Mojolicious/OpenAPI | |versions --- Comment #4 from José-Mario Monteiro-Santos <jose-mario.monteiro-santos@inlibro.com> --- Comment on attachment 86756 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=86756 Fix for newer Mojolicious/OpenAPI versions
From 9398e9ce1ddb545b031c4accad4148f743eddadd Mon Sep 17 00:00:00 2001 From: Jose-Mario Monteiro-Santos <jose-mario.monteiro-santos@inLibro.com> Date: Tue, 19 Mar 2019 11:55:45 -0400 Subject: [PATCH] Bug 22522 - Update API specs' access in Auth.pm
With newer versions of Mojolicious and its plugins, endpoints' specs could no longer be accessed, thus bypassing authorization checks and failing to validate query parameters.
Test plan: 1. Without being logged in to Koha, access an endpoint directly (such as /api/v1/patrons/{patron_id}) 2. Notice results are received (which is bad since we're not authenticated) 3. Try again with an endpoint that accepts query parameters (such as /api/v1/patrons?firstname=something) 4. Notice that the query is not accepted (even with correct parameters)
5. Apply the patch
6. Repeat step 1 7. Notice that the access is denied 8. Login as a user with proper access rights 9. Repeat step 1 10. Notice that you can now get results 11. Repeat step 3 12. Notice that the query is now accepted 13. Repeat step 3 but with an absurd parameter 14. Notice the query is correctly rejected
15. Ideally, check if other API calls were not broken --- Koha/REST/V1/Auth.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm index 53c6bac..d0ecd13 100644 --- a/Koha/REST/V1/Auth.pm +++ b/Koha/REST/V1/Auth.pm @@ -130,7 +130,7 @@ sub authenticate_api_request {
my $user;
- my $spec = $c->match->endpoint->pattern->defaults->{'openapi.op_spec'}; + my $spec = $c->openapi->spec; my $authorization = $spec->{'x-koha-authorization'};
my $authorization_header = $c->req->headers->authorization; -- 2.7.4
-- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.