https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17445 --- Comment #8 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- (In reply to Jonathan Druart from comment #6)
Created attachment 56547 [details] [review] Bug 17445: Move the params check after the authentication check
If the user is not authorised to call this route, we would prefer to raise a 403 instead of 400
Note that we wanted to submit tests for this change but the city code does not let use do that (we are allowed to list/show cities even without any permissions). The patrons.t is not complete enought and the holds.t tests do not pass...
Tomas plans to submit tests but we reach the end of the hackfest ;)
Also agree with this change.. it didn't even occur to me to think about error code presidency in this case.. Generically I think you tend to just work backwards down the error codes, so your checking for a 403 failure before a more generic 400 is perfect in this case. Good spot! :) -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.