[Koha-bugs] [Bug 22522] API authentication breaks with updated Mojolicious version

bugzilla-daemon at bugs.koha-community.org
Tue Mar 19 18:51:47 CET 2019


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22522

--- Comment #3 from José-Mario Monteiro-Santos <jose-mario.monteiro-santos at inlibro.com> ---
Created attachment 86756
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=86756&action=edit
Bug 22522 - Update API specs' access in Auth.pm

With newer versions of Mojolicious and its plugins, endpoints' specs
could no longer be accessed, thus bypassing authorization checks
and failing to validate query parameters.

Test plan:
1. Without being logged in to Koha, access an endpoint directly
   (such as /api/v1/patrons/{patron_id})
2. Notice results are received (which is bad since we're not authenticated)
3. Try again with an endpoint that accepts query parameters
   (such as /api/v1/patrons?firstname=something)
4. Notice that the query is not accepted (even with correct parameters)

5. Apply the patch

6. Repeat step 1
7. Notice that the access is denied
8. Log in as a user with proper access rights
9. Repeat step 1
10. Notice that you can now get results
11. Repeat step 3
12. Notice that the query is now accepted
13. Repeat step 3 but with an absurd parameter
14. Notice the query is correctly rejected

15. Ideally, check if other API calls were not broken

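The post-patch half of the test plan above (steps 6 to 14) can be scripted as a regression check. This is an added example, not part of the original comment or of Koha's code. The status codes (401/403 for denied, 400 for a rejected query, 200 for success), the `no_such_param` parameter, the default `patron_id` and the `cookie` argument are assumptions.

```python
import urllib.error
import urllib.request

# Assumed status codes (not stated in the bug report): 401/403 when access
# is denied, 400 when a query fails spec validation, 200 on success.
DENIED = {401, 403}


def http_status(base_url, cookie=None):
    """Return a fetcher mapping an API path to the HTTP status of a GET."""
    def fetch(path):
        req = urllib.request.Request(base_url + path)
        if cookie:  # session cookie of a logged-in user (assumed auth method)
            req.add_header("Cookie", cookie)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code  # 4xx/5xx arrive as exceptions; keep the code
    return fetch


def check_auth_regression(anon, authed, patron_id=1):
    """Run steps 6-14 of the test plan; return the failed expectations."""
    one = f"/api/v1/patrons/{patron_id}"         # patron_id must exist
    good = "/api/v1/patrons?firstname=something"
    bad = "/api/v1/patrons?no_such_param=1"      # constructed "absurd" parameter
    failures = []
    # Steps 6-7: without a session, the endpoint must deny access.
    if anon(one) not in DENIED:
        failures.append(f"anonymous GET {one} was not denied")
    # Steps 8-10: a user with proper access rights gets results.
    if authed(one) != 200:
        failures.append(f"authenticated GET {one} did not succeed")
    # Steps 11-12: a valid query parameter is accepted.
    if authed(good) != 200:
        failures.append(f"valid query {good} was rejected")
    # Steps 13-14: a parameter missing from the spec is rejected.
    if authed(bad) != 400:
        failures.append(f"invalid query {bad} was not rejected")
    return failures
```

Against a test instance, pass `http_status(base_url)` as `anon` and `http_status(base_url, cookie=...)` as `authed`; an empty list means every expectation held.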