Bug 22216: Make GET /patrons/{patron_id} staff only

This patch removes the possibility to access the patron object
identified by patron_id by the patron itself, or a guarantor.

It does so by removing the permissions from the spec. The tests are
adjusted to remove that use case.

To test:
- Apply this patch
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/patrons.t
=> SUCCESS: Tests pass!
- Sign off :-D

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

diff --git a/api/v1/swagger/paths/patrons.json b/api/v1/swagger/paths/patrons.json
index 4a710d6..27bd08f 100644 (file)
--- a/api/v1/swagger/paths/patrons.json
+++ b/api/v1/swagger/paths/patrons.json
@@ -571,8 +571,6 @@
         }
       },
       "x-koha-authorization": {
-        "allow-owner": true,
-        "allow-guarantor": true,
         "permissions": {
           "borrowers": "edit_borrowers"
         }

diff --git a/t/db_dependent/api/v1/patrons.t b/t/db_dependent/api/v1/patrons.t
index 8b28d77..6e0b557 100644 (file)
--- a/t/db_dependent/api/v1/patrons.t
+++ b/t/db_dependent/api/v1/patrons.t
@@ -94,43 +94,12 @@ subtest 'list() tests' => sub {
 };
 
 subtest 'get() tests' => sub {
-    plan tests => 3;
+    plan tests => 2;
 
     $schema->storage->txn_begin;
     unauthorized_access_tests('GET', -1, undef);
     $schema->storage->txn_rollback;
 
-    subtest 'access own object tests' => sub {
-        plan tests => 4;
-
-        $schema->storage->txn_begin;
-
-        my ( $patron_id, $session_id ) = create_user_and_session({ authorized => 0 });
-
-        # Access patron's own data even though they have no borrowers flag
-        my $tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . $patron_id);
-        $tx->req->cookies({ name => 'CGISESSID', value => $session_id });
-        $tx->req->env({ REMOTE_ADDR => '127.0.0.1' });
-        $t->request_ok($tx)
-          ->status_is(200);
-
-        my $guarantee = $builder->build_object({
-            class => 'Koha::Patrons',
-            value => {
-                guarantorid => $patron_id,
-            }
-        });
-
-        # Access guarantee's data even though guarantor has no borrowers flag
-        $tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . $guarantee->id );
-        $tx->req->cookies({ name => 'CGISESSID', value => $session_id });
-        $tx->req->env({ REMOTE_ADDR => '127.0.0.1' });
-        $t->request_ok($tx)
-          ->status_is(200);
-
-        $schema->storage->txn_rollback;
-    };
-
     subtest 'librarian access tests' => sub {
         plan tests => 6;