Bug 22227: Make GET /cities staff only
author Tomas Cohen Arazi <tomascohen@theke.io>
Tue, 29 Jan 2019 14:29:06 +0000 (11:29 -0300)
committer Nick Clemens <nick@bywatersolutions.com>
Fri, 15 Feb 2019 18:42:46 +0000 (18:42 +0000)

This patch removes the possibility to access the city objects without
privileged access (minimum permissions == catalogue).

It does so by adding the required permissions to the spec. The tests are
adjusted.

To test:
- Apply this patch
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/cities.t
=> SUCCESS: Tests pass!
- Sign off :-D

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

api/v1/swagger/paths/cities.json
t/db_dependent/api/v1/cities.t

index 96bbe55..5779a48 100644 (file)
             "$ref": "../definitions.json#/error"
           }
         }
+      },
+      "x-koha-authorization": {
+        "permissions": {
+            "catalogue": "1"
+        }
       }
     },
     "post": {
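Review bot: The added `"catalogue": "1"` line is indented four spaces deeper than `"permissions"`, while every other level visible in this hunk steps by two. Re-indent it to the file's two-space style so the spec stays consistent and later diffs of this block stay small.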
             "$ref": "../definitions.json#/error"
           }
         }
+      },
+      "x-koha-authorization": {
+        "permissions": {
+            "catalogue": "1"
+        }
       }
     },
     "put": {
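Review bot: The subject line names only GET /cities, but this block is added to a second operation, the one that precedes `"put": {` rather than `"post": {`. The get() subtest in this patch requests "/api/v1/cities/" . $city->id, which suggests the single-city GET is the one being restricted here; state that in the commit message so the full scope of the permission change is on record.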
index 765fdb7..ba64c29 100644 (file)
@@ -45,8 +45,7 @@ subtest 'list() tests' => sub {
     $schema->storage->txn_begin;
 
     Koha::Cities->search->delete;
-    my ( $borrowernumber, $session_id ) =
-      create_user_and_session( { authorized => 0 } );
+    my ( $borrowernumber, $session_id ) = create_user_and_session({ authorized => 1 });
 
     ## Authorized user tests
     # No cities, so empty array should be returned
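Review bot: Nothing in the visible lines of list() still exercises a user without permissions once the session is created with `authorized => 1`, so the test no longer shows that the new restriction is enforced. Unless a later part of the subtest already covers it, keep a second session created with `authorized => 0` and assert that the list request is refused rather than answered with 200, and add a request that sends no CGISESSID cookie at all.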
@@ -116,7 +115,7 @@ subtest 'get() tests' => sub {
     $schema->storage->txn_begin;
 
     my $city = $builder->build_object({ class => 'Koha::Cities' });
-    my ( $borrowernumber, $session_id ) = create_user_and_session({ authorized => 0 });
+    my ( $borrowernumber, $session_id ) = create_user_and_session({ authorized => 1 });
 
     my $tx = $t->ua->build_tx( GET => "/api/v1/cities/" . $city->id );
     $tx->req->cookies({ name => 'CGISESSID', value => $session_id });
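Review bot: `authorized => 1` in get() does not say which permission the helper grants, while the spec now requires `catalogue` specifically. If create_user_and_session hands out broader rights than that, this test would pass no matter which permission the spec names; consider creating the user with only the catalogue permission so the test pins the minimum stated in the commit message.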