Bug 24862: Regression tests
authorTomas Cohen Arazi <tomascohen@theke.io>
Fri, 13 Mar 2020 14:44:03 +0000 (11:44 -0300)
committerVictor Grousset/tuxayo <victor@tuxayo.net>
Tue, 30 Jun 2020 19:19:07 +0000 (21:19 +0200)
This patch introduces tests for the expected behaviour of API routes
that expect a logged-in user when the request is made with an anonymous
session cookie.

To test:
1. Apply this patch
2. Run:
   $ kshell
  k$ prove t/db_dependent/api/v1/auth_authenticate_api_request.t
=> FAIL: Tests fail because the situation is not handled correctly in
the code

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: David Nind <david@davidnind.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 0547ad34dfe01ca7d7660df59e29bc30fdf3cf1d)

Signed-off-by: Aleisha Amohia <aleishaamohia@hotmail.com>

(cherry picked from commit 8d2255bddcdfad75d8b40daf47bb24c0fd13a9ed)
Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

t/db_dependent/api/v1/auth_authenticate_api_request.t

index 8583125..d5fbb74 100755 (executable)
@@ -97,7 +97,7 @@ subtest 'token-based tests' => sub {
 
 subtest 'cookie-based tests' => sub {
 
-    plan tests => 5;
+    plan tests => 6;
 
     $schema->storage->txn_begin;
 
@@ -116,6 +116,25 @@ subtest 'cookie-based tests' => sub {
     is( ref($user), 'Koha::Patron', 'Stashed koha.user object type is Koha::Patron') and
     is( $user->borrowernumber, $borrowernumber, 'The stashed user is the right one' );
 
+    subtest 'logged-out tests' => sub {
+        plan tests => 3;
+
+        # Generate an anonymous session
+        my $session = C4::Auth::get_session('');
+        $session->param( 'ip',          $remote_address );
+        $session->param( 'lasttime',    time() );
+        $session->param( 'sessiontype', 'anon' );
+        $session->flush;
+
+        my $tx = $t->ua->build_tx( GET => '/api/v1/libraries' );
+        $tx->req->cookies({ name => 'CGISESSID', value => $session->id });
+        $tx->req->env({ REMOTE_ADDR => $remote_address });
+
+        $t->request_ok($tx)
+          ->status_is( 401, 'Anonymous session on permission protected resource returns 401' )
+          ->json_is( { error => 'Authentication failure.' } );
+    };
+
     $schema->storage->txn_rollback;
 };
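Review bot: The anonymous session built at the top of the new 'logged-out tests' subtest is never deleted, and its comment ("Generate an anonymous session") does not say why such a session must be rejected, so the test reads as if any cookie mapping to a session were expected to fail. I would expand the comment to `# An 'anon' session is a valid CGISESSID cookie that carries no patron; the route requires a logged-in user, so the API must answer 401 rather than treat the session as authenticated`. If C4::Auth sessions are not stored inside the transaction rolled back below (file-backed storage, for example), `$session` outlives the test run; a trailing `$session->delete; $session->flush;` at the end of the subtest would avoid that, though the storage backend cannot be confirmed from this hunk. The enclosing 'cookie-based tests' subtest starts before the hunk, and `$remote_address` and `$t` are defined outside it.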