When a user does not have the required permissions to use an API operation, it
would be useful to let them know which permissions they are missing. Since the
permissions are now defined in Swagger, we can easily render them into the response.
To test:
1. Use a patron without any permissions
2. Make GET request to http://yourlib/api/v1/patrons
3. Observe permission error and see that required_permissions are displayed.
4. Run t/db_dependent/api/v1/patrons.t
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
my $permissions = $authorization->{'permissions'};
return $next->($c) if C4::Auth::haspermission($user->userid, $permissions);
return $c->render_swagger(
- { error => "Authorization failure. Missing required permission(s)." },
+ { error => "Authorization failure. Missing required permission(s).",
+ required_permissions => $permissions },
{},
403
);
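Review bot: The new `required_permissions` field in the 403 body returns `$permissions` exactly as read from `$authorization->{'permissions'}`, so every caller who fails the check learns which permission names the route requires. The `$user->userid` call on the line above suggests the caller is already authenticated at this point, but that check is outside the hunk; it is worth confirming that unauthenticated requests are rejected earlier and never reach this branch. I would add a comment above the render call, `# Deliberately echoes the route's required permissions; only reached by authenticated users.`, and, if the spec's error definition does not already list it, declare `required_permissions` there so the documented 403 shape matches what is sent. The enclosing function starts and ends outside the hunk.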
use Modern::Perl;
-use Test::More tests => 19;
+use Test::More tests => 20;
use Test::Mojo;
use t::lib::TestBuilder;
$tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . ($borrower->{ borrowernumber }-1));
$tx->req->cookies({name => 'CGISESSID', value => $session->id});
$t->request_ok($tx)
- ->status_is(403);
+ ->status_is(403)
+ ->json_is('/required_permissions', {"borrowers" => "1"});
# User without permissions, but is the owner of the object
$tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . $borrower->{borrowernumber});