Bug 14868: Display required permissions in permission error response
authorLari Taskula <larit@student.uef.fi>
Tue, 23 Aug 2016 12:38:44 +0000 (15:38 +0300)
committerKyle M Hall <kyle@bywatersolutions.com>
Fri, 2 Sep 2016 12:20:36 +0000 (12:20 +0000)
When a user does not have the required permissions to use an API operation, it
would be useful to let them know which permissions they are missing. Since they
are now defined in Swagger, we can easily render them into the response.

To test:
1. Use a patron without any permissions
2. Make GET request to http://yourlib/api/v1/patrons
3. Observe permission error and see that required_permissions are displayed.
4. Run t/db_dependent/api/v1/patrons.t

Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Koha/REST/V1.pm
t/db_dependent/api/v1/patrons.t

index 4cb6236..03342d4 100644 (file)
@@ -87,7 +87,8 @@ sub authenticate_api_request {
     my $permissions = $authorization->{'permissions'};
     return $next->($c) if C4::Auth::haspermission($user->userid, $permissions);
     return $c->render_swagger(
-        { error => "Authorization failure. Missing required permission(s)." },
+        { error => "Authorization failure. Missing required permission(s).",
+          required_permissions => $permissions },
         {},
         403
     );
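Review bot: The 403 body in `render_swagger` now echoes the route's whole `$permissions` structure to a caller who has just been denied, which is every required permission rather than only the missing ones the commit message describes. That is low risk if the Swagger spec is already readable by the same callers, but nothing in the hunk shows that, so the decision should be stated in the code, for example `# required_permissions mirrors the route's x-koha-authorization entry; it must never carry per-user data`. The `$user->userid` call suggests this branch runs only for an authenticated session, but `authenticate_api_request` starts above the hunk, so confirm that unauthenticated requests cannot reach it. If only the missing permissions are wanted, they would need to be filtered against the user's flags before rendering.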
index 6286234..f4b9410 100644 (file)
@@ -17,7 +17,7 @@
 
 use Modern::Perl;
 
-use Test::More tests => 19;
+use Test::More tests => 20;
 use Test::Mojo;
 use t::lib::TestBuilder;
 
@@ -84,7 +84,8 @@ $t->request_ok($tx)
 $tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . ($borrower->{ borrowernumber }-1));
 $tx->req->cookies({name => 'CGISESSID', value => $session->id});
 $t->request_ok($tx)
-  ->status_is(403);
+  ->status_is(403)
+  ->json_is('/required_permissions', {"borrowers" => "1"});
 
 # User without permissions, but is the owner of the object
 $tx = $t->ua->build_tx(GET => "/api/v1/patrons/" . $borrower->{borrowernumber});
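Review bot: The added `json_is` covers only the authenticated-but-unprivileged 403, so nothing visible here checks that a request without a session gets no permission details back. If the file has an unauthenticated case (it is not in this hunk), adding `->json_hasnt('/required_permissions')` to it would pin that boundary, with the plan raised to `tests => 21`. The hard-coded `{"borrowers" => "1"}` also ties the test to the current spec entry for this route, so a comment saying where that value comes from would help whoever changes the spec.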