3 # This file is part of Koha.
5 # Koha is free software; you can redistribute it and/or modify it under the
6 # terms of the GNU General Public License as published by the Free Software
7 # Foundation; either version 3 of the License, or (at your option) any later
10 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
11 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
12 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License along
15 # with Koha; if not, write to the Free Software Foundation, Inc.,
16 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 use Test::More tests => 4;
22 use t::lib::TestBuilder;
34 my $builder = t::lib::TestBuilder->new();
36 my $dbh = C4::Context->dbh;
37 $dbh->{AutoCommit} = 0;
38 $dbh->{RaiseError} = 1;
40 $ENV{REMOTE_ADDR} = '127.0.0.1';
41 my $t = Test::Mojo->new('Koha::REST::V1');
44 my $categorycode = Koha::Database->new()->schema()->resultset('Category')->first()->categorycode();
45 my $branchcode = Koha::Database->new()->schema()->resultset('Branch')->first()->branchcode();
47 # User without any permissions
48 my $nopermission = $builder->build({
51 branchcode => $branchcode,
52 categorycode => $categorycode,
56 my $session_nopermission = C4::Auth::get_session('');
57 $session_nopermission->param('number', $nopermission->{ borrowernumber });
58 $session_nopermission->param('id', $nopermission->{ userid });
59 $session_nopermission->param('ip', '127.0.0.1');
60 $session_nopermission->param('lasttime', time());
61 $session_nopermission->flush;
63 my $borrower = Koha::Patron->new;
64 $borrower->categorycode( $categorycode );
65 $borrower->branchcode( $branchcode );
66 $borrower->surname("Test Surname");
67 $borrower->flags(80); #borrowers and reserveforothers flags
68 $borrower->userid($nopermission->{ userid }."z");
70 my $borrowernumber = $borrower->borrowernumber;
72 my $borrower2 = Koha::Patron->new;
73 $borrower2->categorycode( $categorycode );
74 $borrower2->branchcode( $branchcode );
75 $borrower2->surname("Test Surname 2");
76 $borrower2->userid($nopermission->{ userid }."x");
77 $borrower2->flags(16); # borrowers flag
79 my $borrowernumber2 = $borrower2->borrowernumber;
81 my $borrower3 = Koha::Patron->new;
82 $borrower3->categorycode( $categorycode );
83 $borrower3->branchcode( $branchcode );
84 $borrower3->surname("Test Surname 2");
85 $borrower3->userid($nopermission->{ userid }."y");
86 $borrower3->flags(64); # reserveforothers flag
88 my $borrowernumber3 = $borrower3->borrowernumber;
91 my $session = C4::Auth::get_session('');
92 $session->param('number', $borrower->borrowernumber);
93 $session->param('id', $borrower->userid);
94 $session->param('ip', '127.0.0.1');
95 $session->param('lasttime', time());
97 my $session2 = C4::Auth::get_session('');
98 $session2->param('number', $borrower2->borrowernumber);
99 $session2->param('id', $borrower2->userid);
100 $session2->param('ip', '127.0.0.1');
101 $session2->param('lasttime', time());
103 my $session3 = C4::Auth::get_session('');
104 $session3->param('number', $borrower3->borrowernumber);
105 $session3->param('id', $borrower3->userid);
106 $session3->param('ip', '127.0.0.1');
107 $session3->param('lasttime', time());
110 my $biblionumber = create_biblio('RESTful Web APIs');
111 my $itemnumber = create_item($biblionumber, 'TEST000001');
113 $dbh->do('DELETE FROM reserves');
115 my $reserve_id = C4::Reserves::AddReserve($branchcode, $borrowernumber,
116 $biblionumber, undef, 1, undef, undef, undef, '', $itemnumber);
118 # Add another reserve to be able to change first reserve's rank
119 my $reserve_id2 = C4::Reserves::AddReserve($branchcode, $borrowernumber2,
120 $biblionumber, undef, 2, undef, undef, undef, '', $itemnumber);
122 my $suspend_until = DateTime->now->add(days => 10)->ymd;
123 my $expirationdate = DateTime->now->add(days => 10)->ymd;
126 borrowernumber => int($borrowernumber),
127 biblionumber => int($biblionumber),
128 itemnumber => int($itemnumber),
129 branchcode => $branchcode,
130 expirationdate => $expirationdate,
134 suspend_until => $suspend_until,
137 subtest "Test endpoints without authentication" => sub {
139 $t->get_ok('/api/v1/holds')
141 $t->post_ok('/api/v1/holds')
143 $t->put_ok('/api/v1/holds/0')
145 $t->delete_ok('/api/v1/holds/0')
150 subtest "Test endpoints without permission" => sub {
153 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$borrowernumber");
154 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
155 $t->request_ok($tx) # no permission
157 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$borrowernumber");
158 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
159 $t->request_ok($tx) # reserveforothers permission
161 $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data );
162 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
163 $t->request_ok($tx) # no permission
165 $tx = $t->ua->build_tx(PUT => "/api/v1/holds/0" => json => $put_data );
166 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
167 $t->request_ok($tx) # no permission
169 $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/0");
170 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
171 $t->request_ok($tx) # no permission
174 subtest "Test endpoints without permission, but accessing own object" => sub {
177 my $borrno_tmp = $post_data->{'borrowernumber'};
178 $post_data->{'borrowernumber'} = int $nopermission->{'borrowernumber'};
179 $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
180 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
181 $t->request_ok($tx) # create hold to myself
183 ->json_has('/reserve_id');
185 $post_data->{'borrowernumber'} = $borrno_tmp;
186 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=".$nopermission-> { borrowernumber });
187 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
188 $t->request_ok($tx) # get my own holds
190 ->json_is('/0/borrowernumber', $nopermission->{ borrowernumber })
191 ->json_is('/0/biblionumber', $biblionumber)
192 ->json_is('/0/itemnumber', $itemnumber)
193 ->json_is('/0/expirationdate', $expirationdate)
194 ->json_is('/0/branchcode', $branchcode);
196 my $reserve_id3 = Koha::Holds->find({ borrowernumber => $nopermission->{borrowernumber} })->reserve_id;
197 $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id3" => json => $put_data);
198 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
199 $t->request_ok($tx) # create hold to myself
201 ->json_is('/reserve_id', $reserve_id3)
202 ->json_is('/suspend_until', $suspend_until . ' 00:00:00')
203 ->json_is('/priority', 2);
206 subtest "Test endpoints with permission" => sub {
209 $tx = $t->ua->build_tx(GET => '/api/v1/holds');
210 $tx->req->cookies({name => 'CGISESSID', value => $session->id});
218 $tx = $t->ua->build_tx(GET => '/api/v1/holds?priority=2');
219 $tx->req->cookies({name => 'CGISESSID', value => $session->id});
222 ->json_is('/0/borrowernumber', $nopermission->{borrowernumber})
225 $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id" => json => $put_data);
226 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
229 ->json_is('/reserve_id', $reserve_id)
230 ->json_is('/suspend_until', $suspend_until . ' 00:00:00')
231 ->json_is('/priority', 2);
233 $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id");
234 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
238 $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id" => json => $put_data);
239 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
242 ->json_has('/error');
244 $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id");
245 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
248 ->json_has('/error');
250 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=".$borrower->borrowernumber);
251 $tx->req->cookies({name => 'CGISESSID', value => $session2->id}); # get with borrowers flag
256 my $inexisting_borrowernumber = $borrowernumber2*2;
257 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$inexisting_borrowernumber");
258 $tx->req->cookies({name => 'CGISESSID', value => $session->id});
263 $dbh->do('DELETE FROM issuingrules');
265 INSERT INTO issuingrules (categorycode, branchcode, itemtype, reservesallowed)
267 }, {}, '*', '*', '*', 1);
269 $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id2");
270 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
274 $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
275 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
278 ->json_has('/reserve_id');
279 $reserve_id = $t->tx->res->json->{reserve_id};
281 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$borrowernumber");
282 $tx->req->cookies({name => 'CGISESSID', value => $session->id});
285 ->json_is('/0/reserve_id', $reserve_id)
286 ->json_is('/0/expirationdate', $expirationdate)
287 ->json_is('/0/branchcode', $branchcode);
289 $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
290 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
293 ->json_like('/error', qr/tooManyReserves/);
302 my $record = new MARC::Record;
303 $record->append_fields(
304 new MARC::Field('200', ' ', ' ', a => $title),
307 my ($biblionumber) = C4::Biblio::AddBiblio($record, '');
309 return $biblionumber;
313 my ($biblionumber, $barcode) = @_;
318 $dbh->do("DELETE FROM items WHERE barcode='$barcode'") if $barcode;
320 my $itemnumber = C4::Items::AddItem($item, $biblionumber);