t/db_dependent/api/v1/holds.t

   1 #!/usr/bin/env perl
   2
   3 # This file is part of Koha.
   4 #
   5 # Koha is free software; you can redistribute it and/or modify it under the
   6 # terms of the GNU General Public License as published by the Free Software
   7 # Foundation; either version 3 of the License, or (at your option) any later
   8 # version.
   9 #
  10 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
  11 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
  12 # A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU General Public License along
  15 # with Koha; if not, write to the Free Software Foundation, Inc.,
  16 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  17
  18 use Modern::Perl;
  19
  20 use Test::More tests => 4;
  21 use Test::Mojo;
  22 use t::lib::TestBuilder;
  23
  24 use DateTime;
  25
  26 use C4::Context;
  27 use C4::Reserves;
  28
  29 use Koha::Database;
  30 use Koha::Biblios;
  31 use Koha::Items;
  32 use Koha::Patrons;
  33
  34 my $builder = t::lib::TestBuilder->new();
  35
  36 my $dbh = C4::Context->dbh;
  37 $dbh->{AutoCommit} = 0;
  38 $dbh->{RaiseError} = 1;
  39
  40 $ENV{REMOTE_ADDR} = '127.0.0.1';
  41 my $t = Test::Mojo->new('Koha::REST::V1');
  42 my $tx;
  43
  44 my $categorycode = $builder->build({ source => 'Category' })->{categorycode};
  45 my $branchcode = $builder->build({ source => 'Branch' })->{branchcode};
  46
  47 # User without any permissions
  48 my $nopermission = $builder->build({
  49     source => 'Borrower',
  50     value => {
  51         branchcode   => $branchcode,
  52         categorycode => $categorycode,
  53         flags        => 0
  54     }
  55 });
  56 my $session_nopermission = C4::Auth::get_session('');
  57 $session_nopermission->param('number', $nopermission->{ borrowernumber });
  58 $session_nopermission->param('id', $nopermission->{ userid });
  59 $session_nopermission->param('ip', '127.0.0.1');
  60 $session_nopermission->param('lasttime', time());
  61 $session_nopermission->flush;
  62
  63 my $borrower = Koha::Patron->new;
  64 $borrower->categorycode( $categorycode );
  65 $borrower->branchcode( $branchcode );
  66 $borrower->surname("Test Surname");
  67 $borrower->flags(80); #borrowers and reserveforothers flags
  68 $borrower->userid($nopermission->{ userid }."z");
  69 $borrower->store;
  70 my $borrowernumber = $borrower->borrowernumber;
  71
  72 my $borrower2 = Koha::Patron->new;
  73 $borrower2->categorycode( $categorycode );
  74 $borrower2->branchcode( $branchcode );
  75 $borrower2->surname("Test Surname 2");
  76 $borrower2->userid($nopermission->{ userid }."x");
  77 $borrower2->flags(16); # borrowers flag
  78 $borrower2->store;
  79 my $borrowernumber2 = $borrower2->borrowernumber;
  80
  81 my $borrower3 = Koha::Patron->new;
  82 $borrower3->categorycode( $categorycode );
  83 $borrower3->branchcode( $branchcode );
  84 $borrower3->surname("Test Surname 2");
  85 $borrower3->userid($nopermission->{ userid }."y");
  86 $borrower3->flags(64); # reserveforothers flag
  87 $borrower3->store;
  88 my $borrowernumber3 = $borrower3->borrowernumber;
  89
  90 # Get sessions
  91 my $session = C4::Auth::get_session('');
  92 $session->param('number', $borrower->borrowernumber);
  93 $session->param('id', $borrower->userid);
  94 $session->param('ip', '127.0.0.1');
  95 $session->param('lasttime', time());
  96 $session->flush;
  97 my $session2 = C4::Auth::get_session('');
  98 $session2->param('number', $borrower2->borrowernumber);
  99 $session2->param('id', $borrower2->userid);
 100 $session2->param('ip', '127.0.0.1');
 101 $session2->param('lasttime', time());
 102 $session2->flush;
 103 my $session3 = C4::Auth::get_session('');
 104 $session3->param('number', $borrower3->borrowernumber);
 105 $session3->param('id', $borrower3->userid);
 106 $session3->param('ip', '127.0.0.1');
 107 $session3->param('lasttime', time());
 108 $session3->flush;
 109
 110 my $biblionumber = create_biblio('RESTful Web APIs');
 111 my $itemnumber = create_item($biblionumber, 'TEST000001');
 112
 113 my $biblionumber2 = create_biblio('RESTful Web APIs');
 114 my $itemnumber2 = create_item($biblionumber2, 'TEST000002');
 115
 116 $dbh->do('DELETE FROM reserves');
 117 $dbh->do('DELETE FROM issuingrules');
 118     $dbh->do(q{
 119         INSERT INTO issuingrules (categorycode, branchcode, itemtype, reservesallowed)
 120         VALUES (?, ?, ?, ?)
 121     }, {}, '*', '*', '*', 1);
 122
 123 my $reserve_id = C4::Reserves::AddReserve($branchcode, $borrowernumber,
 124     $biblionumber, undef, 1, undef, undef, undef, '', $itemnumber);
 125
 126 # Add another reserve to be able to change first reserve's rank
 127 my $reserve_id2 = C4::Reserves::AddReserve($branchcode, $borrowernumber2,
 128     $biblionumber, undef, 2, undef, undef, undef, '', $itemnumber);
 129
 130 my $suspend_until = DateTime->now->add(days => 10)->ymd;
 131 my $expirationdate = DateTime->now->add(days => 10)->ymd;
 132
 133 my $post_data = {
 134     borrowernumber => int($borrowernumber),
 135     biblionumber => int($biblionumber),
 136     itemnumber => int($itemnumber),
 137     branchcode => $branchcode,
 138     expirationdate => $expirationdate,
 139 };
 140 my $put_data = {
 141     priority => 2,
 142     suspend_until => $suspend_until,
 143 };
 144
 145 subtest "Test endpoints without authentication" => sub {
 146     plan tests => 8;
 147     $t->get_ok('/api/v1/holds')
 148       ->status_is(401);
 149     $t->post_ok('/api/v1/holds')
 150       ->status_is(401);
 151     $t->put_ok('/api/v1/holds/0')
 152       ->status_is(401);
 153     $t->delete_ok('/api/v1/holds/0')
 154       ->status_is(401);
 155 };
 156
 157
 158 subtest "Test endpoints without permission" => sub {
 159     plan tests => 10;
 160
 161     $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$borrowernumber");
 162     $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
 163     $t->request_ok($tx) # no permission
 164       ->status_is(403);
 165     $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$borrowernumber");
 166     $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
 167     $t->request_ok($tx) # reserveforothers permission
 168       ->status_is(403);
 169     $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data );
 170     $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
 171     $t->request_ok($tx) # no permission
 172       ->status_is(403);
 173     $tx = $t->ua->build_tx(PUT => "/api/v1/holds/0" => json => $put_data );
 174     $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
 175     $t->request_ok($tx) # no permission
 176       ->status_is(403);
 177     $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/0");
 178     $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
 179     $t->request_ok($tx) # no permission
 180       ->status_is(403);
 181 };
 182 subtest "Test endpoints without permission, but accessing own object" => sub {
 183     plan tests => 15;
 184
 185     my $borrno_tmp = $post_data->{'borrowernumber'};
 186     $post_data->{'borrowernumber'} = int $nopermission->{'borrowernumber'};
 187     $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
 188     $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
 189     $t->request_ok($tx) # create hold to myself
 190       ->status_is(201)
 191       ->json_has('/reserve_id');
 192
 193     $post_data->{'borrowernumber'} = $borrno_tmp;
 194     $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=".$nopermission-> { borrowernumber });
 195     $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
 196     $t->request_ok($tx) # get my own holds
 197       ->status_is(200)
 198       ->json_is('/0/borrowernumber', $nopermission->{ borrowernumber })
 199       ->json_is('/0/biblionumber', $biblionumber)
 200       ->json_is('/0/itemnumber', $itemnumber)
 201       ->json_is('/0/expirationdate', $expirationdate)
 202       ->json_is('/0/branchcode', $branchcode);
 203
 204     my $reserve_id3 = Koha::Holds->find({ borrowernumber => $nopermission->{borrowernumber} })->reserve_id;
 205     $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id3" => json => $put_data);
 206     $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
 207     $t->request_ok($tx) # create hold to myself
 208       ->status_is(200)
 209       ->json_is('/reserve_id', $reserve_id3)
 210       ->json_is('/suspend_until', $suspend_until . ' 00:00:00')
 211       ->json_is('/priority', 2);
 212 };
 213
 214 subtest "Test endpoints with permission" => sub {
 215     plan tests => 45;
 216
 217     $tx = $t->ua->build_tx(GET => '/api/v1/holds');
 218     $tx->req->cookies({name => 'CGISESSID', value => $session->id});
 219     $t->request_ok($tx)
 220       ->status_is(200)
 221       ->json_has('/0')
 222       ->json_has('/1')
 223       ->json_has('/2')
 224       ->json_hasnt('/3');
 225
 226     $tx = $t->ua->build_tx(GET => '/api/v1/holds?priority=2');
 227     $tx->req->cookies({name => 'CGISESSID', value => $session->id});
 228     $t->request_ok($tx)
 229       ->status_is(200)
 230       ->json_is('/0/borrowernumber', $nopermission->{borrowernumber})
 231       ->json_hasnt('/1');
 232
 233     $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id" => json => $put_data);
 234     $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
 235     $t->request_ok($tx)
 236       ->status_is(200)
 237       ->json_is('/reserve_id', $reserve_id)
 238       ->json_is('/suspend_until', $suspend_until . ' 00:00:00')
 239       ->json_is('/priority', 2);
 240
 241     $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id");
 242     $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
 243     $t->request_ok($tx)
 244       ->status_is(200);
 245
 246     $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id" => json => $put_data);
 247     $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
 248     $t->request_ok($tx)
 249       ->status_is(404)
 250       ->json_has('/error');
 251
 252     $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id");
 253     $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
 254     $t->request_ok($tx)
 255       ->status_is(404)
 256       ->json_has('/error');
 257
 258     $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=".$borrower->borrowernumber);
 259     $tx->req->cookies({name => 'CGISESSID', value => $session2->id}); # get with borrowers flag
 260     $t->request_ok($tx)
 261       ->status_is(200)
 262       ->json_is([]);
 263
 264     my $inexisting_borrowernumber = $borrowernumber2*2;
 265     $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$inexisting_borrowernumber");
 266     $tx->req->cookies({name => 'CGISESSID', value => $session->id});
 267     $t->request_ok($tx)
 268       ->status_is(200)
 269       ->json_is([]);
 270
 271     $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id2");
 272     $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
 273     $t->request_ok($tx)
 274       ->status_is(200);
 275
 276     $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
 277     $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
 278     $t->request_ok($tx)
 279       ->status_is(201)
 280       ->json_has('/reserve_id');
 281     $reserve_id = $t->tx->res->json->{reserve_id};
 282
 283     $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$borrowernumber");
 284     $tx->req->cookies({name => 'CGISESSID', value => $session->id});
 285     $t->request_ok($tx)
 286       ->status_is(200)
 287       ->json_is('/0/reserve_id', $reserve_id)
 288       ->json_is('/0/expirationdate', $expirationdate)
 289       ->json_is('/0/branchcode', $branchcode);
 290
 291     $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
 292     $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
 293     $t->request_ok($tx)
 294       ->status_is(403)
 295       ->json_like('/error', qr/itemAlreadyOnHold/);
 296
 297     $post_data->{biblionumber} = int($biblionumber2);
 298     $post_data->{itemnumber} = int($itemnumber2);
 299     $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
 300     $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
 301     $t->request_ok($tx)
 302       ->status_is(403)
 303       ->json_like('/error', qr/tooManyReserves/);
 304 };
 305
 306
 307 $dbh->rollback;
 308
 309 sub create_biblio {
 310     my ($title) = @_;
 311
 312     my $biblio = Koha::Biblio->new( { title => $title } )->store;
 313
 314     return $biblio->biblionumber;
 315 }
 316
 317 sub create_item {
 318     my ( $biblionumber, $barcode ) = @_;
 319
 320     Koha::Items->search( { barcode => $barcode } )->delete;
 321     my $builder = t::lib::TestBuilder->new;
 322     my $item    = $builder->build(
 323         {
 324             source => 'Item',
 325             value  => {
 326                 biblionumber     => $biblionumber,
 327                 barcode          => $barcode,
 328             }
 329         }
 330     );
 331
 332     return $item->{itemnumber};
 333 }