3 # This file is part of Koha.
5 # Koha is free software; you can redistribute it and/or modify it under the
6 # terms of the GNU General Public License as published by the Free Software
7 # Foundation; either version 3 of the License, or (at your option) any later
10 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
11 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
12 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License along
15 # with Koha; if not, write to the Free Software Foundation, Inc.,
16 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 use Test::More tests => 4;
22 use t::lib::TestBuilder;
33 use Koha::Biblioitems;
37 my $schema = Koha::Database->new->schema;
38 my $builder = t::lib::TestBuilder->new();
# Everything below runs inside a single transaction that is rolled back at the
# end of the script, so the fixture rows and the DELETEs never persist.
40 $schema->storage->txn_begin;
42 # FIXME: sessionStorage defaults to mysql, but it seems to break transaction handling
43 # this affects the other REST api tests
44 t::lib::Mocks::mock_preference( 'SessionStorage', 'tmp' );
# Every session created below records ip => '127.0.0.1'; REMOTE_ADDR is pinned
# to the same value so the two agree.
# NOTE(review): presumably the auth layer compares the session ip with the
# request address — confirm in C4::Auth before relying on this in other tests.
46 $ENV{REMOTE_ADDR} = '127.0.0.1';
47 my $t = Test::Mojo->new('Koha::REST::V1');
# Shared category/branch so all fixture patrons are comparable apart from flags.
50 my $categorycode = $builder->build({ source => 'Category' })->{categorycode};
51 my $branchcode = $builder->build({ source => 'Branch' })->{branchcode};
53 # User without any permissions
# Used to check that a caller with no flags is rejected on other users' holds
# but may still act on holds that belong to them (see the "own object" subtest).
# The surrounding build({ ... }) call spans lines not shown in this excerpt.
54 my $nopermission = $builder->build({
57 branchcode => $branchcode,
58 categorycode => $categorycode,
# Sessions are created directly, bypassing the login flow; the tests then send
# the session id as the CGISESSID cookie.
62 my $session_nopermission = C4::Auth::get_session('');
63 $session_nopermission->param('number', $nopermission->{ borrowernumber });
64 $session_nopermission->param('id', $nopermission->{ userid });
65 $session_nopermission->param('ip', '127.0.0.1');
66 $session_nopermission->param('lasttime', time());
67 $session_nopermission->flush;
# flags is the patron's permission bitmask: 16 = borrowers, 64 = reserveforothers,
# 80 = both. The value attribute lines of each build_object call are not all
# visible in this excerpt.
69 my $patron_1 = $builder->build_object(
71 class => 'Koha::Patrons',
73 categorycode => $categorycode,
74 branchcode => $branchcode,
75 surname => 'Test Surname',
76 flags => 80, #borrowers and reserveforothers flags
81 my $patron_2 = $builder->build_object(
83 class => 'Koha::Patrons',
85 categorycode => $categorycode,
86 branchcode => $branchcode,
87 surname => 'Test Surname 2',
88 flags => 16, # borrowers flag
93 my $patron_3 = $builder->build_object(
95 class => 'Koha::Patrons',
97 categorycode => $categorycode,
98 branchcode => $branchcode,
99 surname => 'Test Surname 3',
100 flags => 64, # reserveforothers flag
# One session per privileged patron; $session/$session2/$session3 map to
# $patron_1/$patron_2/$patron_3 respectively.
106 my $session = C4::Auth::get_session('');
107 $session->param('number', $patron_1->borrowernumber);
108 $session->param('id', $patron_1->userid);
109 $session->param('ip', '127.0.0.1');
110 $session->param('lasttime', time());
112 my $session2 = C4::Auth::get_session('');
113 $session2->param('number', $patron_2->borrowernumber);
114 $session2->param('id', $patron_2->userid);
115 $session2->param('ip', '127.0.0.1');
116 $session2->param('lasttime', time());
118 my $session3 = C4::Auth::get_session('');
119 $session3->param('number', $patron_3->borrowernumber);
120 $session3->param('id', $patron_3->userid);
121 $session3->param('ip', '127.0.0.1');
122 $session3->param('lasttime', time());
# Two bibliographic records with one item each; create_biblio/create_item are
# helper subs defined at the bottom of the file.
125 my $biblionumber = create_biblio('RESTful Web APIs');
126 my $itemnumber = create_item($biblionumber, 'TEST000001');
128 my $biblionumber2 = create_biblio('RESTful Web APIs');
129 my $itemnumber2 = create_item($biblionumber2, 'TEST000002');
# Start from an empty holds table and a single wildcard rule allowing one hold
# per patron; presumably this rule is what produces the tooManyReserves error
# asserted at the end of the last subtest. Both DELETEs are undone by the
# rollback at the end of the script. The full INSERT statement spans lines not
# shown in this excerpt.
131 my $dbh = C4::Context->dbh;
132 $dbh->do('DELETE FROM reserves');
133 $dbh->do('DELETE FROM issuingrules');
135 INSERT INTO issuingrules (categorycode, branchcode, itemtype, reservesallowed)
137 }, {}, '*', '*', '*', 1);
# Seed hold for $patron_1 (priority 1) that the permission subtests update and
# delete through the API.
139 my $reserve_id = C4::Reserves::AddReserve($branchcode, $patron_1->borrowernumber,
140 $biblionumber, undef, 1, undef, undef, undef, '', $itemnumber);
142 # Add another reserve to be able to change first reserve's rank
143 my $reserve_id2 = C4::Reserves::AddReserve($branchcode, $patron_2->borrowernumber,
144 $biblionumber, undef, 2, undef, undef, undef, '', $itemnumber);
146 my $suspend_until = DateTime->now->add(days => 10)->ymd;
147 my $expirationdate = DateTime->now->add(days => 10)->ymd;
# Request payloads. The lines declaring $post_data and $put_data are not part
# of this excerpt; borrowernumber/biblionumber/itemnumber are cast with int()
# so they serialise as JSON numbers rather than strings.
150 borrowernumber => int($patron_1->borrowernumber),
151 biblionumber => int($biblionumber),
152 itemnumber => int($itemnumber),
153 branchcode => $branchcode,
154 expirationdate => $expirationdate,
158 suspend_until => $suspend_until,
# Authentication: no CGISESSID cookie at all. The expected status assertions
# follow each call on lines not present in this excerpt.
161 subtest "Test endpoints without authentication" => sub {
163 $t->get_ok('/api/v1/holds')
165 $t->post_ok('/api/v1/holds')
167 $t->put_ok('/api/v1/holds/0')
169 $t->delete_ok('/api/v1/holds/0')
# Authorization: a valid session whose patron lacks the required flag must be
# rejected on another patron's holds. The $session3 GET checks that the
# reserveforothers flag alone does not grant the listing permission.
174 subtest "Test endpoints without permission" => sub {
177 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=" . $patron_1->borrowernumber);
178 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
179 $t->request_ok($tx) # no permission
181 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=" . $patron_1->borrowernumber);
182 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
183 $t->request_ok($tx) # reserveforothers permission
185 $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data );
186 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
187 $t->request_ok($tx) # no permission
189 $tx = $t->ua->build_tx(PUT => "/api/v1/holds/0" => json => $put_data );
190 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
191 $t->request_ok($tx) # no permission
193 $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/0");
194 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
195 $t->request_ok($tx) # no permission
# Object ownership: the same flagless patron may create, list and update holds
# that belong to them. $post_data->{borrowernumber} is temporarily swapped to
# the flagless patron and restored afterwards.
198 subtest "Test endpoints without permission, but accessing own object" => sub {
201 my $borrno_tmp = $post_data->{'borrowernumber'};
202 $post_data->{'borrowernumber'} = int $nopermission->{'borrowernumber'};
203 $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
204 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
205 $t->request_ok($tx) # create hold to myself
207 ->json_has('/reserve_id');
209 $post_data->{'borrowernumber'} = $borrno_tmp;
210 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=".$nopermission-> { borrowernumber });
211 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
212 $t->request_ok($tx) # get my own holds
214 ->json_is('/0/borrowernumber', $nopermission->{ borrowernumber })
215 ->json_is('/0/biblionumber', $biblionumber)
216 ->json_is('/0/itemnumber', $itemnumber)
217 ->json_is('/0/expirationdate', $expirationdate)
218 ->json_is('/0/branchcode', $branchcode);
# find() on borrowernumber is only unambiguous because this patron owns exactly
# one hold at this point.
220 my $reserve_id3 = Koha::Holds->find({ borrowernumber => $nopermission->{borrowernumber} })->reserve_id;
221 $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id3" => json => $put_data);
222 $tx->req->cookies({name => 'CGISESSID', value => $session_nopermission->id});
223 $t->request_ok($tx) # create hold to myself
224 ->status_is(200)->json_is( '/reserve_id', $reserve_id3 )->json_is(
228 dateformat => 'rfc3339',
229 dt => dt_from_string( $suspend_until . ' 00:00:00', 'sql' )
233 ->json_is( '/priority', 2 );
# Privileged access: $session (flags 80) may list all holds, $session3
# (reserveforothers) may update/delete/create for others, $session2 (borrowers)
# may list another patron's holds. Several assertion chains continue on lines
# not present in this excerpt.
236 subtest "Test endpoints with permission" => sub {
239 $tx = $t->ua->build_tx(GET => '/api/v1/holds');
240 $tx->req->cookies({name => 'CGISESSID', value => $session->id});
248 $tx = $t->ua->build_tx(GET => '/api/v1/holds?priority=2');
249 $tx->req->cookies({name => 'CGISESSID', value => $session->id});
252 ->json_is('/0/borrowernumber', $nopermission->{borrowernumber})
255 $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id" => json => $put_data);
256 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
257 $t->request_ok($tx)->status_is(200)->json_is( '/reserve_id', $reserve_id )
262 dateformat => 'rfc3339',
263 dt => dt_from_string( $suspend_until . ' 00:00:00', 'sql' )
267 ->json_is( '/priority', 2 );
269 $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id");
270 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
# After the DELETE above, PUT/DELETE on the same id must report an error
# rather than succeed silently.
274 $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id" => json => $put_data);
275 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
278 ->json_has('/error');
280 $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id");
281 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
284 ->json_has('/error');
286 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=" . $patron_1->borrowernumber);
287 $tx->req->cookies({name => 'CGISESSID', value => $session2->id}); # get with borrowers flag
# NOTE(review): doubling an existing id is not guaranteed to yield an unused
# borrowernumber — other fixtures may occupy that value. An id known to be
# absent (e.g. one taken from a row that was then deleted) would make this
# "unknown patron" check reliable.
292 my $inexisting_borrowernumber = $patron_2->borrowernumber * 2;
293 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$inexisting_borrowernumber");
294 $tx->req->cookies({name => 'CGISESSID', value => $session->id});
299 $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id2");
300 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
# Re-create $patron_1's hold through the API and capture the new id for the
# following GET assertions.
304 $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
305 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
308 ->json_has('/reserve_id');
309 $reserve_id = $t->tx->res->json->{reserve_id};
311 $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=" . $patron_1->borrowernumber);
312 $tx->req->cookies({name => 'CGISESSID', value => $session->id});
315 ->json_is('/0/reserve_id', $reserve_id)
316 ->json_is('/0/expirationdate', $expirationdate)
317 ->json_is('/0/branchcode', $branchcode);
# Duplicate hold on the same item is refused ...
319 $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
320 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
323 ->json_like('/error', qr/itemAlreadyOnHold/);
# ... and a hold on a different item exceeds the reservesallowed => 1 rule.
325 $post_data->{biblionumber} = int($biblionumber2);
326 $post_data->{itemnumber} = int($itemnumber2);
327 $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
328 $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
331 ->json_like('/error', qr/tooManyReserves/);
# Undo every fixture row and DELETE issued above.
334 $schema->storage->txn_rollback;
# Body of create_biblio($title): stores a Koha::Biblio plus its Koha::Biblioitem
# and returns the new biblionumber. The `sub` header line is not part of this
# excerpt.
339 my $biblio = Koha::Biblio->new( { title => $title } )->store;
340 my $biblioitem = Koha::Biblioitem->new({biblionumber => $biblio->biblionumber})->store;
342 return $biblio->biblionumber;
# Body of create_item($biblionumber, $barcode): any existing item with the same
# barcode is removed first so the fixture barcode stays unique, then a new item
# attached to $biblionumber is built and its itemnumber returned. The `sub`
# header and part of the build() argument list are not part of this excerpt.
346 my ( $biblionumber, $barcode ) = @_;
348 Koha::Items->search( { barcode => $barcode } )->delete;
349 my $builder = t::lib::TestBuilder->new;
350 my $item = $builder->build(
354 biblionumber => $biblionumber,
360 return $item->{itemnumber};