+subtest "Test endpoints with permission" => sub {
+ plan tests => 42;
+
+ $tx = $t->ua->build_tx(GET => '/api/v1/holds');
+ $tx->req->cookies({name => 'CGISESSID', value => $session->id});
+ $t->request_ok($tx)
+ ->status_is(200)
+ ->json_has('/0')
+ ->json_has('/1')
+ ->json_has('/2')
+ ->json_hasnt('/3');
+
+ $tx = $t->ua->build_tx(GET => '/api/v1/holds?priority=2');
+ $tx->req->cookies({name => 'CGISESSID', value => $session->id});
+ $t->request_ok($tx)
+ ->status_is(200)
+ ->json_is('/0/borrowernumber', $nopermission->{borrowernumber})
+ ->json_hasnt('/1');
+
+ $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id" => json => $put_data);
+ $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
+ $t->request_ok($tx)
+ ->status_is(200)
+ ->json_is('/reserve_id', $reserve_id)
+ ->json_is('/suspend_until', $suspend_until . ' 00:00:00')
+ ->json_is('/priority', 2);
+
+ $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id");
+ $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
+ $t->request_ok($tx)
+ ->status_is(200);
+
+ $tx = $t->ua->build_tx(PUT => "/api/v1/holds/$reserve_id" => json => $put_data);
+ $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
+ $t->request_ok($tx)
+ ->status_is(404)
+ ->json_has('/error');
+
+ $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id");
+ $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
+ $t->request_ok($tx)
+ ->status_is(404)
+ ->json_has('/error');
+
+ $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=".$borrower->borrowernumber);
+ $tx->req->cookies({name => 'CGISESSID', value => $session2->id}); # get with borrowers flag
+ $t->request_ok($tx)
+ ->status_is(200)
+ ->json_is([]);
+
+ my $inexisting_borrowernumber = $borrowernumber2*2;
+ $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$inexisting_borrowernumber");
+ $tx->req->cookies({name => 'CGISESSID', value => $session->id});
+ $t->request_ok($tx)
+ ->status_is(200)
+ ->json_is([]);
+
+ $dbh->do('DELETE FROM issuingrules');
+ $dbh->do(q{
+ INSERT INTO issuingrules (categorycode, branchcode, itemtype, reservesallowed)
+ VALUES (?, ?, ?, ?)
+ }, {}, '*', '*', '*', 1);
+
+ $tx = $t->ua->build_tx(DELETE => "/api/v1/holds/$reserve_id2");
+ $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
+ $t->request_ok($tx)
+ ->status_is(200);
+
+ $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
+ $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
+ $t->request_ok($tx)
+ ->status_is(201)
+ ->json_has('/reserve_id');
+ $reserve_id = $t->tx->res->json->{reserve_id};
+
+ $tx = $t->ua->build_tx(GET => "/api/v1/holds?borrowernumber=$borrowernumber");
+ $tx->req->cookies({name => 'CGISESSID', value => $session->id});
+ $t->request_ok($tx)
+ ->status_is(200)
+ ->json_is('/0/reserve_id', $reserve_id)
+ ->json_is('/0/expirationdate', $expirationdate)
+ ->json_is('/0/branchcode', $branchcode);
+
+ $tx = $t->ua->build_tx(POST => "/api/v1/holds" => json => $post_data);
+ $tx->req->cookies({name => 'CGISESSID', value => $session3->id});
+ $t->request_ok($tx)
+ ->status_is(403)
+ ->json_like('/error', qr/tooManyReserves/);
+};