+=head3 check_object_ownership
+
+Determines ownership of an object from request parameters.
+
+As introducing an endpoint that allows access for object's owner; if the
+parameter that will be used to determine ownership is not already inside
+$parameters, add a new subroutine that checks the ownership and extend
+$parameters to contain a key with parameter_name and a value of a subref to
+the subroutine that you created.
+
+=cut
+
+sub check_object_ownership {
+ my ($c, $user) = @_;
+
+ return if not $c or not $user;
+
+ my $parameters = {
+ accountlines_id => \&_object_ownership_by_accountlines_id,
+ borrowernumber => \&_object_ownership_by_borrowernumber,
+ checkout_id => \&_object_ownership_by_checkout_id,
+ reserve_id => \&_object_ownership_by_reserve_id,
+ };
+
+ foreach my $param (keys $parameters) {
+ my $check_ownership = $parameters->{$param};
+ if ($c->stash($param)) {
+ return &$check_ownership($c, $user, $c->stash($param));
+ }
+ elsif ($c->param($param)) {
+ return &$check_ownership($c, $user, $c->param($param));
+ }
+ elsif ($c->req->json && $c->req->json->{$param}) {
+ return 1 if &$check_ownership($c, $user, $c->req->json->{$param});
+ }
+ }
+}
+
+=head3 _object_ownership_by_accountlines_id
+
+Finds a Koha::Account::Line-object by C<$accountlines_id> and checks if it
+belongs to C<$user>.
+
+=cut
+
+sub _object_ownership_by_accountlines_id {
+ my ($c, $user, $accountlines_id) = @_;
+
+ my $accountline = Koha::Account::Lines->find($accountlines_id);
+ return $accountline && $user->borrowernumber == $accountline->borrowernumber;
+}
+
+=head3 _object_ownership_by_borrowernumber
+
+Compares C<$borrowernumber> to currently logged in C<$user>.
+
+=cut
+
+sub _object_ownership_by_borrowernumber {
+ my ($c, $user, $borrowernumber) = @_;
+
+ return $user->borrowernumber == $borrowernumber;
+}
+
+=head3 _object_ownership_by_checkout_id
+
+First, attempts to find a Koha::Issue-object by C<$issue_id>. If we find one,
+compare its borrowernumber to currently logged in C<$user>. However, if an issue
+is not found, attempt to find a Koha::OldIssue-object instead and compare its
+borrowernumber to currently logged in C<$user>.
+
+=cut
+
+sub _object_ownership_by_checkout_id {
+ my ($c, $user, $issue_id) = @_;
+
+ my $issue = Koha::Issues->find($issue_id);
+ $issue = Koha::OldIssues->find($issue_id) unless $issue;
+ return $issue && $issue->borrowernumber
+ && $user->borrowernumber == $issue->borrowernumber;
+}
+
+=head3 _object_ownership_by_reserve_id
+
+Finds a Koha::Hold-object by C<$reserve_id> and checks if it
+belongs to C<$user>.
+
+TODO: Also compare against old_reserves
+
+=cut
+
+sub _object_ownership_by_reserve_id {
+ my ($c, $user, $reserve_id) = @_;
+
+ my $reserve = Koha::Holds->find($reserve_id);
+ return $reserve && $user->borrowernumber == $reserve->borrowernumber;
+}
+
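Review bot: The loop in check_object_ownership decides ownership from whichever parameter `keys` yields first, and the stash and query branches return that single result immediately. When a request carries more than one of these parameters (for example a `borrowernumber` alongside a `checkout_id`), only one is checked, and which one depends on hash order. For an authorization helper the safer contract is that every ownership parameter present in the stash, query or JSON body must belong to `$user`, returning false as soon as one does not; the JSON branch is also inconsistent with the other two, since it falls through on a failed check instead of returning. Separately, `keys $parameters` on a hash reference is experimental syntax that later Perl releases removed, so `keys %$parameters` is the portable form, and `$check_ownership->(...)` reads better than `&$check_ownership(...)`.

```perl
sub check_object_ownership {
    # … unchanged: argument check and $parameters dispatch table …

    my $json    = $c->req->json;
    my $checked = 0;

    # Fixed order, and every supplied ownership parameter must pass.
    foreach my $param (sort keys %$parameters) {
        my $check_ownership = $parameters->{$param};
        my @values = grep { $_ } (
            scalar $c->stash($param),
            scalar $c->param($param),
            ( ref $json eq 'HASH' ? $json->{$param} : () ),
        );
        foreach my $value (@values) {
            return unless $check_ownership->($c, $user, $value);
            $checked = 1;
        }
    }

    # False when no ownership parameter was supplied at all.
    return $checked;
}
```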