Bug 13799: Add cookie-based authentication to REST API

author Julian Maurice <julian.maurice@biblibre.com>

Mon, 31 Aug 2015 15:00:52 +0000 (17:00 +0200)

committer Tomas Cohen Arazi <tomascohen@theke.io>

Wed, 4 Nov 2015 16:47:32 +0000 (13:47 -0300)
author Julian Maurice <julian.maurice@biblibre.com>
Mon, 31 Aug 2015 15:00:52 +0000 (17:00 +0200)
committer Tomas Cohen Arazi <tomascohen@theke.io>
Wed, 4 Nov 2015 16:47:32 +0000 (13:47 -0300)
diff --git a/Koha/REST/V1.pm b/Koha/REST/V1.pm

index 39cdab9..7d7102d 100644 (file)
--- a/Koha/REST/V1.pm
+++ b/Koha/REST/V1.pm
@@ -3,15 +3,23 @@ package Koha::REST::V1;
  use Modern::Perl;
  use Mojo::Base 'Mojolicious';
  
+use C4::Auth qw( check_cookie_auth get_session );
+use Koha::Borrowers;
+
  sub startup {
      my $self = shift;
  
      my $route = $self->routes->under->to(
          cb => sub {
              my $c = shift;
-            my $user = $c->param('user');
-            # Do the authentication stuff here...
-            $c->stash('user', $user);
+
+            my ($status, $sessionID) = check_cookie_auth($c->cookie('CGISESSID'));
+            if ($status eq "ok") {
+                my $session = get_session($sessionID);
+                my $user = Koha::Borrowers->find($session->param('number'));
+                $c->stash('koha.user' => $user);
+            }
+
              return 1;
          }
      );
diff --git a/Koha/REST/V1/Borrowers.pm b/Koha/REST/V1/Borrowers.pm

index b58ad2a..8857df4 100644 (file)
--- a/Koha/REST/V1/Borrowers.pm
+++ b/Koha/REST/V1/Borrowers.pm
@@ -4,11 +4,17 @@ use Modern::Perl;
  
  use Mojo::Base 'Mojolicious::Controller';
  
+use C4::Auth qw( haspermission );
  use Koha::Borrowers;
  
  sub list_borrowers {
      my ($c, $args, $cb) = @_;
  
+    my $user = $c->stash('koha.user');
+    unless ($user && haspermission($user->userid, {borrowers => 1})) {
+        return $c->$cb({error => "You don't have the required permission"}, 403);
+    }
+
      my $borrowers = Koha::Borrowers->search;
  
      $c->$cb($borrowers->unblessed, 200);
@@ -17,13 +23,21 @@ sub list_borrowers {
  sub get_borrower {
      my ($c, $args, $cb) = @_;
  
-    my $borrower = Koha::Borrowers->find($args->{borrowernumber});
+    my $user = $c->stash('koha.user');
  
-    if ($borrower) {
-        return $c->$cb($borrower->unblessed, 200);
+    unless ( $user
+        && ( $user->borrowernumber == $args->{borrowernumber}
+            || haspermission($user->userid, {borrowers => 1}) ) )
+    {
+        return $c->$cb({error => "You don't have the required permission"}, 403);
+    }
+
+    my $borrower = Koha::Borrowers->find($args->{borrowernumber});
+    unless ($borrower) {
+        return $c->$cb({error => "Borrower not found"}, 404);
      }
  
-    $c->$cb({error => "Borrower not found"}, 404);
+    return $c->$cb($borrower->unblessed, 200);
  }
  
  1;
diff --git a/api/v1/swagger.json b/api/v1/swagger.json

index 9672f15..a20cb20 100644 (file)
--- a/api/v1/swagger.json
+++ b/api/v1/swagger.json
@@ -31,6 +31,12 @@
                  "$ref": "#/definitions/borrower"
                }
              }
+          },
+          "403": {
+            "description": "Access forbidden",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
            }
          }
        }
@@ -55,6 +61,12 @@
                "$ref": "#/definitions/borrower"
              }
            },
+          "403": {
+            "description": "Access forbidden",
+            "schema": {
+              "$ref": "#/definitions/error"
+            }
+          },
            "404": {
              "description": "Borrower not found",
              "schema": {
author	Julian Maurice <julian.maurice@biblibre.com>
	Mon, 31 Aug 2015 15:00:52 +0000 (17:00 +0200)
committer	Tomas Cohen Arazi <tomascohen@theke.io>
	Wed, 4 Nov 2015 16:47:32 +0000 (13:47 -0300)
Koha/REST/V1.pm		patch \| blob \| history
Koha/REST/V1/Borrowers.pm		patch \| blob \| history
api/v1/swagger.json		patch \| blob \| history