Bug 22061: Add a /public namespace that can be switched on/off

This patch adds a check in Koha::REST::V1::Auth::under to catch all
routes that begin with 'public' (inside /api/v1). If they match, and the
RESTPublicAPI syspref is off, then an exception is thrown, rendering a
403 error to the consumer.

Otherwise the routes are processed as usual. This is THE on/off switch
for the public REST API. The target use case: people not wanting an OPAC
or public interaction with the API besides privileged users.

In order to test, the rest of the patches are needed because the only
way to test a route is having it in the spec.

To test:
- Apply the patches
- Run:
  $ kshell
 k$ prove t/db_dependent/api/v1/auth.t
=> SUCCESS: tests pass!
- Sign off :-D

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

diff --git a/Koha/REST/V1/Auth.pm b/Koha/REST/V1/Auth.pm
index a8b548f..763262e 100644 (file)
--- a/Koha/REST/V1/Auth.pm
+++ b/Koha/REST/V1/Auth.pm
@@ -55,8 +55,19 @@ sub under {
     my $c = shift->openapi->valid_input or return;;
 
     my $status = 0;
+
     try {
 
+        # /api/v1/{namespace}
+        my $namespace = $c->req->url->to_abs->path->[2];
+
+        if ( $namespace eq 'public'
+            and !C4::Context->preference('RESTPublicAPI') )
+        {
+            Koha::Exceptions::Authorization->throw(
+                "Configuration prevents the usage of this endpoint by unprivileged users");
+        }
+
         $status = authenticate_api_request($c);
 
     } catch {
@@ -87,6 +98,9 @@ sub under {
                 required_permissions => $_->required_permissions,
             });
         }
+        elsif ($_->isa('Koha::Exceptions::Authorization')) {
+            return $c->render(status => 403, json => { error => $_->error });
+        }
         elsif ($_->isa('Koha::Exceptions')) {
             return $c->render(status => 500, json => { error => $_->error });
         }

diff --git a/t/db_dependent/api/v1/auth.t b/t/db_dependent/api/v1/auth.t
index 447028c..4f47227 100644 (file)
--- a/t/db_dependent/api/v1/auth.t
+++ b/t/db_dependent/api/v1/auth.t
@@ -39,12 +39,27 @@ my $t              = Test::Mojo->new('Koha::REST::V1');
 my $tx;
 
 subtest 'under() tests' => sub {
-    plan tests => 15;
+
+    plan tests => 20;
 
     $schema->storage->txn_begin;
 
     my ($borrowernumber, $session_id) = create_user_and_session();
 
+    # disable the /public namespace
+    t::lib::Mocks::mock_preference( 'RESTPublicAPI', 0 );
+    $tx = $t->ua->build_tx( POST => "/api/v1/public/patrons/$borrowernumber/password" );
+    $tx->req->env( { REMOTE_ADDR => $remote_address } );
+    $t->request_ok($tx)
+      ->status_is(403)
+      ->json_is('/error', 'Configuration prevents the usage of this endpoint by unprivileged users');
+
+    # enable the /public namespace
+    t::lib::Mocks::mock_preference( 'RESTPublicAPI', 1 );
+    $tx = $t->ua->build_tx( GET => "/api/v1/public/patrons/$borrowernumber/password" );
+    $tx->req->env( { REMOTE_ADDR => $remote_address } );
+    $t->request_ok($tx)->status_is(404);
+
     # 401 (no authentication)
     $tx = $t->ua->build_tx( GET => "/api/v1/patrons" );
     $tx->req->env( { REMOTE_ADDR => $remote_address } );