3 # This file is part of Koha.
5 # Koha is free software; you can redistribute it and/or modify it under the
6 # terms of the GNU General Public License as published by the Free Software
7 # Foundation; either version 3 of the License, or (at your option) any later
10 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
11 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
12 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License along
15 # with Koha; if not, write to the Free Software Foundation, Inc.,
16 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 use Test
::More tests
=> 5;
22 use t
::lib
::TestBuilder
;
34 use Koha
::Biblioitems
;
38 my $schema = Koha
::Database
->new->schema;
39 my $builder = t
::lib
::TestBuilder
->new();
41 $schema->storage->txn_begin;
43 # FIXME: sessionStorage defaults to mysql, but it seems to break transaction handling
44 # this affects the other REST api tests
45 t
::lib
::Mocks
::mock_preference
( 'SessionStorage', 'tmp' );
47 $ENV{REMOTE_ADDR
} = '127.0.0.1';
48 my $t = Test
::Mojo
->new('Koha::REST::V1');
51 my $categorycode = $builder->build({ source
=> 'Category' })->{categorycode
};
52 my $branchcode = $builder->build({ source
=> 'Branch' })->{branchcode
};
53 my $itemtype = $builder->build({ source
=> 'Itemtype' })->{itemtype
};
55 # User without any permissions
56 my $nopermission = $builder->build({
59 branchcode
=> $branchcode,
60 categorycode
=> $categorycode,
64 my $session_nopermission = C4
::Auth
::get_session
('');
65 $session_nopermission->param('number', $nopermission->{ borrowernumber
});
66 $session_nopermission->param('id', $nopermission->{ userid
});
67 $session_nopermission->param('ip', '127.0.0.1');
68 $session_nopermission->param('lasttime', time());
69 $session_nopermission->flush;
71 my $patron_1 = $builder->build_object(
73 class => 'Koha::Patrons',
75 categorycode
=> $categorycode,
76 branchcode
=> $branchcode,
77 surname
=> 'Test Surname',
78 flags
=> 80, #borrowers and reserveforothers flags
83 my $patron_2 = $builder->build_object(
85 class => 'Koha::Patrons',
87 categorycode
=> $categorycode,
88 branchcode
=> $branchcode,
89 surname
=> 'Test Surname 2',
90 flags
=> 16, # borrowers flag
95 my $patron_3 = $builder->build_object(
97 class => 'Koha::Patrons',
99 categorycode
=> $categorycode,
100 branchcode
=> $branchcode,
101 surname
=> 'Test Surname 3',
102 flags
=> 64, # reserveforothers flag
108 my $session = C4
::Auth
::get_session
('');
109 $session->param('number', $patron_1->borrowernumber);
110 $session->param('id', $patron_1->userid);
111 $session->param('ip', '127.0.0.1');
112 $session->param('lasttime', time());
114 my $session2 = C4
::Auth
::get_session
('');
115 $session2->param('number', $patron_2->borrowernumber);
116 $session2->param('id', $patron_2->userid);
117 $session2->param('ip', '127.0.0.1');
118 $session2->param('lasttime', time());
120 my $session3 = C4
::Auth
::get_session
('');
121 $session3->param('number', $patron_3->borrowernumber);
122 $session3->param('id', $patron_3->userid);
123 $session3->param('ip', '127.0.0.1');
124 $session3->param('lasttime', time());
127 my $biblionumber = create_biblio
('RESTful Web APIs');
128 my $item = create_item
($biblionumber, 'TEST000001');
129 my $itemnumber = $item->{itemnumber
};
130 $item->{itype
} = $itemtype;
131 C4
::Items
::ModItem
($item, $biblionumber, $itemnumber);
133 my $biblionumber2 = create_biblio
('RESTful Web APIs');
134 my $item2 = create_item
($biblionumber2, 'TEST000002');
135 my $itemnumber2 = $item2->{itemnumber
};
137 my $dbh = C4
::Context
->dbh;
138 $dbh->do('DELETE FROM reserves');
139 $dbh->do('DELETE FROM issuingrules');
141 INSERT INTO issuingrules (categorycode, branchcode, itemtype, reservesallowed)
143 }, {}, '*', '*', '*', 1);
145 my $reserve_id = C4
::Reserves
::AddReserve
($branchcode, $patron_1->borrowernumber,
146 $biblionumber, undef, 1, undef, undef, undef, '', $itemnumber);
148 # Add another reserve to be able to change first reserve's rank
149 my $reserve_id2 = C4
::Reserves
::AddReserve
($branchcode, $patron_2->borrowernumber,
150 $biblionumber, undef, 2, undef, undef, undef, '', $itemnumber);
152 my $suspend_until = DateTime
->now->add(days
=> 10)->ymd;
153 my $expirationdate = DateTime
->now->add(days
=> 10)->ymd;
156 borrowernumber
=> int($patron_1->borrowernumber),
157 biblionumber
=> int($biblionumber),
158 itemnumber
=> int($itemnumber),
159 branchcode
=> $branchcode,
160 expirationdate
=> $expirationdate,
164 suspend_until
=> $suspend_until,
167 subtest
"Test endpoints without authentication" => sub {
169 $t->get_ok('/api/v1/holds')
171 $t->post_ok('/api/v1/holds')
173 $t->put_ok('/api/v1/holds/0')
175 $t->delete_ok('/api/v1/holds/0')
180 subtest
"Test endpoints without permission" => sub {
183 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=" . $patron_1->borrowernumber);
184 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
185 $t->request_ok($tx) # no permission
187 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=" . $patron_1->borrowernumber);
188 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
189 $t->request_ok($tx) # reserveforothers permission
191 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data );
192 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
193 $t->request_ok($tx) # no permission
195 $tx = $t->ua->build_tx(PUT
=> "/api/v1/holds/0" => json
=> $put_data );
196 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
197 $t->request_ok($tx) # no permission
199 $tx = $t->ua->build_tx(DELETE
=> "/api/v1/holds/0");
200 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
201 $t->request_ok($tx) # no permission
204 subtest
"Test endpoints without permission, but accessing own object" => sub {
207 my $borrno_tmp = $post_data->{'borrowernumber'};
208 $post_data->{'borrowernumber'} = int $nopermission->{'borrowernumber'};
209 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data);
210 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
211 $t->request_ok($tx) # create hold to myself
213 ->json_has('/reserve_id');
215 $post_data->{'borrowernumber'} = $borrno_tmp;
216 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=".$nopermission-> { borrowernumber
});
217 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
218 $t->request_ok($tx) # get my own holds
220 ->json_is('/0/borrowernumber', $nopermission->{ borrowernumber
})
221 ->json_is('/0/biblionumber', $biblionumber)
222 ->json_is('/0/itemnumber', $itemnumber)
223 ->json_is('/0/expirationdate', $expirationdate)
224 ->json_is('/0/branchcode', $branchcode);
226 my $reserve_id3 = Koha
::Holds
->find({ borrowernumber
=> $nopermission->{borrowernumber
} })->reserve_id;
227 $tx = $t->ua->build_tx(PUT
=> "/api/v1/holds/$reserve_id3" => json
=> $put_data);
228 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
229 $t->request_ok($tx) # create hold to myself
230 ->status_is(200)->json_is( '/reserve_id', $reserve_id3 )->json_is(
234 dateformat
=> 'rfc3339',
235 dt
=> dt_from_string
( $suspend_until . ' 00:00:00', 'sql' )
239 ->json_is( '/priority', 2 )
240 ->json_is( '/itemnumber', $itemnumber );
243 subtest
"Test endpoints with permission" => sub {
246 $tx = $t->ua->build_tx(GET
=> '/api/v1/holds');
247 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session->id});
255 $tx = $t->ua->build_tx(GET
=> '/api/v1/holds?priority=2');
256 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session->id});
259 ->json_is('/0/borrowernumber', $nopermission->{borrowernumber
})
262 $tx = $t->ua->build_tx(PUT
=> "/api/v1/holds/$reserve_id" => json
=> $put_data);
263 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
264 $t->request_ok($tx)->status_is(200)->json_is( '/reserve_id', $reserve_id )
269 dateformat
=> 'rfc3339',
270 dt
=> dt_from_string
( $suspend_until . ' 00:00:00', 'sql' )
274 ->json_is( '/priority', 2 );
276 $tx = $t->ua->build_tx(DELETE
=> "/api/v1/holds/$reserve_id");
277 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
281 $tx = $t->ua->build_tx(PUT
=> "/api/v1/holds/$reserve_id" => json
=> $put_data);
282 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
285 ->json_has('/error');
287 $tx = $t->ua->build_tx(DELETE
=> "/api/v1/holds/$reserve_id");
288 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
291 ->json_has('/error');
293 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=" . $patron_1->borrowernumber);
294 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session2->id}); # get with borrowers flag
299 my $inexisting_borrowernumber = $patron_2->borrowernumber * 2;
300 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=$inexisting_borrowernumber");
301 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session->id});
306 $tx = $t->ua->build_tx(DELETE
=> "/api/v1/holds/$reserve_id2");
307 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
311 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data);
312 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
315 ->json_has('/reserve_id');
316 $reserve_id = $t->tx->res->json->{reserve_id
};
318 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=" . $patron_1->borrowernumber);
319 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session->id});
322 ->json_is('/0/reserve_id', $reserve_id)
323 ->json_is('/0/expirationdate', $expirationdate)
324 ->json_is('/0/branchcode', $branchcode);
326 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data);
327 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
330 ->json_like('/error', qr
/itemAlreadyOnHold
/);
332 $post_data->{biblionumber
} = int($biblionumber2);
333 $post_data->{itemnumber
} = int($itemnumber2);
334 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data);
335 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
338 ->json_like('/error', qr
/tooManyReserves
/);
342 subtest
'Reserves with itemtype' => sub {
346 borrowernumber
=> int($patron_1->borrowernumber),
347 biblionumber
=> int($biblionumber),
348 branchcode
=> $branchcode,
349 itemtype
=> $itemtype,
352 $tx = $t->ua->build_tx(DELETE
=> "/api/v1/holds/$reserve_id");
353 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
357 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data);
358 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
361 ->json_has('/reserve_id');
363 $reserve_id = $t->tx->res->json->{reserve_id
};
365 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=" . $patron_1->borrowernumber);
366 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session->id});
369 ->json_is('/0/reserve_id', $reserve_id)
370 ->json_is('/0/itemtype', $itemtype);
373 $schema->storage->txn_rollback;
378 my $biblio = Koha
::Biblio
->new( { title
=> $title } )->store;
379 my $biblioitem = Koha
::Biblioitem
->new({biblionumber
=> $biblio->biblionumber})->store;
381 return $biblio->biblionumber;
385 my ( $biblionumber, $barcode ) = @_;
387 Koha
::Items
->search( { barcode
=> $barcode } )->delete;
388 my $builder = t
::lib
::TestBuilder
->new;
389 my $item = $builder->build(
393 biblionumber
=> $biblionumber,