3 # This file is part of Koha.
5 # Koha is free software; you can redistribute it and/or modify it under the
6 # terms of the GNU General Public License as published by the Free Software
7 # Foundation; either version 3 of the License, or (at your option) any later
10 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
11 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
12 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License along
15 # with Koha; if not, write to the Free Software Foundation, Inc.,
16 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
20 use Test
::More tests
=> 4;
22 use t
::lib
::TestBuilder
;
34 my $builder = t
::lib
::TestBuilder
->new();
36 my $dbh = C4
::Context
->dbh;
37 $dbh->{AutoCommit
} = 0;
38 $dbh->{RaiseError
} = 1;
40 $ENV{REMOTE_ADDR
} = '127.0.0.1';
41 my $t = Test
::Mojo
->new('Koha::REST::V1');
44 my $categorycode = $builder->build({ source
=> 'Category' })->{categorycode
};
45 my $branchcode = $builder->build({ source
=> 'Branch' })->{branchcode
};
47 # User without any permissions
48 my $nopermission = $builder->build({
51 branchcode
=> $branchcode,
52 categorycode
=> $categorycode,
56 my $session_nopermission = C4
::Auth
::get_session
('');
57 $session_nopermission->param('number', $nopermission->{ borrowernumber
});
58 $session_nopermission->param('id', $nopermission->{ userid
});
59 $session_nopermission->param('ip', '127.0.0.1');
60 $session_nopermission->param('lasttime', time());
61 $session_nopermission->flush;
63 my $borrower = Koha
::Patron
->new;
64 $borrower->categorycode( $categorycode );
65 $borrower->branchcode( $branchcode );
66 $borrower->surname("Test Surname");
67 $borrower->flags(80); #borrowers and reserveforothers flags
68 $borrower->userid($nopermission->{ userid
}."z");
70 my $borrowernumber = $borrower->borrowernumber;
72 my $borrower2 = Koha
::Patron
->new;
73 $borrower2->categorycode( $categorycode );
74 $borrower2->branchcode( $branchcode );
75 $borrower2->surname("Test Surname 2");
76 $borrower2->userid($nopermission->{ userid
}."x");
77 $borrower2->flags(16); # borrowers flag
79 my $borrowernumber2 = $borrower2->borrowernumber;
81 my $borrower3 = Koha
::Patron
->new;
82 $borrower3->categorycode( $categorycode );
83 $borrower3->branchcode( $branchcode );
84 $borrower3->surname("Test Surname 2");
85 $borrower3->userid($nopermission->{ userid
}."y");
86 $borrower3->flags(64); # reserveforothers flag
88 my $borrowernumber3 = $borrower3->borrowernumber;
91 my $session = C4
::Auth
::get_session
('');
92 $session->param('number', $borrower->borrowernumber);
93 $session->param('id', $borrower->userid);
94 $session->param('ip', '127.0.0.1');
95 $session->param('lasttime', time());
97 my $session2 = C4
::Auth
::get_session
('');
98 $session2->param('number', $borrower2->borrowernumber);
99 $session2->param('id', $borrower2->userid);
100 $session2->param('ip', '127.0.0.1');
101 $session2->param('lasttime', time());
103 my $session3 = C4
::Auth
::get_session
('');
104 $session3->param('number', $borrower3->borrowernumber);
105 $session3->param('id', $borrower3->userid);
106 $session3->param('ip', '127.0.0.1');
107 $session3->param('lasttime', time());
110 my $biblionumber = create_biblio
('RESTful Web APIs');
111 my $itemnumber = create_item
($biblionumber, 'TEST000001');
113 my $biblionumber2 = create_biblio
('RESTful Web APIs');
114 my $itemnumber2 = create_item
($biblionumber2, 'TEST000002');
116 $dbh->do('DELETE FROM reserves');
117 $dbh->do('DELETE FROM issuingrules');
119 INSERT INTO issuingrules (categorycode, branchcode, itemtype, reservesallowed)
121 }, {}, '*', '*', '*', 1);
123 my $reserve_id = C4
::Reserves
::AddReserve
($branchcode, $borrowernumber,
124 $biblionumber, undef, 1, undef, undef, undef, '', $itemnumber);
126 # Add another reserve to be able to change first reserve's rank
127 my $reserve_id2 = C4
::Reserves
::AddReserve
($branchcode, $borrowernumber2,
128 $biblionumber, undef, 2, undef, undef, undef, '', $itemnumber);
130 my $suspend_until = DateTime
->now->add(days
=> 10)->ymd;
131 my $expirationdate = DateTime
->now->add(days
=> 10)->ymd;
134 borrowernumber
=> int($borrowernumber),
135 biblionumber
=> int($biblionumber),
136 itemnumber
=> int($itemnumber),
137 branchcode
=> $branchcode,
138 expirationdate
=> $expirationdate,
142 suspend_until
=> $suspend_until,
145 subtest
"Test endpoints without authentication" => sub {
147 $t->get_ok('/api/v1/holds')
149 $t->post_ok('/api/v1/holds')
151 $t->put_ok('/api/v1/holds/0')
153 $t->delete_ok('/api/v1/holds/0')
158 subtest
"Test endpoints without permission" => sub {
161 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=$borrowernumber");
162 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
163 $t->request_ok($tx) # no permission
165 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=$borrowernumber");
166 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
167 $t->request_ok($tx) # reserveforothers permission
169 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data );
170 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
171 $t->request_ok($tx) # no permission
173 $tx = $t->ua->build_tx(PUT
=> "/api/v1/holds/0" => json
=> $put_data );
174 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
175 $t->request_ok($tx) # no permission
177 $tx = $t->ua->build_tx(DELETE
=> "/api/v1/holds/0");
178 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
179 $t->request_ok($tx) # no permission
182 subtest
"Test endpoints without permission, but accessing own object" => sub {
185 my $borrno_tmp = $post_data->{'borrowernumber'};
186 $post_data->{'borrowernumber'} = int $nopermission->{'borrowernumber'};
187 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data);
188 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
189 $t->request_ok($tx) # create hold to myself
191 ->json_has('/reserve_id');
193 $post_data->{'borrowernumber'} = $borrno_tmp;
194 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=".$nopermission-> { borrowernumber
});
195 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
196 $t->request_ok($tx) # get my own holds
198 ->json_is('/0/borrowernumber', $nopermission->{ borrowernumber
})
199 ->json_is('/0/biblionumber', $biblionumber)
200 ->json_is('/0/itemnumber', $itemnumber)
201 ->json_is('/0/expirationdate', $expirationdate)
202 ->json_is('/0/branchcode', $branchcode);
204 my $reserve_id3 = Koha
::Holds
->find({ borrowernumber
=> $nopermission->{borrowernumber
} })->reserve_id;
205 $tx = $t->ua->build_tx(PUT
=> "/api/v1/holds/$reserve_id3" => json
=> $put_data);
206 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session_nopermission->id});
207 $t->request_ok($tx) # create hold to myself
209 ->json_is('/reserve_id', $reserve_id3)
210 ->json_is('/suspend_until', $suspend_until . ' 00:00:00')
211 ->json_is('/priority', 2);
214 subtest
"Test endpoints with permission" => sub {
217 $tx = $t->ua->build_tx(GET
=> '/api/v1/holds');
218 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session->id});
226 $tx = $t->ua->build_tx(GET
=> '/api/v1/holds?priority=2');
227 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session->id});
230 ->json_is('/0/borrowernumber', $nopermission->{borrowernumber
})
233 $tx = $t->ua->build_tx(PUT
=> "/api/v1/holds/$reserve_id" => json
=> $put_data);
234 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
237 ->json_is('/reserve_id', $reserve_id)
238 ->json_is('/suspend_until', $suspend_until . ' 00:00:00')
239 ->json_is('/priority', 2);
241 $tx = $t->ua->build_tx(DELETE
=> "/api/v1/holds/$reserve_id");
242 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
246 $tx = $t->ua->build_tx(PUT
=> "/api/v1/holds/$reserve_id" => json
=> $put_data);
247 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
250 ->json_has('/error');
252 $tx = $t->ua->build_tx(DELETE
=> "/api/v1/holds/$reserve_id");
253 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
256 ->json_has('/error');
258 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=".$borrower->borrowernumber);
259 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session2->id}); # get with borrowers flag
264 my $inexisting_borrowernumber = $borrowernumber2*2;
265 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=$inexisting_borrowernumber");
266 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session->id});
271 $tx = $t->ua->build_tx(DELETE
=> "/api/v1/holds/$reserve_id2");
272 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
276 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data);
277 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
280 ->json_has('/reserve_id');
281 $reserve_id = $t->tx->res->json->{reserve_id
};
283 $tx = $t->ua->build_tx(GET
=> "/api/v1/holds?borrowernumber=$borrowernumber");
284 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session->id});
287 ->json_is('/0/reserve_id', $reserve_id)
288 ->json_is('/0/expirationdate', $expirationdate)
289 ->json_is('/0/branchcode', $branchcode);
291 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data);
292 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
295 ->json_like('/error', qr
/itemAlreadyOnHold
/);
297 $post_data->{biblionumber
} = int($biblionumber2);
298 $post_data->{itemnumber
} = int($itemnumber2);
299 $tx = $t->ua->build_tx(POST
=> "/api/v1/holds" => json
=> $post_data);
300 $tx->req->cookies({name
=> 'CGISESSID', value
=> $session3->id});
303 ->json_like('/error', qr
/tooManyReserves
/);
312 my $biblio = Koha
::Biblio
->new( { title
=> $title } )->store;
314 return $biblio->biblionumber;
318 my ( $biblionumber, $barcode ) = @_;
320 Koha
::Items
->search( { barcode
=> $barcode } )->delete;
321 my $builder = t
::lib
::TestBuilder
->new;
322 my $item = $builder->build(
326 biblionumber
=> $biblionumber,
332 return $item->{itemnumber
};