https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22522

--- Comment #7 from Magnus Enger <[email protected]> ---
Created attachment 93592 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=93592&action=edit
Bug 22522 - Update API specs' access in Auth.pm

With newer versions of Mojolicious and its plugins, endpoints' specs
could no longer be accessed, thus bypassing authorization checks
and failing to validate query parameters.

Test plan:
1. Without being logged in to Koha, access an endpoint directly
   (such as /api/v1/patrons/{patron_id})
2. Notice results are received (which is bad since we're not authenticated)
3. Try again with an endpoint that accepts query parameters
   (such as /api/v1/patrons?firstname=something)
4. Notice that the query is not accepted (even with correct parameters)

5. Apply the patch

6. Repeat step 1
7. Notice that the access is denied
8. Login as a user with proper access rights
9. Repeat step 1
10. Notice that you can now get results
11. Repeat step 3
12. Notice that the query is now accepted
13. Repeat step 3 but with an absurd parameter
14. Notice the query is correctly rejected

15. Ideally, check if other API calls were not broken

Signed-off-by: Magnus Enger <[email protected]>
Upgraded modules with:
$ sudo cpanm Mojolicious JSON::Validator Mojolicious::Plugin::[email protected]
Before the patch, data is returned without being logged in. Not good!
After the patch: {"error":"Authentication failure."}

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
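
The failure mode described in the commit message above (a spec lookup that stops returning anything after a dependency upgrade, so the authorization checks never run) as a simplified Python model, with a canary that lists routes answering anonymous callers. This is an added example, not Koha's Auth.pm or code from the patch, and it goes beyond the patch by also showing a fail-closed default; the route table, the `borrowers` permission name, the 403/500 bodies and all function names are assumptions.

```python
# Simplified model of a spec-driven authorization hook. Added illustration,
# not Koha's Auth.pm; routes, permission names and helpers are assumptions.

SPEC = {  # constructed sample: route -> permission the caller must hold
    "/api/v1/patrons": "borrowers",
    "/api/v1/patrons/{patron_id}": "borrowers",
}

def spec_stale(route):
    """Accessor written for the old plugin API: after the upgrade it finds nothing."""
    return None

def spec_current(route):
    """Accessor updated to where the spec can be read now."""
    return SPEC.get(route)

def authorize(route, user, get_spec, fail_closed=True):
    """Return (HTTP status, body) for a request by `user` (None = anonymous)."""
    required = get_spec(route)
    if required is None:
        if fail_closed:
            # No spec means no basis for a decision, so refuse the request.
            return 500, {"error": "Route has no API spec."}
        # Fail-open: the authentication and permission checks below never run.
        return 200, {"data": "patron records (placeholder)"}
    if user is None:
        return 401, {"error": "Authentication failure."}
    if required not in user["permissions"]:
        return 403, {"error": "Authorization failure."}
    return 200, {"data": "patron records (placeholder)"}

def anonymous_leaks(get_spec, fail_closed):
    """Post-upgrade canary: routes that answer 200 to an anonymous caller."""
    return [r for r in SPEC if authorize(r, None, get_spec, fail_closed)[0] == 200]

if __name__ == "__main__":
    print("stale accessor, fail-open:  ", anonymous_leaks(spec_stale, False))
    print("stale accessor, fail-closed:", anonymous_leaks(spec_stale, True))
    print("current accessor:           ", anonymous_leaks(spec_current, False))
```

Running a canary like `anonymous_leaks` against every route after upgrading framework modules catches this class of regression before the test plan's step 2 is observed in production.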
