[Koha-bugs] [Bug 35747] New: Some PUT endpoints wipe data if embeds are missing from the payload

Tue, 09 Jan 2024 09:13:51 -0800 

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35747

            Bug ID: 35747
           Summary: Some PUT endpoints wipe data if embeds are missing
                    from the payload
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: REST API
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected],
                    [email protected], [email protected]

To reproduce:
0) Enable RESTBasicAuth syspref
1) Add a new license, visit:
    /cgi-bin/koha/erm/licenses/add
2) Fill in mandatory fields, click "Add document" and upload a file. 
3) Click 'Submit'
4) Edit the license, visit:
    /cgi-bin/koha/erm/licenses/edit/1
5) Pretend you're a third-party app wanting to update name and description of
the license. Run the following curl:
curl -u "koha:koha" -X PUT \
  'http://localhost:8081/api/v1/erm/licenses/1' \
  --header 'Accept: */*' \
  --header 'User-Agent: Thunder Client (https://www.thunderclient.com)' \
  --header 'Content-Type: application/json' \
  --data-raw
'{"description":"testing","name":"testing","status":"not_yet_active","type":"consortial"}'
6) Check the license again, visit:
    /cgi-bin/koha/erm/licenses/edit/1
7) Notice the file you uploaded in 2) has been wiped.

This PUT request is missing the documents property, so Koha will wipe all
documents related to that license. Same happens for users (property
'user_roles').
Same happens if the property is sent empty.
I believe this is by design, as the Koha form will always be pre-populated with
any existing data thus not wiping anything unintendedly.
I understand this is how PUT is supposed to work, and that this should be a
PATCH instead, but we're currently not supporting PATCH endpoints (?).
What is the best approach here, support PATCH or change the logic behind the
PUT endpoint? Other?

-- 
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Reply via email to