This subroutine is called before every request to the API.


Validates authentication and allows access if authorization is not required, or if authorization is required and the user has the required permissions.


Validates the query parameters against the spec.


Allows access to object for its owner.

Some endpoints should allow access for the object's owner even if they do not have the required permission, e.g. accessing their own reserve. This can be achieved by defining the operation as follows:

    "/holds/{reserve_id}": {
        "get": {
            ...,
            "x-koha-authorization": {
                "allow-owner": true,
                "permissions": {
                    "borrowers": "1"
                }
            }
        }
    }


Same as "allow_owner", but checks if the object is owned by one of $user's guarantees.


Determines ownership of an object from request parameters.

When introducing an endpoint that allows access for the object's owner: if the parameter that will be used to determine ownership is not already inside $parameters, add a new subroutine that checks the ownership, and extend $parameters with a key of parameter_name whose value is a subref to the subroutine that you created.


Finds a Koha::Account::Line-object by $accountlines_id and checks if it belongs to $user.


Compares $borrowernumber to the currently logged in $user.


First, attempts to find a Koha::Checkout-object by $issue_id. If one is found, compares its borrowernumber to the currently logged in $user. If no issue is found, attempts to find a Koha::Old::Checkout-object instead and compares its borrowernumber to the currently logged in $user.


Finds a Koha::Hold-object by $reserve_id and checks if it belongs to $user.

TODO: Also compare against old_reserves
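The parameter-to-subref dispatch and the per-parameter ownership checks described above, as a self-contained sketch added here (not Koha's own code). The in-memory hashes, the sub names `by_reserve_id` and `by_issue_id`, and the plain-hash `$user` and `$request` are assumptions standing in for Koha objects and the request. As a choice made for this sketch, it denies when an object is missing or an id is malformed, and requires every ownership parameter present in the request to match.

```perl
use strict;
use warnings;

# Constructed rows standing in for Koha::Holds, Koha::Checkouts and
# Koha::Old::Checkouts; every id and borrowernumber here is made up.
my %holds         = ( 11 => { borrowernumber => 51 } );
my %checkouts     = ( 21 => { borrowernumber => 51 } );
my %old_checkouts = ( 22 => { borrowernumber => 52 } );

sub by_reserve_id {
    my ( $user, $reserve_id ) = @_;
    my $hold = $holds{$reserve_id} or return 0;    # unknown object: deny
    return $hold->{borrowernumber} == $user->{borrowernumber};
}

sub by_issue_id {
    my ( $user, $issue_id ) = @_;
    # Current checkouts first, then fall back to old checkouts.
    my $issue = $checkouts{$issue_id} // $old_checkouts{$issue_id} or return 0;
    return $issue->{borrowernumber} == $user->{borrowernumber};
}

# parameter_name => subref, the shape the text describes for $parameters.
my %parameters = (
    borrowernumber => sub { $_[0]{borrowernumber} == $_[1] },
    reserve_id     => \&by_reserve_id,
    issue_id       => \&by_issue_id,
);

sub check_object_ownership {
    my ( $user, $request ) = @_;
    return 0 unless $user && $request;
    my $checked = 0;
    for my $name ( sort keys %parameters ) {
        my $value = $request->{$name};
        next unless defined $value;
        return 0 unless $value =~ /\A[0-9]+\z/;    # malformed id: deny
        return 0 unless $parameters{$name}->( $user, $value );
        $checked++;
    }
    return $checked ? 1 : 0;    # no ownership parameter present: deny
}

my $user = { borrowernumber => 51 };
for my $req ( { reserve_id => 11 }, { issue_id => 22 }, { issue_id => 99 },
    { reserve_id => 11, borrowernumber => 52 }, {} ) {
    my $desc = join( ', ', map { "$_=$req->{$_}" } sort keys %$req ) || '(none)';
    printf "%-32s %s\n", $desc, check_object_ownership( $user, $req ) ? 'owner' : 'denied';
}
```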


Internal method that performs Basic authentication.


    $c->_set_userenv( $patron );

Internal method that sets C4::Context->userenv.