
NAME

Koha::REST::V1::Auth

Operations

under

This subroutine is called before every request to the API.

authenticate_api_request

Validates authentication and allows access if authorization is not required, or if authorization is required and the user has the permissions needed for access.

validate_query_parameters

Validates the query parameters against the spec.

allow_owner

Allows access to object for its owner.

Some endpoints should allow access for the object's owner even if they do not have the required permission, e.g. accessing their own reserve. This can be achieved by defining the operation as follows:

    "/holds/{reserve_id}": {
        "get": {
            ...,
            "x-koha-authorization": {
                "allow-owner": true,
                "permissions": {
                    "borrowers": "1"
                }
            }
        }
    }

allow_guarantor

Same as "allow_owner", but checks if the object is owned by one of $user's guarantees.

check_object_ownership

Determines ownership of an object from request parameters.

When introducing an endpoint that allows access for the object's owner: if the parameter that will be used to determine ownership is not already inside $parameters, add a new subroutine that checks the ownership, and extend $parameters with a key of parameter_name whose value is a subref to the subroutine that you created.

_object_ownership_by_accountlines_id

Finds a Koha::Account::Line-object by $accountlines_id and checks if it belongs to $user.

_object_ownership_by_borrowernumber

Compares $borrowernumber to the currently logged-in $user.

_object_ownership_by_checkout_id

First, attempts to find a Koha::Checkout-object by $issue_id. If one is found, its borrowernumber is compared to the currently logged-in $user. If no issue is found, attempts to find a Koha::Old::Checkout-object instead and compares its borrowernumber to the currently logged-in $user.
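
The parameter_name => subref table described under check_object_ownership, combined with the current-then-old lookup of _object_ownership_by_checkout_id, as an added example that is not Koha's own code. The in-memory hashes, the sub names and the sample IDs are constructed assumptions; every path that cannot prove ownership returns 0, because allow-owner bypasses the permission check.

```perl
use strict;
use warnings;

# Constructed in-memory stand-ins for the checkout tables (not Koha's storage).
my %checkouts     = ( 101 => { borrowernumber => 7 } );
my %old_checkouts = ( 55  => { borrowernumber => 7 }, 56 => { borrowernumber => 9 } );

# Hypothetical checker: look in current checkouts first, then in old ones.
sub ownership_by_checkout_id {
    my ( $user, $checkout_id ) = @_;
    my $checkout = $checkouts{$checkout_id} // $old_checkouts{$checkout_id};
    return 0 unless $checkout;    # unknown object: never treated as owned
    return $checkout->{borrowernumber} == $user->{borrowernumber} ? 1 : 0;
}

# Hypothetical checker: the parameter itself names the owner.
sub ownership_by_borrowernumber {
    my ( $user, $borrowernumber ) = @_;
    return $borrowernumber == $user->{borrowernumber} ? 1 : 0;
}

# parameter_name => subref; a new owner-accessible endpoint adds one entry here.
my %parameters = (
    borrowernumber => \&ownership_by_borrowernumber,
    checkout_id    => \&ownership_by_checkout_id,
);

# Returns 1 only if a recognised, well-formed parameter proves ownership.
sub check_ownership {
    my ( $user, $request_params ) = @_;
    return 0 unless $user;        # unauthenticated: nothing to compare against
    for my $name ( sort keys %parameters ) {
        my $value = $request_params->{$name};
        next unless defined $value && $value =~ /\A\d+\z/;
        return 1 if $parameters{$name}->( $user, $value );
    }
    return 0;                     # no recognised parameter, or no match: deny
}

# Constructed requests made by the user with borrowernumber 7.
my $user = { borrowernumber => 7 };
for my $case ( { checkout_id => 101 }, { checkout_id => 55 }, { checkout_id => 56 },
               { checkout_id => 999 }, { unknown_id => 1 } ) {
    my ($name) = keys %$case;
    printf "%-12s %-4s => %s\n", $name, $case->{$name},
        check_ownership( $user, $case ) ? 'owner' : 'denied';
}
```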

_object_ownership_by_reserve_id

Finds a Koha::Hold-object by $reserve_id and checks if it belongs to $user.

TODO: Also compare against old_reserves

_basic_auth

Internal method that performs Basic authentication.
