Wrong behavior of Locations API (version 0.8.21)

Version 0.8.21

In the API
GET /openboxes/api/locations/:id/productSummary
it seems it doesn’t matter what location ID I pass; the response always returns the data about the location I was authenticated with.

For example, I was authenticated with the default location 1, which is empty. Then I try to GET /openboxes/api/locations/2c96808386c648e70186c876cc60002e/productSummary, and although location 2c96808386c648e70186c876cc60002e has inventory items, I always get { data: [] } in response until I authenticate again with location 2c96808386c648e70186c876cc60002e. And vice versa.

Yeah good catch.

For most of our APIs we do something like this

Location location = 
    Location.get(params?.location?.id ?: session?.location?.id)

This basically says, look up the location by a request parameter passed by the user or by the currently logged in location.

For this particular API we just use the currently logged in location instead of checking the request parameter.

As I started thinking about it, it’s definitely a bug but it also has some benefit as it prevents unauthorized users from accessing this information. In any case it’s not intuitive and needs to be fixed, but I need to do some thinking about how to solve it without giving unauthorized users access to this data.

So for now, whenever you need to access stock for a different location use the API to change your current location first.
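
The trade-off raised in the reply above, as an added example that is not part of the thread and is not OpenBoxes code: resolve the location from the request and authorize against that resolved location. The classes, the `permittedLocationIds` permission model, the closures and the sample data are all hypothetical and constructed for illustration.

```groovy
// Hypothetical stand-ins; none of these are OpenBoxes classes.
class Location { String id }
class User { String username; Set<String> permittedLocationIds = [] }
class NotFoundException extends RuntimeException { NotFoundException(String m) { super(m) } }
class ForbiddenException extends RuntimeException { ForbiddenException(String m) { super(m) } }

// Constructed sample data: location '1' is empty, location '2' holds stock.
def locations = ['1': new Location(id: '1'), '2': new Location(id: '2')]
def stock = ['1': [], '2': [[productCode: 'SAMPLE-001', quantityOnHand: 12]]]

// Use the id from the URL when present, otherwise the session location,
// then check permission on the location that was actually resolved.
def resolveLocation = { Map params, Map session, User user ->
    String requestedId = params?.id ?: session?.location?.id
    Location location = locations[requestedId]
    if (!location) {
        throw new NotFoundException('Unknown location ' + requestedId)
    }
    if (!(location.id in user.permittedLocationIds)) {
        // Deny instead of silently answering for the session location, so the
        // caller never mistakes one location's data for another's.
        throw new ForbiddenException(user.username + ' may not read location ' + location.id)
    }
    location
}

def productSummary = { Map params, Map session, User user ->
    [data: stock[resolveLocation(params, session, user).id]]
}

def session = [location: locations['1']]   // both users are logged in to location '1'
def alice = new User(username: 'alice', permittedLocationIds: ['1', '2'] as Set)
def bob = new User(username: 'bob', permittedLocationIds: ['1'] as Set)

// Permitted user gets the requested location's stock without switching session.
assert productSummary([id: '2'], session, alice).data.size() == 1
// No id in the request: fall back to the session location, which is empty.
assert productSummary([:], session, alice).data.isEmpty()
// User without permission on location '2' is refused, not served other data.
try {
    productSummary([id: '2'], session, bob)
    assert false : 'expected ForbiddenException'
} catch (ForbiddenException e) {
    println 'denied: ' + e.message
}
```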