https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23517
Bug ID: 23517
Summary: Incorrect permission requirements for holds operations
via the API
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: REST api
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
When using the staff client, the holds modification page requires
"reserveforothers => 'place_holds'" permission. This is the minimum required
permission to modify a hold's pickup location, suspended status, or to delete
it.
The API requires "reserveforothers" permission (both "place_holds" AND
"modify_holds_priority") to delete a hold. This means that operations which a
user could perform in the staff client are forbidden by the API.
Add and update operations are also problematic because of the granularity of
the sub-permissions:
- Someone with only "place_holds" permission should be able to add holds and
modify every aspect of the hold EXCEPT priority.
- Someone with only "modify_holds_priority" permission should be able to
modify only the priority of a hold (I guess??).
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
