https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41751
Bug ID: 41751
Summary: Cash register transaction history returns 403 for
users with only anonymous_refund permission
Initiative type: ---
Sponsorship ---
status:
Product: Koha
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Point of Sale
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected]
When a user has the cash_management > anonymous_refund permission but NOT the
cashup permission, they can access the cash register transaction history page
(/cgi-bin/koha/pos/register.pl), but the cashups table fails to load with a 403
error.
Steps to Reproduce:
1. Create a staff user with only cash_management > anonymous_refund permission
(not cashup)
2. Navigate to Point of Sale > Transaction history for any cash register
3. Observe that the page loads but the cashups table shows a 403 error
Expected Behavior:
The cashups table should load successfully since the user has permission to
view the page.
Actual Behavior:
The API endpoint /api/v1/cash_registers/{id}/cashups returns 403 Forbidden
because it only checks for cashup permission.
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
