https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41751
--- Comment #2 from Martin Renvoize (ashimema) <[email protected]> ---
Created attachment 193248
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=193248&action=edit
Bug 41751: Allow anonymous_refund permission to access cashups API

The cash register transaction history page (pos/register.pl) allows
access with either cashup OR anonymous_refund permission, but the API
endpoints for fetching cashups only checked for cashup permission.

This caused a 403 error when users with only anonymous_refund permission
tried to view the transaction history page, as the cashups table failed
to load.

This patch updates the API permissions for:
- GET /cash_registers/{id}/cashups
- GET /cashups/{id}

to accept either cashup or anonymous_refund permission, matching the
page access logic.

Test plan:
1. Create a staff user with only cash_management > anonymous_refund
   permission (not cashup)
2. Navigate to Point of Sale > Transaction history for any cash register
3. Verify the cashups table loads successfully (previously returned 403)
4. Run: prove t/db_dependent/api/v1/cashups.t

Signed-off-by: Jackie Usher <[email protected]>
