https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42845

            Bug ID: 42845
           Summary: Access to ILL requires parameters => 'manage_sysprefs'
   Initiative type: ---
Sponsorship status: ---
           Product: Koha
           Version: Main
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: ILL
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
                CC: [email protected],
                    [email protected], [email protected]
        Depends on: 37762
  Target Milestone: ---

The ILL Vue app reads `ILLModule` and `ILLPartnerCode` through the system
preferences service when it starts.

That service requires `parameters/manage_sysprefs`, so a staff user with ILL
permissions but without system preference administration permissions cannot
load the ILL module.

Steps to reproduce:

1. Enable `ILLModule`.
2. Set `ILLPartnerCode` to an existing patron category used for ILL partners.
3. Create a staff user with ILL permissions, but without
`parameters/manage_sysprefs`.
4. Log in with that staff user.
5. Go to the staff ILL module at `/cgi-bin/koha/ill/ill.pl`.

Expected result:

The ILL module loads for a staff user with ILL permissions.

Actual result:

The ILL module cannot load its runtime configuration because the system
preferences service returns an authorization failure.

Depending on the UI path, the user may see an error such as `Something went
wrong when loading the table. 401: Unauthorized`, followed by JavaScript errors
caused by missing configuration data.

Technical note:

This is the same class of issue as bug 33606 for ERM.

The proposed patch adds a module-specific `/ill/config` endpoint protected by
the `ill` permission. It returns only allow-listed, non-secret ILL
configuration values needed by the ILL Vue app. It does not expose the generic
system preferences API, and `/api/v1/sysprefs` remains restricted to
`parameters/manage_sysprefs`.


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37762
[Bug 37762] Expand ILL to allow for supplying agency/lending library workflows
-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
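
The endpoint split described in the technical note above, modelled as an added example; it is not part of the original report, the proposed patch, or Koha's code. The function names, the preference values, the `ExampleApiSecret` preference and the 401/403 status codes are assumptions made for the sketch.

```javascript
// Constructed model, not Koha code: preference values, the secret
// preference and the status codes are made up for illustration.
const SYSPREFS = {
  ILLModule: "1",
  ILLPartnerCode: "IL",
  ExampleApiSecret: "s3cr3t", // hypothetical secret preference
};

// Fixed server-side allow-list: the request never names a preference.
const ILL_CONFIG_ALLOWLIST = ["ILLModule", "ILLPartnerCode"];

// user.permissions maps a module to true (whole module) or to a list
// of sub-permissions, e.g. { parameters: ["manage_sysprefs"] }.
function hasPermission(user, module, sub) {
  const granted = user.permissions ? user.permissions[module] : undefined;
  if (granted === true) return true;
  if (!Array.isArray(granted)) return false;
  return sub === undefined ? granted.length > 0 : granted.includes(sub);
}

function authorize(user, module, sub) {
  if (!user) return 401; // no session
  return hasPermission(user, module, sub) ? 200 : 403;
}

// Generic service: any preference by name, administrators only.
function getSyspref(user, name) {
  const status = authorize(user, "parameters", "manage_sysprefs");
  if (status !== 200) return { status };
  if (!Object.prototype.hasOwnProperty.call(SYSPREFS, name)) return { status: 404 };
  return { status: 200, body: { variable: name, value: SYSPREFS[name] } };
}

// Module endpoint: needs only `ill` and returns only allow-listed values.
function getIllConfig(user) {
  const status = authorize(user, "ill");
  if (status !== 200) return { status };
  const body = {};
  for (const name of ILL_CONFIG_ALLOWLIST) body[name] = SYSPREFS[name];
  return { status: 200, body };
}

const illStaff = { permissions: { ill: true } };
const sysAdmin = { permissions: { parameters: ["manage_sysprefs"] } };
```

In this model the ILL-only user is refused by the generic lookup but gets the two values the app needs, and holding `parameters/manage_sysprefs` alone does not open the ILL endpoint.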
