https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=43030

--- Comment #10 from Martin Renvoize (ashimema) 
<[email protected]> ---
Created attachment 201755
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201755&action=edit
Bug 43030: Allow self-access to /jobs and /jobs/{job_id}

Replaces the catalogue:1 baseline permission with
parameters:manage_background_jobs plus allow-owner, so a caller who
lacks that permission can still see jobs they personally triggered.
This also retires the last manual ownership check in
Koha::REST::V1::BackgroundJobs::get in favour of the shared
objects.find_rs enforcement from Task 7.

Behavior change: a patron with zero permissions can now see their own
background jobs (by id or in the collection) where they previously got
403 outright. They could already do so if they held the unrelated
catalogue permission, so this narrows what permission is required
without broadening what any non-privileged caller can ultimately see.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

Reply via email to