[Koha-bugs] [Bug 30230] Search for patrons in checkout should not require edit_borrowers permission

bugzilla-daemon at bugs.koha-community.org
Thu Aug 31 02:29:02 CEST 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30230

--- Comment #11 from David Cook <dcook at prosentient.com.au> ---
(In reply to David Cook from comment #10)
> Note the autocomplete also gives a 403...

{"error":"Authorization failure. Missing required permission(s).","required_permissions":[{"borrowers":"edit_borrowers"},{"tools":"label_creator"},{"serials":"routing"},{"acquisition":"order_manage"}]}

--

The authorizations/permissions need a comprehensive review/restructure. I think
we've known that for a while.

For instance, the reason why I can't retrieve patrons from other branches for
checkout is because I don't have the sub permission
"view_borrower_infos_from_any_libraries". But because I don't have
"edit_borrower", I can't see borrower info from my current library either
anyways. The authorization here makes no sense. 

--

I don't think this issue is really fixable on its own. It would require
systemic changes to other functionality to really get it right. 

A short-term fix might be to create a new subpermission called "view_borrowers"
and require circ staff to have that but even that's not quite right. 

We've worked ourselves into a corner with the current permissions and the
functionality.

Maybe we do just let "circulate_remaining_permissions" view member.pl and have
that implicitly have the ability to "view patron information" despite it not
really adhering to the explicit goals of the permission system.

That's probably the unfortunate solution here...
