https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23517 Bug ID: 23517 Summary: Incorrect permission requirements for holds operations via the API Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: REST api Assignee: koha-bugs@lists.koha-community.org Reporter: oleonard@myacpl.org CC: tomascohen@gmail.com When using the staff client, the holds modification page requires "reserveforothers => 'place_holds'" permission. This is the minimum required permission to modify a hold's pickup location, suspended status, or to delete it. The API requires "reserveforothers" permission (both "place_holds" AND "modify_holds_priority") to delete a hold. This means that operations which a user could perform in the staff client are forbidden by the API. Add and update operations are also problematic because of the granularity of the sub-permissions: - Someone with only "place_holds" permission should be able to add holds and modify every aspect of the hold EXCEPT priority. - Someone with only "modify_holds_priority" permission should be able to modify only the priority of a hold (I guess??). -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.