https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41751 --- Comment #4 from Andrew Fuerste-Henry <andrew@bywatersolutions.com> --- Created attachment 198029 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=198029&action=edit Bug 41751: Allow anonymous_refund permission to access cashups API The cash register transaction history page (pos/register.pl) allows access with either cashup OR anonymous_refund permission, but the API endpoints for fetching cashups only checked for cashup permission. This caused a 403 error when users with only anonymous_refund permission tried to view the transaction history page, as the cashups table failed to load. This patch updates the API permissions for: - GET /cash_registers/{id}/cashups - GET /cashups/{id} to accept either cashup or anonymous_refund permission, matching the page access logic. Test plan: 1. Create a staff user with only cash_management > anonymous_refund permission (not cashup) 2. Navigate to Point of Sale > Transaction history for any cash register 3. Verify the cashups table loads successfully (previously returned 403) 4. Run: prove t/db_dependent/api/v1/cashups.t Signed-off-by: Jackie Usher <jackie.usher@westsussex.gov.uk> Sponsored-by: OpenFifth <https://openfifth.co.uk/> Signed-off-by: Andrew Fuerste Henry <andrew@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.