[Bug 32971] New: Access to ERM module requires 'erm' permission and 'vendors_manage' acquisition sub-permission
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32971 Bug ID: 32971 Summary: Access to ERM module requires 'erm' permission and 'vendors_manage' acquisition sub-permission Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: In Discussion Severity: enhancement Priority: P5 - low Component: ERM Assignee: jonathan.druart+koha@gmail.com Reporter: pedro.amorim@ptfs-europe.com CC: jonathan.druart+koha@gmail.com, jonathan.field@ptfs-europe.com, martin.renvoize@ptfs-europe.com, pedro.amorim@ptfs-europe.com, tomascohen@gmail.com Depends on: 32968 To reproduce: - Enable ERMModule - Login as a staff member that only has 2 permissions: -- catalogue (required for staff login) -- erm - Access erm page, check the 403 forbidden error This happens because ERM module is requesting the /api/v1/acquisitions/vendors api endpoint which in turn requires the vendors_manage sub-permission (see acquisitions_vendors.yaml). If you enable the acquisition vendors_manage sub-permission for that user, you're able to confirm that you can now access the ERM module as expected. Ideally, having just the 'erm' permission should be enough to be granted access to ERM. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32968 [Bug 32968] Create granular permissions for ERM -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32971 Pedro Amorim <pedro.amorim@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|32968 | Blocks| |32968 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32968 [Bug 32968] Create granular permissions for ERM -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32971 --- Comment #1 from Pedro Amorim <pedro.amorim@ptfs-europe.com> --- To add to this list, and likely to update the title of this bug sometime in the future: In order to add a user to an agreement (and license), the permission edit_borrowers is required, or a 403 is returned. Ideally, having just the 'erm' permission should be enough to be granted correct access to all of ERM. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32971 --- Comment #2 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- (In reply to Pedro Amorim from comment #1)
In order to add a user to an agreement (and license), the permission edit_borrowers is required, or a 403 is returned.
Confirmed "GET /api/v1/app.pl/api/v1/patrons/5 HTTP/1.1" 403 - "http://kohadev-intra.mydnsname.org:8081/cgi-bin/koha/erm/licenses/add" "Mozilla/5.0 (X11; Linux x86_64) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32971 --- Comment #3 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- (In reply to Jonathan Druart from comment #2)
(In reply to Pedro Amorim from comment #1)
In order to add a user to an agreement (and license), the permission edit_borrowers is required, or a 403 is returned.
Confirmed
"GET /api/v1/app.pl/api/v1/patrons/5 HTTP/1.1" 403 - "http://kohadev-intra.mydnsname.org:8081/cgi-bin/koha/erm/licenses/add" "Mozilla/5.0 (X11; Linux x86_64)
So basically we need a new endpoint /erm/users/:patron_id, or tweak includes/patron-search.inc to inject all patron's info on the opener's DOM instead of just the id (search for "selected_patron_id"). -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32971 Pedro Amorim <pedro.amorim@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=33606 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32971 Catrina Berka <catrina@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |catrina@bywatersolutions.co | |m --- Comment #4 from Catrina Berka <catrina@bywatersolutions.com> --- Is this resolved with 33606? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32971 --- Comment #5 from Pedro Amorim <pedro.amorim@ptfs-europe.com> --- (In reply to Catrina Berka from comment #4)
Is this resolved with 33606?
It's not. These are different issues. Bug 33606 updated the way we fetch the system preferences related to ERM. The reproduce instructions in this current bug 32971 still apply, i.e. the issue is still there. The issue is caused by the ERM module fetching vendors through the /api/v1/acquisitions/vendors endpoint. But that endpoint requires the acquisitions permission, specifically the vendors_manage sub-permission. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32971 --- Comment #6 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Just ran into this testing 33606. In the serials module you can still use existing vendors and link them to subscriptions without having vendor_manage. I think the same behaviour would make sense for the ERM module as well. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32971 Maude Boudreau <maude.boudreau@collecto.ca> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |maude.boudreau@collecto.ca -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org