[Koha-bugs] [Bug 17314] REST API: Add API route to create, list and delete a purchase suggestion

bugzilla-daemon at bugs.koha-community.org
Sun Sep 18 17:49:28 CEST 2016


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=17314

--- Comment #3 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
> > - collectiontitle: I think it's not clear in the interface what this is to
> > be used for, maybe a question we should talk about first and then maybe
> > choose a better name?
> 
> I don't actually know exactly what it is supposed to mean, but you can see it
> as "Collection title" on the OPAC site for creating a suggestion:
> http://koha-opac/cgi-bin/koha/opac-suggestions.pl?op=add

Yes, I know - it just seems to cause some confusion. I was wondering if it
should be better named 'series' or similar. As we are trying to use good
terminology in the API from the beginning it would be nice to take a look if
that would make more sense.

> > - copyrightdate: MARC21 uses copyrightdate in the database, UNIMARC
> > publicationyear. Both fields appear in biblioitems/biblio and in
> > suggestions. Something to tidy up/take into account here?
> 
> In OPAC the copyrightdate has maximum 4 characters, so it is the MARC21. The
> question is, whether we should allow specifying also the publicationyear?

What I tried to explain (badly) is that there is something a little odd in
Koha. The same information goes into different fields depending on MARC flavour
- so it would be good to take a look at the code to verify if both
suggestions.copyrightdate and suggestions.publicationyear are used maybe. Also
kind of a terminology question - but it might not play a big role here.

> > It's possible to make anonymous suggestions - will this be taken into
> > account?
> 
> Oh, that's the first time I hear about this functionality. Could you provide
> me with an example how to submit an anonymous suggestion?

Take a look at the system preferences related to suggestions:
- suggestion - on/off switch for suggestions in the OPAC
- AllowPurchaseSuggestionBranchChoice - on/off for ability to select the branch
- OPACViewOthersSuggestions - on/off for seeing ALL suggestions in the system
  (without creator's name)
- AnonSuggestions - ability to make suggestions without logging in

> 
> > For DELETE:
> > DELETE /suggestions/{borrowernumber}/{suggestion_id}
> > Why include the borrowernumber? Would the suggestion_id not be sufficient?
> 
> It's because of the privileges check. Imagine some curious user in VuFind,
> who changes his suggestion_id in the form and tries to delete the suggestion of
> someone else - this should prevent it and return 403 Forbidden.

I think if changing the URL is enough - we are doing something wrong :) Will
the permission check be so that guessing a borrowernumber will also not allow
deleting another user's suggestions?

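The permission question raised in the DELETE discussion above, as an added example that is not part of the original comment and not Koha's code: a Python model contrasting a check that only compares the two values from the URL with one that compares the suggestion's owner to the authenticated session. The `Session` class, the `can_manage_suggestions` flag, the status codes and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: suggestion_id -> borrowernumber of its creator.
SUGGESTIONS: Dict[int, int] = {101: 5, 102: 7}


@dataclass(frozen=True)
class Session:
    """Identity established by authentication (hypothetical model)."""
    borrowernumber: int
    can_manage_suggestions: bool = False  # hypothetical staff permission


def delete_trusting_path(store, session, path_borrowernumber, suggestion_id):
    """Weak: both compared values come from the URL; session is ignored."""
    owner = store.get(suggestion_id)
    if owner is None:
        return 404
    if owner != path_borrowernumber:
        return 403
    del store[suggestion_id]
    return 204


def delete_checking_session(store, session: Optional[Session],
                            path_borrowernumber, suggestion_id):
    """Hardened: the owner is compared with the authenticated identity."""
    if session is None:
        return 401  # no identity, nothing to authorize
    owner = store.get(suggestion_id)
    if owner is None or owner != path_borrowernumber:
        return 404  # the URL does not name an existing suggestion
    if owner != session.borrowernumber and not session.can_manage_suggestions:
        return 403  # logged in, but neither the owner nor permitted staff
    del store[suggestion_id]
    return 204


if __name__ == "__main__":
    other_patron = Session(borrowernumber=7)
    # Patron 7 asks to delete suggestion 101, which belongs to patron 5.
    print(delete_trusting_path(dict(SUGGESTIONS), other_patron, 5, 101))     # 204
    print(delete_checking_session(dict(SUGGESTIONS), other_patron, 5, 101))  # 403
```

With the second check the borrowernumber in the path only helps identify the resource; the decision rests on the session, so a guessed borrowernumber changes nothing.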