[Koha-bugs] [Bug 20707] Permissions for circ/ysearch.pl override specific page level permissions and delete sessions improperly
bugzilla-daemon at bugs.koha-community.org
Fri May 4 15:52:47 CEST 2018
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20707
Nick Clemens <nick at bywatersolutions.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Permissions issue in        |Permissions for
                   |placing holds - users are   |circ/ysearch.pl override
                   |logged out                  |specific page level
                   |                            |permissions and delete
                   |                            |sessions improperly
--- Comment #1 from Nick Clemens <nick at bywatersolutions.com> ---
With Kyle's help we tracked this down:

When placing a hold, if you trigger the autocomplete (i.e. ysearch.pl), you are
logged out as not having permissions.

circ/ysearch requires circulate => '*'
whereas
request.pl requires reserveforothers => 'place_holds'

This is also true for course reserves - searching for an instructor will log
the user out unless they have circulate permissions.

tags-review uses it as well.

I think the most straightforward route is to remove the circulate permission
check from ysearch and require simply catalogue.
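
A simplified model of the mismatch described in the comment above, added here as an illustration; it is not part of the original message and is not Koha code. The flag pairs for ysearch.pl and request.pl are taken from the comment; the meaning given to '*', the value used for catalogue, the session table and the sample user are assumptions.

```python
# Simplified model of the behaviour in this report; not Koha code.
# Flag pairs for ysearch.pl and request.pl are quoted from the comment;
# the '*' semantics, the catalogue value and the user are assumptions.

REQUIRED = {
    "request.pl": {"reserveforothers": "place_holds"},
    "circ/ysearch.pl": {"circulate": "*"},
}
# Route proposed in the comment: ysearch requires only catalogue.
PROPOSED = {**REQUIRED, "circ/ysearch.pl": {"catalogue": "*"}}

def has_flags(user_flags, required):
    """True if the user holds every required module/sub-permission pair."""
    for module, sub in required.items():
        held = user_flags.get(module, set())
        if not held:
            return False                # nothing held in this module
        if sub != "*" and sub not in held and "*" not in held:
            return False                # specific sub-permission missing
    return True

def handle(script, session_id, sessions, table, destroy_on_deny):
    """Return an HTTP-like status for one request against `script`."""
    user_flags = sessions.get(session_id)
    if user_flags is None:
        return 401                      # no session: user must log in again
    if has_flags(user_flags, table[script]):
        return 200
    if destroy_on_deny:
        del sessions[session_id]        # behaviour described in the report
    return 403

def place_hold_with_autocomplete(table, destroy_on_deny):
    """Open the holds page, trigger autocomplete, then submit the hold."""
    # Constructed staff user: may place holds, has no circulate permission.
    sessions = {"sid1": {"catalogue": {"*"},
                         "reserveforothers": {"place_holds"}}}
    return [handle(s, "sid1", sessions, table, destroy_on_deny)
            for s in ("request.pl", "circ/ysearch.pl", "request.pl")]
```

With the reported flags and session deletion on denial, the sequence returns [200, 403, 401]: the autocomplete call ends the session that the page itself was entitled to. With the proposed catalogue requirement the same sequence returns [200, 200, 200].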