[Koha-bugs] [Bug 23517] New: Incorrect permission requirements for holds operations via the API
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Wed Aug 28 20:40:07 CEST 2019
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23517
Bug ID: 23517
Summary: Incorrect permission requirements for holds operations
via the API
Change sponsored?: ---
Product: Koha
Version: master
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5 - low
Component: REST api
Assignee: koha-bugs at lists.koha-community.org
Reporter: oleonard at myacpl.org
CC: tomascohen at gmail.com
When using the staff client, the holds modification page requires
"reserveforothers => 'place_holds'" permission. This is the minimum required
permission to modify a hold's pickup location, suspended status, or to delete
it.
The API requires "reserveforothers" permission (both "place_holds" AND
"modify_holds_priority") to delete a hold. This means that operations which a
user could perform in the staff client are forbidden by the API.
Add and update operations are also problematic because of the granularity of
the sub-permissions:
- Someone with only "place_holds" permission should be able to add holds and
modify every aspect of the hold EXCEPT priority.
- Someone with only "modify_holds_priority" permission should be able to
modify only the priority of a hold (I guess??).
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
More information about the Koha-bugs
mailing list