[Koha-bugs] [Bug 26023] Incorrect permissions handling for cashup actions on the library level registers summary page
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Fri Aug 14 13:33:05 CEST 2020
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26023
--- Comment #8 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
(In reply to Martin Renvoize from comment #2)
> Test Plan
> 1/ Setup some cash registers
> 2/ Login as a user with just the 'refund' permission
> 3/ Note that you can still access the 'Cashup registers' page from either
> 'Tools' or the left menu that appears on Point of Sale pages.
> 4/ Note that you do not see the 'Cashup' actions available
> 5/ Login as a user with the 'cashup' permission
> 6/ You should still be able to access the above page
> 7/ You should not see the cashup actions
> Bonus points
> 8/ Without the 'cashup' permission attempt to 'POST' a cashup action (copy a
> the URL for a cashup action that appears when you were logged in as a user
> with correction permissions, and paste it into the address bar once you are
> logged in as a user without the permission
> 9/ You should be displayed with the registers page with an error message
> appearing to state that the cashup action was not allowed to take place due
> to permissions deficiencies.
I have a bit of trouble following the test plan here:
1-4)
My user has catalog and refund permissions.
With the patch applied, this prevents me from accessing:
http://localhost:8081/cgi-bin/koha/pos/registers.pl
5-7)
If the user has cashup permission, should they not be able to see the cashup
actions? (typo)
So I cannot check for the actions not showing.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list