Browse Source

Bug 27117: Only place_holds permission is needed to adjust pickup locations

The GET /pickup_locations route is requesting the whole reserveforothers
permission whereas only the subpermission place_holds is needed.

Test plan:
0. Don't apply this patch
1. Set the subpermission place_holds but modify_holds_priority
2. Edit a hold and click the pickup library dropdown list
3. You get a JS alert and log displays
  GET /api/v1/app.pl/api/v1/holds/5/pickup_locations
  403 Forbidden
4. Apply this patch
5. Reload the page, click the dropdown list, modify the pickup location
and save
=> Success!

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
21.05.x
Jonathan Druart 1 year ago
parent
commit
69c01ee0f2
  1. 2
      api/v1/swagger/paths/holds.json
  2. 12
      t/db_dependent/api/v1/holds.t

2
api/v1/swagger/paths/holds.json

@ -672,7 +672,7 @@
},
"x-koha-authorization": {
"permissions": {
"reserveforothers": "1"
"reserveforothers": "place_holds"
}
}
}

12
t/db_dependent/api/v1/holds.t

@ -690,11 +690,21 @@ subtest 'pickup_locations() tests' => sub {
my $patron = $builder->build_object(
{
class => 'Koha::Patrons',
value => { userid => 'tomasito', flags => 1 }
value => { userid => 'tomasito', flags => 0 }
}
);
$patron->set_password( { password => $password, skip_validation => 1 } );
my $userid = $patron->userid;
$builder->build(
{
source => 'UserPermission',
value => {
borrowernumber => $patron->borrowernumber,
module_bit => 6,
code => 'place_holds',
},
}
);
my $item_class = Test::MockModule->new('Koha::Item');
$item_class->mock(

Loading…
Cancel
Save