Bug 30780: Librarians with only "place_holds" permissions can not update holds data via REST API

This patch enables librarians with only "place_holds" permissions to cancel, suspend and resume holds via REST API. Test plan: 1) Try to cancel or suspend a hold with only "place_holds" permissions 2) See that it is forbidden. 3) Apply the patch 4) Cancel a hold again 5) The cancellation succeeds 6) prove t/db_dependent/api/v1/holds.t Sponsored-by: Koha-Suomi Oy Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> (cherry picked from commit 71a95d3557) Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
2022-05-17 08:58:15 +03:00 · 2022-05-17 08:58:15 +03:00 · c535da7219
commit c535da7219
parent 74318f7686
1 changed files with 3 additions and 3 deletions
--- a/api/v1/swagger/paths/holds.yaml
+++ b/api/v1/swagger/paths/holds.yaml
@ -401,7 +401,7 @@
          $ref: "../swagger.yaml#/definitions/error"
    x-koha-authorization:
      permissions:
-        reserveforothers: "1"
+        reserveforothers: place_holds
 "/holds/{hold_id}/priority":
  put:
    x-mojo-to: Holds#update_priority
@ -511,7 +511,7 @@
          $ref: "../swagger.yaml#/definitions/error"
    x-koha-authorization:
      permissions:
-        reserveforothers: "1"
+        reserveforothers: place_holds
  delete:
    x-mojo-to: Holds#resume
    operationId: resumeHold
@ -556,7 +556,7 @@
          $ref: "../swagger.yaml#/definitions/error"
    x-koha-authorization:
      permissions:
-        reserveforothers: "1"
+        reserveforothers: place_holds
 "/holds/{hold_id}/pickup_locations":
  get:
    x-mojo-to: Holds#pickup_locations