Jonathan Druart
69c01ee0f2
The GET /pickup_locations route is requesting the whole reserveforothers permission whereas only the subpermission place_holds is needed. Test plan: 0. Don't apply this patch 1. Set the subpermission place_holds but modify_holds_priority 2. Edit a hold and click the pickup library dropdown list 3. You get a JS alert and log displays GET /api/v1/app.pl/api/v1/holds/5/pickup_locations 403 Forbidden 4. Apply this patch 5. Reload the page, click the dropdown list, modify the pickup location and save => Success! Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> |
||
|---|---|---|
| .. | ||
| acquisitions_funds.json | ||
| acquisitions_orders.json | ||
| acquisitions_vendors.json | ||
| advancededitormacros.json | ||
| biblios.json | ||
| checkouts.json | ||
| circulation-rules.json | ||
| cities.json | ||
| clubs.json | ||
| config_smtp_servers.json | ||
| holds.json | ||
| ill_backends.json | ||
| illrequests.json | ||
| import_batch_profiles.json | ||
| items.json | ||
| libraries.json | ||
| oauth.json | ||
| patrons.json | ||
| patrons_account.json | ||
| patrons_password.json | ||
| public_patrons.json | ||
| return_claims.json | ||
| rotas.json | ||