Jonathan Druart
69c01ee0f2
The GET /pickup_locations route is requesting the whole reserveforothers permission whereas only the subpermission place_holds is needed.

Test plan:
0. Don't apply this patch
1. Set the subpermission place_holds but modify_holds_priority
2. Edit a hold and click the pickup library dropdown list
3. You get a JS alert and log displays GET /api/v1/app.pl/api/v1/holds/5/pickup_locations 403 Forbidden
4. Apply this patch
5. Reload the page, click the dropdown list, modify the pickup location and save
=> Success!

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

- acquisitions_funds.json
- acquisitions_orders.json
- acquisitions_vendors.json
- advancededitormacros.json
- biblios.json
- checkouts.json
- circulation-rules.json
- cities.json
- clubs.json
- config_smtp_servers.json
- holds.json
- ill_backends.json
- illrequests.json
- import_batch_profiles.json
- items.json
- libraries.json
- oauth.json
- patrons.json
- patrons_account.json
- patrons_password.json
- public_patrons.json
- return_claims.json
- rotas.json