Jonathan Druart
69c01ee0f2
The GET /pickup_locations route is requesting the whole reserveforothers permission whereas only the subpermission place_holds is needed. Test plan: 0. Don't apply this patch 1. Set the subpermission place_holds but modify_holds_priority 2. Edit a hold and click the pickup library dropdown list 3. You get a JS alert and log displays GET /api/v1/app.pl/api/v1/holds/5/pickup_locations 403 Forbidden 4. Apply this patch 5. Reload the page, click the dropdown list, modify the pickup location and save => Success! Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org> |
||
|---|---|---|
| .. | ||
| acquisitions_funds.t | ||
| acquisitions_orders.t | ||
| acquisitions_vendors.t | ||
| advanced_editor_macros.t | ||
| auth.t | ||
| auth_authenticate_api_request.t | ||
| auth_basic.t | ||
| biblios.t | ||
| checkouts.t | ||
| cities.t | ||
| clubs_holds.t | ||
| holds.t | ||
| illrequests.t | ||
| import_batch_profiles.t | ||
| items.t | ||
| libraries.t | ||
| oauth.t | ||
| patrons.t | ||
| patrons_accounts.t | ||
| patrons_password.t | ||
| return_claims.t | ||
| smtp_servers.t | ||
| stockrotationstage.t | ||