From 0df90fcc5a4f56bb5e880cf3f85cc0e7a35ab598 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Tue, 1 Dec 2020 11:44:04 +0100 Subject: [PATCH] Bug 27117: Only place_holds permission is needed to adjust pickup locations The GET /pickup_locations route is requesting the whole reserveforothers permission whereas only the subpermission place_holds is needed. Test plan: 0. Don't apply this patch 1. Set the subpermission place_holds but modify_holds_priority 2. Edit a hold and click the pickup library dropdown list 3. You get a JS alert and log displays GET /api/v1/app.pl/api/v1/holds/5/pickup_locations 403 Forbidden 4. Apply this patch 5. Reload the page, click the dropdown list, modify the pickup location and save => Success! Signed-off-by: Tomas Cohen Arazi Signed-off-by: Kyle M Hall Signed-off-by: Jonathan Druart (cherry picked from commit 69c01ee0f2dccd04cfbe8201ba580a15727f5280) Signed-off-by: Fridolin Somers (cherry picked from commit 05ba6b702e1e267ec110c83f0b3e133a023d7948) Signed-off-by: Andrew Fuerste-Henry --- api/v1/swagger/paths/holds.json | 2 +- t/db_dependent/api/v1/holds.t | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/api/v1/swagger/paths/holds.json b/api/v1/swagger/paths/holds.json index 7982be3e60..76d6e1ab9d 100644 --- a/api/v1/swagger/paths/holds.json +++ b/api/v1/swagger/paths/holds.json @@ -662,7 +662,7 @@ }, "x-koha-authorization": { "permissions": { - "reserveforothers": "1" + "reserveforothers": "place_holds" } } } diff --git a/t/db_dependent/api/v1/holds.t b/t/db_dependent/api/v1/holds.t index 156dc2fd40..4e7e2cfd29 100644 --- a/t/db_dependent/api/v1/holds.t +++ b/t/db_dependent/api/v1/holds.t @@ -690,11 +690,21 @@ subtest 'pickup_locations() tests' => sub { my $patron = $builder->build_object( { class => 'Koha::Patrons', - value => { userid => 'tomasito', flags => 1 } + value => { userid => 'tomasito', flags => 0 } } ); $patron->set_password( { password => $password, skip_validation => 1 } ); my $userid = $patron->userid; + $builder->build( + { + source => 'UserPermission', + value => { + borrowernumber => $patron->borrowernumber, + module_bit => 6, + code => 'place_holds', + }, + } + ); my $item_class = Test::MockModule->new('Koha::Item'); $item_class->mock( -- 2.39.5