https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27947
Martin Renvoize <martin.renvo...@ptfs-europe.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin.renvoize@ptfs-europe.com
             Status|Signed Off                  |Failed QA

--- Comment #39 from Martin Renvoize <martin.renvo...@ptfs-europe.com> ---
Sorry guys.. little more needed here.

My first followup drops the 'reserveforothers' permission requirement as I don't think that relates to this functionality.. but it makes the API tests fail.. and I can't see why.. code blind on a Friday.

My second followup highlights an issue with the public route. Although moving the route under /public/patrons/{patron_id} ensures we do a patron identity check.. there isn't actually a later check anywhere that the article you're trying to delete actually belongs to the patron ;)

This final one is actually why I preferred the original /article_requests/{request_id} approach.. though of course that would require the addition of a routine to handle checking borrowernumber in the article request against the user as per the other routines for checking allow-owner.
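The object-level ownership check that comment #39 reports as missing, as an added stand-alone Perl example that is not part of the original message and is not Koha's code. The handler name `delete_public_article_request`, the in-memory `%article_requests` store, the sample ids and the choice of status codes are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: article request id => owning borrowernumber.
my %article_requests = (
    101 => { borrowernumber => 7 },
    102 => { borrowernumber => 9 },
);

# Hypothetical handler for
#   DELETE /public/patrons/{patron_id}/article_requests/{request_id}
# $user_id is the authenticated patron. Returns an HTTP status code.
sub delete_public_article_request {
    my ( $user_id, $patron_id, $request_id ) = @_;

    # Check 1: patron identity. The caller may only act under their own
    # /public/patrons/{patron_id} path. This is the check the route
    # placement already provides.
    return 403 unless $user_id == $patron_id;

    my $request = $article_requests{$request_id};
    return 404 unless $request;

    # Check 2: object ownership. The request's borrowernumber must match
    # the patron in the path. Without it, any logged-in patron passes
    # check 1 with their own id and can delete someone else's request.
    # 404 (an assumption) gives the same answer as a nonexistent id.
    return 404 unless $request->{borrowernumber} == $patron_id;

    delete $article_requests{$request_id};
    return 204;
}

# Constructed cases: [ authenticated user, patron_id in path, request_id ].
my @cases = (
    [ 7, 7, 102 ],    # own path, another patron's request
    [ 7, 9, 102 ],    # another patron's path
    [ 7, 7, 101 ],    # own path, own request
    [ 7, 7, 101 ],    # same request again, already deleted
);

for my $case (@cases) {
    my ( $user, $patron, $req ) = @$case;
    printf "user=%d DELETE /public/patrons/%d/article_requests/%d -> %d\n",
        $user, $patron, $req,
        delete_public_article_request( $user, $patron, $req );
}
```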