Evergreen

Duplicate Metarecord holds can sometimes be successfully placed by users without CREATE_DUPLICATE_HOLDS permission

Bug #1821369 reported by Michele Morgan on 2019-03-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Evergreen	New	Undecided	Unassigned

Bug Description

A user without the CREATE_DUPLICATE_HOLDS permission can sometimes successfully place a duplicate metarecord hold even if the choices of language and format are the same. As an example, Two metarecord holds were successfully placed for the same user, the only difference between the two holds in action.hold_request is the holdable_formats field:

{"1":[{"_attr":"item_lang","_val":"eng"}],"0":[{"_val":"book","_attr":"mr_hold_format"}]}
{"1":[{"_val":"eng","_attr":"item_lang"}],"0":[{"_attr":"mr_hold_format","_val":"book"}]}

Holds.pm does the following comparison:

$sargs->{holdable_formats} = $hold->holdable_formats if $t eq 'M';

which does not see the above holdable_formats as a match.

Tags:

Dan Briem (dbriem) on 2021-10-15

tags:

added: circ-holds permissions
removed: holds

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.