Bug 30708: Do not allow non-authorised users to edit the settings

In case the logged in user does not have manage_sysprefs we should no
display the form in the settings.

Signed-off-by: Laurence Rault <laurence.rault@biblibre.com>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Koha/REST/V1/Preservation.pm

@@ -39,6 +39,7 @@ Return the configuration options needed for the Preservation Vue app
 
 sub config {
     my $c = shift->openapi->valid_input or return;
+    my $patron = $c->stash('koha.user');
     return $c->render(
         status  => 200,
         openapi => {
@@ -47,6 +48,9 @@ sub config {
                 not_for_loan_waiting_list_in  => C4::Context->preference('PreservationNotForLoanWaitingListIn'),
                 not_for_loan_default_train_in => C4::Context->preference('PreservationNotForLoanDefaultTrainIn'),
             },
+            permissions => {
+                'manage_sysprefs' => $patron->has_permission( { parameters => 'manage_sysprefs' } ) ? 1 : 0,
+            },
         },
     );
 }

api/v1/swagger/definitions/preservation_config.yaml

@@ -4,4 +4,7 @@ properties:
   settings:
     type: object
     description: List of sysprefs used for the Preservation module
+  permissions:
+    type: object
+    description: List of permissions of the logged in user used for the Preservation module
 additionalProperties: false

koha-tmpl/intranet-tmpl/prog/js/vue/components/Preservation/Settings.vue

@@ -5,7 +5,10 @@
             {{ $__("Edit preservation settings") }}
         </h2>
         <div>
-            <form @submit="onSubmit($event)">
+            <form
+                v-if="config.permissions.manage_sysprefs"
+                @submit="onSubmit($event)"
+            >
                 <fieldset class="rows">
                     <legend>{{ $__("General settings") }}</legend>
                     <ol>
@@ -72,6 +75,38 @@
                     >
                 </fieldset>
             </form>
+            <fieldset v-else class="rows">
+                <legend>{{ $__("General settings") }}</legend>
+                <ol>
+                    <li>
+                        <label for="not_for_loan_waiting_list_in"
+                            >{{
+                                $__("Status for item added to waiting list")
+                            }}:</label
+                        >
+                        <span>{{
+                            get_lib_from_av(
+                                "av_notforloan",
+                                config.settings.not_for_loan_waiting_list_in
+                            )
+                        }}</span>
+                    </li>
+                    <li>
+                        <label for="not_for_loan_default_train_in"
+                            >{{
+                                $__("Default status for item added to train")
+                            }}:</label
+                        >
+                        <span>{{
+                            get_lib_from_av(
+                                "av_notforloan",
+                                config.settings.not_for_loan_default_train_in
+                            )
+                        }}</span>
+                    </li>
+                </ol>
+            </fieldset>
+
             <SettingsProcessings />
         </div>
     </div>
@@ -87,12 +122,19 @@ export default {
     setup() {
         const AVStore = inject("AVStore")
         const { av_notforloan } = storeToRefs(AVStore)
+        const { get_lib_from_av } = AVStore
 
         const { setMessage, setWarning } = inject("mainStore")
         const PreservationStore = inject("PreservationStore")
         const { config } = PreservationStore
 
-        return { av_notforloan, setMessage, setWarning, config }
+        return {
+            av_notforloan,
+            get_lib_from_av,
+            setMessage,
+            setWarning,
+            config,
+        }
     },
     data() {
         return {