Bug 36085: Only superlibrarians can protect patrons

A drive-by patch which hopes to resolve bug 36085 by only allowing superlibrarians
to protect or unprotect patrons.

Test plan:
a)  prepare two Koha staff users:
        1)  a superlibrarian
        2)  a user that only has permission to edit patrons
b)  when logged in as the user prepared in step a2 (non-superlibrarian),
    then go to edit any patron
        *)  note how you can set the protected yes/no radios
c)  apply the patch
d)  repeat steps a-b as this same user
        *)  note how you can now no longer see the protected yes/no radios
e)  log in as the user prepared in step a1 (superlibrarian), then repeat
    steps a-b
f)  note how the protected yes/no radios are back

Signed-off-by: Jan Kissig <jkissig@th-wildau.de>
Signed-off-by: Paul Derscheid <paul.derscheid@lmscloud.de>
Signed-off-by: Katrin Fischer <katrin.fischer@bsz-bw.de>
PerplexedTheta 2024-07-18 12:01:44 +01:00 committed by Katrin Fischer
parent be6e795b43
commit 9d48763c77
Signed by: kfischer
GPG key ID: 0EF6E2C03357A834
2 changed files with 5 additions and 1 deletions


@ -1085,7 +1085,7 @@ legend.collapsed i.fa.fa-caret-down::before {
</li>
[% END %]
[% UNLESS noprotected %]
[% UNLESS noprotected || !CanUpdateProtectPatron %]
<li class="radio">
<label for="protected">Protected:</label>
[% IF ( patron.protected == 1 ) %]
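Review bot: In the new condition `[% UNLESS noprotected || !CanUpdateProtectPatron %]`, the whole `<li class="radio">` block is suppressed for non-superlibrarians, so those staff can no longer see on the edit form whether a patron is protected at all. Consider rendering the current value read-only when `CanUpdateProtectPatron` is false, and rewriting the double negative as `[% IF CanUpdateProtectPatron && !noprotected %]` for readability. Hiding the radios is presentation only; the enforcement is the removal of the `protected` key in the script.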


@ -95,6 +95,7 @@ my $borrower_data;
my $NoUpdateLogin;
my $NoUpdateEmail;
my $CanUpdatePasswordExpiration;
my $CanUpdateProtectPatron;
my $userenv = C4::Context->userenv;
my @messages;
@ -172,6 +173,7 @@ if ( $op eq 'edit_form' or $op eq 'cud-save' or $op eq 'duplicate' ) {
}
if ($logged_in_user->is_superlibrarian) {
$CanUpdatePasswordExpiration = 1;
$CanUpdateProtectPatron = 1;
}
$borrower_data = $patron->unblessed;
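Review bot: `$CanUpdateProtectPatron = 1;` is assigned under the condition shown in this hunk's header, which lists `edit_form`, `cud-save` and `duplicate`, while the key stripping in the next hunk also runs for `cud-insert`. If the assignment does sit inside that block, a superlibrarian creating a new patron would have `protected` dropped from `%newdata` too. Please confirm, and if so compute the flag before the op-specific block so it is set for every op that reaches the stripping code. The same question applies to `$CanUpdatePasswordExpiration`, which this line mirrors.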
@ -233,6 +235,7 @@ if ( $op eq 'cud-insert' || $op eq 'edit_form' || $op eq 'cud-save' || $op eq 'd
map { qr/^$_$/ }
grep { $_ ne 'dateexpiry' } split( /\s*\|\s*/, C4::Context->preference('BorrowerUnwantedField') || q{} );
push @keys_to_delete, qr/^password_expiration_date$/ unless $CanUpdatePasswordExpiration;
push @keys_to_delete, qr/^protected$/ unless $CanUpdateProtectPatron;
for my $regexp (@keys_to_delete) {
for (keys %newdata) {
delete($newdata{$_}) if /$regexp/;
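Review bot: `push @keys_to_delete, qr/^protected$/ unless $CanUpdateProtectPatron;` is the actual access control in this patch, yet the test plan only checks that the radios disappear, and both changed files are the template and this script, so no automated test is included. Please add a regression test, or at least a test-plan step, that submits a `protected` value as the non-superlibrarian user and verifies the stored value is unchanged. The key is also discarded silently, so consider surfacing a message or a log entry when a submitted `protected` value is dropped.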
@ -805,6 +808,7 @@ $template->param(
NoUpdateLogin => $NoUpdateLogin,
NoUpdateEmail => $NoUpdateEmail,
CanUpdatePasswordExpiration => $CanUpdatePasswordExpiration,
CanUpdateProtectPatron => $CanUpdateProtectPatron,
);
# HouseboundModule data