Bug 26346: Add option to make public lists editable by all staff
If a staff member has access to the staff client (either because
'catalogue' permission is enabled or they're a superlibrarian),
then that user can add items (from OPAC or staff client) to a list
marked 'Staff only'.
Test plan:
1. In the staff client go to: Lists > 'New list'. Notice under 'Allow changes to contents
from' there are three options: Nobody, Owner only, Anyone seeing this
list
2. Apply first 3 patches and run updatedatabase.pl
cd installer/data/mysql
sudo koha-shell <instance>
./updatedatabase.pl
3. Restart memcached and plack
4. Create 4 patron accounts:
- User A : Superlibrarian permissions
- User B : 'Staff access, allows viewing of catalogue in staff interface
(catalogue)'
- User C : No permissions
- User D : 'Staff access, allows viewing of catalogue in staff
interface' and 'Lists' > Edit public lists (edit_public_lists)' sub-permission
5. Login to staff client as User A.
Create a public list and select the new 'Staff only' option under 'Allow changes to contents from'
6. Log into the staff client as User B.
Confirm you can add items to the list from the following staff client pages:
- Individual list page using the 'Add items' button
- Staff client search result page
- Staff client biblio detail page
7. Confirm you can remove items from the list
8. Confirm you can perform an OPAC search when not logged in
9. Log into the OPAC as User B. Confirm you can add items to the list
from the following OPAC pages:
- OPAC search result page
- OPAC biblio detail page
10. Log into the OPAC as User C. Do an OPAC search and confirm you
can view the list, but not add items to it
11. Login to the staff client as User B. Create a new list with the
following settings:
- 'Category'='Private',
- 'Allow changes to contents from'='Staff only'
Notice a red hint message is displayed.
Change 'Category'='Public' and notice the hint is removed
12. Log into the OPAC as User C. Notice the 'Staff only' option is not
available when creating a list
13. Log into the OPAC as User B. Repeat step 11. Confirm the same
outcome
14. Log into the staff client as User A. Create a list with the
following settings:
- Public = 'Public'
- Allow changes to contents from = 'owner only'
15. Log into the staff client as User D. Edit the list from step 14
confirm you can edit the list to have 'Allow changes to contents from' =
'Staff only'
16. Run Patron.t and Virtualshelves.t unit tests:
sudo koha-shell <instance>
prove t/db_dependent/Koha/Patron.t
prove t/db_dependent/Virtualshelves.t
Sponsored-by: Horowhenua District Council, New Zealand
Signed-off-by: Andrew Fuerste-Henry <andrew@bywatersolutions.com>
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
[% IF shelf.allow_change_from_others %]<option value="2" selected="selected">Anyone seeing this list</option>[% ELSE %]<option value="2">Anyone seeing this list</option>[% END %]
[% IF shelf.allow_change_from_staff %]<option value="3" selected="selected">Staff only</option>[% ELSE %]<option value="3">Staff only</option>[% END %]
</select>
  <span id="anyone_remark" style="display:none;color:red;">The Anyone permission has no actual effect while this list is strictly private.</span>
  <span id="staff_remark" style="display:none;color:red;">The Staff only permission has no actual effect while this list is strictly private.</span>
</li>
[% END %]
</head>
@ -801,16 +804,25 @@
if( perms < 2 ) {
$("#anyone_remark").hide();
$("#staff_remark").hide();
} else if( public==0 ) {
// If we move to Private (without shares), show Anyone remark
// Note: the number of shares is not tested real-time
[% IF shelf.allow_change_from_others %]<option value="2" selected="selected">Anyone seeing this list</option>[% ELSE %]<option value="2">Anyone seeing this list</option>[% END %]
[% IF staffuser == 1 %][% IF shelf.allow_change_from_staff %]<option value="3" selected="selected">Staff only</option>[% ELSE %]<option value="3">Staff only</option>[% END %][% END %]
</select>
  <span id="anyone_remark" style="display:none;color:red;">The "Anyone" permission has no actual effect while this list is strictly private.</span>
  <span id="staff_remark" style="display:none;color:red;">The "Staff only" permission has no actual effect while this list is strictly private.</span>
</li>
[% END %]
@ -1034,16 +1037,25 @@ function AdjustRemark() {
if( perms < 2 ) {
$("#anyone_remark").hide();
$("#staff_remark").hide();
} else if( public==0 ) {
// If we move to Private (without shares), show Anyone remark
// Note: the number of shares is not tested real-time
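Review bot: The `[% IF staffuser == 1 %]` wrapper around the "Staff only" option only keeps value `3` out of the rendered OPAC form; nothing visible in this section shows the receiving script refusing that value when a patron without staff access submits it directly. The code that stores the list should check the patron's staff status server-side before setting `allow_change_from_staff`, and ignore or reject `3` otherwise. A test asserting that a patron with no permissions cannot save a list with the staff flag set would pin this down. The AdjustRemark() body continues outside the visible lines, so the branch that shows `#staff_remark` could not be checked here.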
is($number_of_contents,3,'Back to three entries');
teardown();
};
subtest'Shelf permissions'=>sub{
plantests=>40;
plantests=>100;
my$patron1=$builder->build({source=>'Borrower',value=>{flags=>'2096766'}});# 2096766 is everything checked but not superlibrarian
my$patron2=$builder->build({source=>'Borrower',value=>{flags=>'1048190'}});# 1048190 is everything checked but not superlibrarian and delete_public_lists
my$patron3=$builder->build({source=>'Borrower',value=>{flags=>'0'}});# this is a patron with no special permissions
my$sth=$dbh->prepare("INSERT INTO user_permissions (borrowernumber, module_bit, code) VALUES (?,?,?)");
$sth->execute($patron4->{borrowernumber},20,'edit_public_lists');# $patron4 only has the edit_public_lists sub-permission checked
my$biblio1=$builder->build_sample_biblio;
my$biblio2=$builder->build_sample_biblio;
my$biblio3=$builder->build_sample_biblio;
my$biblio4=$builder->build_sample_biblio;
my$biblio5=$builder->build_sample_biblio;
my$public_shelf=Koha::Virtualshelf->new(
{shelfname=>"my first shelf",
@ -266,43 +285,62 @@ subtest 'Shelf permissions' => sub {
public=>1,
allow_change_from_owner=>0,
allow_change_from_others=>0,
allow_change_from_staff=>0,
}
)->store;
is($public_shelf->can_be_viewed($patron1->{borrowernumber}),1,'The owner should be able to view his public list');
is($public_shelf->can_be_viewed($patron2->{borrowernumber}),1,'Public list should be viewed by someone else');
is($public_shelf->can_be_viewed($patron1->{borrowernumber}),1,'The owner should be able to view their public list');
is($public_shelf->can_be_viewed($patron2->{borrowernumber}),1,'Public list should be viewed by another staff member');
is($public_shelf->can_be_viewed($patron3->{borrowernumber}),1,'Public list should be viewed by someone with no special permissions');
is($public_shelf->can_be_viewed($patron4->{borrowernumber}),1,'Public list should be viewed by someone with the edit_public_lists sub-permission checked');
is($public_shelf->can_be_deleted($patron1->{borrowernumber}),1,'The owner should be able to delete his list');
is($public_shelf->can_be_deleted($patron2->{borrowernumber}),0,'Public list should not be deleted by someone else');
is($public_shelf->can_be_deleted($patron1->{borrowernumber}),1,'The owner should be able to delete their list');
is($public_shelf->can_be_deleted($patron2->{borrowernumber}),0,'Public list should not be deleted by another staff member');
is($public_shelf->can_be_deleted($patron3->{borrowernumber}),0,'Public list should not be deleted by someone with no special permissions');
is($public_shelf->can_be_deleted($patron4->{borrowernumber}),0,'Public list should not be deleted by someone with the edit_public_lists sub-permission checked');
is($public_shelf->can_be_managed($patron1->{borrowernumber}),1,'The owner should be able to manage his list');
is($public_shelf->can_be_managed($patron2->{borrowernumber}),0,'Public list should not be managed by someone else');
is($public_shelf->can_be_managed($patron1->{borrowernumber}),1,'The owner should be able to manage their list');
is($public_shelf->can_be_managed($patron2->{borrowernumber}),0,'Public list should not be managed by another staff member');
is($public_shelf->can_be_managed($patron3->{borrowernumber}),0,'Public list should not be managed by someone with no special permissions');
is($public_shelf->can_be_managed($patron4->{borrowernumber}),1,'Public list should be managed by someone with the edit_public_lists sub-permission checked');
is($public_shelf->can_biblios_be_added($patron1->{borrowernumber}),0,'The owner should not be able to add biblios to their list');
is($public_shelf->can_biblios_be_added($patron2->{borrowernumber}),0,'Public list should not be modified (add) by someone else');
is($public_shelf->can_biblios_be_added($patron2->{borrowernumber}),0,'Public list should not be modified (add) by another staff member');
is($public_shelf->can_biblios_be_added($patron3->{borrowernumber}),0,'Public list should not be modified (add) by someone with no special permissions');
is($public_shelf->can_biblios_be_added($patron4->{borrowernumber}),0,'Public list should not be modified (add) by someone with the edit_public_lists sub-permission checked');
is($public_shelf->can_biblios_be_removed($patron1->{borrowernumber}),0,'The owner should not be able to remove biblios to their list');
is($public_shelf->can_biblios_be_removed($patron2->{borrowernumber}),0,'Public list should not be modified (remove) by someone else');
is($public_shelf->can_biblios_be_removed($patron2->{borrowernumber}),0,'Public list should not be modified (remove) by another staff member');
is($public_shelf->can_biblios_be_removed($patron3->{borrowernumber}),0,'Public list should not be modified (removed) by someone with no special permissions');
is($public_shelf->can_biblios_be_removed($patron4->{borrowernumber}),0,'Public list should not be modified (removed) by someone with the edit_public_lists sub-permission checked');
$public_shelf->allow_change_from_owner(1);
$public_shelf->store;
is($public_shelf->can_be_viewed($patron1->{borrowernumber}),1,'The owner should be able to view his public list');
is($public_shelf->can_be_viewed($patron2->{borrowernumber}),1,'Public list should be viewed by someone else');
is($public_shelf->can_be_viewed($patron1->{borrowernumber}),1,'The owner should be able to view their public list');
is($public_shelf->can_be_viewed($patron2->{borrowernumber}),1,'Public list should be viewed by staff member');
is($public_shelf->can_be_viewed($patron3->{borrowernumber}),1,'Public list should be viewed by someone with no special permissions');
is($public_shelf->can_be_viewed($patron4->{borrowernumber}),1,'Public list should be viewable by someone with the edit_public_lists sub-permission checked');
is($public_shelf->can_be_deleted($patron1->{borrowernumber}),1,'The owner should be able to delete his list');
is($public_shelf->can_be_deleted($patron2->{borrowernumber}),0,'Public list should not be deleted by someone else');
is($public_shelf->can_be_deleted($patron1->{borrowernumber}),1,'The owner should be able to delete their list');
is($public_shelf->can_be_deleted($patron2->{borrowernumber}),0,'Public list should not be deleted by another staff member');
is($public_shelf->can_be_deleted($patron3->{borrowernumber}),0,'Public list should not be deleted by someone with no special permissions');
is($public_shelf->can_be_deleted($patron4->{borrowernumber}),0,'Public list should not be deleted by someone with the edit_public_lists sub-permission checked');
is($public_shelf->can_be_managed($patron1->{borrowernumber}),1,'The owner should be able to manage his list');
is($public_shelf->can_be_managed($patron2->{borrowernumber}),0,'Public list should not be managed by someone else');
is($public_shelf->can_be_managed($patron1->{borrowernumber}),1,'The owner should be able to manage thier list');
is($public_shelf->can_be_managed($patron2->{borrowernumber}),0,'Public list should not be managed by another staff member');
is($public_shelf->can_be_managed($patron3->{borrowernumber}),0,'Public list should not be managed by someone with no special permissions');
is($public_shelf->can_be_managed($patron4->{borrowernumber}),1,'Public list should be managed by someone with the edit_public_lists sub-permission checked');
is($public_shelf->can_biblios_be_added($patron1->{borrowernumber}),1,'The owner should be able to add biblios to his list');
is($public_shelf->can_biblios_be_added($patron2->{borrowernumber}),0,'Public list should not be modified (add) by someone else');
is($public_shelf->can_biblios_be_removed($patron1->{borrowernumber}),1,'The owner should be able to remove biblios to his list');
is($public_shelf->can_biblios_be_removed($patron2->{borrowernumber}),0,'Public list should not be modified (remove) by someone else');
is($public_shelf->can_biblios_be_added($patron1->{borrowernumber}),1,'The owner should be able to add biblios to their list');
is($public_shelf->can_biblios_be_added($patron2->{borrowernumber}),0,'Public list should not be modified (add) by another staff member');
is($public_shelf->can_biblios_be_added($patron3->{borrowernumber}),0,'Public list should not be modified (add) by someone with no special permissions');
is($public_shelf->can_biblios_be_added($patron4->{borrowernumber}),0,'Public list should not be modified (add) by someone with the edit_public_lists sub-permission checked');
is($public_shelf->can_biblios_be_removed($patron1->{borrowernumber}),1,'The owner should be able to remove biblios to their list');
is($public_shelf->can_biblios_be_removed($patron2->{borrowernumber}),0,'Public list should not be modified (remove) by another staff member');
is($public_shelf->can_biblios_be_removed($patron3->{borrowernumber}),0,'Public list should not be modified (remove) by someone with no special permissions');
is($public_shelf->can_biblios_be_removed($patron4->{borrowernumber}),0,'Public list should not be modified (remove) by someone with the edit_public_list sub-permission checked');
my$private_shelf=Koha::Virtualshelf->new(
{shelfname=>"my first shelf",
@ -310,43 +348,92 @@ subtest 'Shelf permissions' => sub {
public=>0,
allow_change_from_owner=>0,
allow_change_from_others=>0,
allow_change_from_staff=>0,
}
)->store;
is($private_shelf->can_be_viewed($patron1->{borrowernumber}),1,'The owner should be able to view his list');
is($private_shelf->can_be_viewed($patron2->{borrowernumber}),0,'Private list should not be viewed by someone else');
is($private_shelf->can_be_viewed($patron1->{borrowernumber}),1,'The owner should be able to view their list');
is($private_shelf->can_be_viewed($patron2->{borrowernumber}),0,'Private list should not be viewed by another staff member');
is($private_shelf->can_be_viewed($patron3->{borrowernumber}),0,'Private list should not be viewed by someone with no special permissions');
is($private_shelf->can_be_viewed($patron4->{borrowernumber}),0,'Private list should not be viewed by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_be_deleted($patron1->{borrowernumber}),1,'The owner should be able to delete his list');
is($private_shelf->can_be_deleted($patron2->{borrowernumber}),0,'Private list should not be deleted by someone else');
is($private_shelf->can_be_deleted($patron1->{borrowernumber}),1,'The owner should be able to delete their list');
is($private_shelf->can_be_deleted($patron2->{borrowernumber}),0,'Private list should not be deleted by another staff member');
is($private_shelf->can_be_deleted($patron3->{borrowernumber}),0,'Private list should not be deleted by someone with no special permissions');
is($private_shelf->can_be_deleted($patron4->{borrowernumber}),0,'Private list should not be deleted by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_be_managed($patron1->{borrowernumber}),1,'The owner should be able to manage his list');
is($private_shelf->can_be_managed($patron2->{borrowernumber}),0,'Private list should not be managed by someone else');
is($private_shelf->can_be_managed($patron1->{borrowernumber}),1,'The owner should be able to manage their list');
is($private_shelf->can_be_managed($patron2->{borrowernumber}),0,'Private list should not be managed by another staff member');
is($private_shelf->can_be_managed($patron3->{borrowernumber}),0,'Private list should not be managed by someone with no special permissions');
is($private_shelf->can_be_managed($patron4->{borrowernumber}),0,'Private list should not be managed by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_biblios_be_added($patron1->{borrowernumber}),0,'The owner should not be able to add biblios to their list');
is($private_shelf->can_biblios_be_added($patron2->{borrowernumber}),0,'Private list should not be modified (add) by someone else');
is($private_shelf->can_biblios_be_added($patron2->{borrowernumber}),0,'Private list should not be modified (add) by another staff member');
is($private_shelf->can_biblios_be_added($patron3->{borrowernumber}),0,'Private list should not be modified (add) by someone with no special permissions');
is($private_shelf->can_biblios_be_added($patron4->{borrowernumber}),0,'Private list should not be modified (add) by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_biblios_be_removed($patron1->{borrowernumber}),0,'The owner should not be able to remove biblios to their list');
is($private_shelf->can_biblios_be_removed($patron2->{borrowernumber}),0,'Private list should not be modified (remove) by someone else');
is($private_shelf->can_biblios_be_removed($patron2->{borrowernumber}),0,'Private list should not be modified (remove) by another staff member');
is($private_shelf->can_biblios_be_removed($patron3->{borrowernumber}),0,'Private list should not be modified (remove) by someone with no special permissions');
is($private_shelf->can_biblios_be_removed($patron4->{borrowernumber}),0,'Private list should not be modified (remove) by someone with the edit_public_lists sub-permissions');
$private_shelf->allow_change_from_owner(1);
$private_shelf->allow_change_from_staff(1);
$private_shelf->allow_change_from_others(0);
$private_shelf->store;
is($private_shelf->can_be_viewed($patron1->{borrowernumber}),1,'The owner should be able to view their list');
is($private_shelf->can_be_viewed($patron2->{borrowernumber}),0,'Private list should not be viewed by another staff member');
is($private_shelf->can_be_viewed($patron3->{borrowernumber}),0,'Private list should not be viewed by someone with no special permissions');
is($private_shelf->can_be_viewed($patron4->{borrowernumber}),0,'Private list should not be viewed by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_be_deleted($patron1->{borrowernumber}),1,'The owner should be able to delete their list');
is($private_shelf->can_be_deleted($patron2->{borrowernumber}),0,'Private list should not be deleted by another staff member');
is($private_shelf->can_be_deleted($patron3->{borrowernumber}),0,'Private list should not be deleted by someone with no special permissions');
is($private_shelf->can_be_deleted($patron4->{borrowernumber}),0,'Private list should not be deleted by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_be_managed($patron1->{borrowernumber}),1,'The owner should be able to manage their list');
is($private_shelf->can_be_managed($patron2->{borrowernumber}),0,'Private list should not be managed by another staff member');
is($private_shelf->can_be_managed($patron3->{borrowernumber}),0,'Private list should not be managed by someone with no special permissions');
is($private_shelf->can_be_managed($patron4->{borrowernumber}),0,'Private list should not be managed by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_biblios_be_added($patron1->{borrowernumber}),1,'The owner should be able to add biblios to their list');
is($private_shelf->can_biblios_be_added($patron2->{borrowernumber}),1,'Private list should not modified (add) by another staff member # individual check done later');
is($private_shelf->can_biblios_be_added($patron3->{borrowernumber}),0,'Private list should not be modified (add) by someone with no special permissions');
is($private_shelf->can_biblios_be_added($patron4->{borrowernumber}),0,'Private list should not be modified (add) by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_biblios_be_removed($patron1->{borrowernumber}),1,'The owner should be able to remove biblios to their list');
is($private_shelf->can_biblios_be_removed($patron2->{borrowernumber}),1,'Private list should be modified (remove) by another staff member # individual check done later');
is($private_shelf->can_biblios_be_removed($patron3->{borrowernumber}),0,'Private list should not be modified (remove) by someone with no special permissions');
is($private_shelf->can_biblios_be_removed($patron4->{borrowernumber}),0,'Private list should not be modified (remove) by someone with the edit_public_lists sub-permission checked');
$private_shelf->allow_change_from_owner(1);
$private_shelf->allow_change_from_others(1);
$private_shelf->store;
is($private_shelf->can_be_viewed($patron1->{borrowernumber}),1,'The owner should be able to view his list');
is($private_shelf->can_be_viewed($patron2->{borrowernumber}),0,'Private list should not be viewed by someone else');
is($private_shelf->can_be_deleted($patron1->{borrowernumber}),1,'The owner should be able to delete his list');
is($private_shelf->can_be_deleted($patron2->{borrowernumber}),0,'Private list should not be deleted by someone else');
is($private_shelf->can_be_managed($patron1->{borrowernumber}),1,'The owner should be able to manage his list');
is($private_shelf->can_be_managed($patron2->{borrowernumber}),0,'Private list should not be managed by someone else');
is($private_shelf->can_biblios_be_added($patron1->{borrowernumber}),1,'The owner should be able to add biblios to his list');
is($private_shelf->can_biblios_be_added($patron2->{borrowernumber}),1,'Private list could be modified (add) by someone else # individual check done later');
is($private_shelf->can_biblios_be_removed($patron1->{borrowernumber}),1,'The owner should be able to remove biblios to his list');
is($private_shelf->can_biblios_be_removed($patron2->{borrowernumber}),1,'Private list could be modified (remove) by someone else # individual check done later');
is($private_shelf->can_be_viewed($patron1->{borrowernumber}),1,'The owner should be able to view their list');
is($private_shelf->can_be_viewed($patron2->{borrowernumber}),0,'Private list should not be viewed by another staff member');
is($private_shelf->can_be_viewed($patron3->{borrowernumber}),0,'Private list should not be viewed by someone with no special permissions');
is($private_shelf->can_be_viewed($patron4->{borrowernumber}),0,'Private list should not be viewed by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_be_deleted($patron1->{borrowernumber}),1,'The owner should be able to delete their list');
is($private_shelf->can_be_deleted($patron2->{borrowernumber}),0,'Private list should not be deleted by another staff member');
is($private_shelf->can_be_deleted($patron3->{borrowernumber}),0,'Private list should not be deleted by someone with no special permissions');
is($private_shelf->can_be_deleted($patron4->{borrowernumber}),0,'Private list should not be deleted by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_be_managed($patron1->{borrowernumber}),1,'The owner should be able to manage their list');
is($private_shelf->can_be_managed($patron2->{borrowernumber}),0,'Private list should not be managed by another staff member');
is($private_shelf->can_be_managed($patron3->{borrowernumber}),0,'Private list should not be managed by someone with no special permissions');
is($private_shelf->can_be_managed($patron4->{borrowernumber}),0,'Private list should not be managed by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_biblios_be_added($patron1->{borrowernumber}),1,'The owner should be able to add biblios to their list');
is($private_shelf->can_biblios_be_added($patron2->{borrowernumber}),1,'Private list could be modified (add) by another staff member # individual check done later');
is($private_shelf->can_biblios_be_added($patron3->{borrowernumber}),1,'Private list could be modified (add) by someone with no special permissions');
is($private_shelf->can_biblios_be_added($patron4->{borrowernumber}),1,'Private list could be modified (add) by someone with the edit_public_lists sub-permission checked');
is($private_shelf->can_biblios_be_removed($patron1->{borrowernumber}),1,'The owner should be able to remove biblios to their list');
is($private_shelf->can_biblios_be_removed($patron2->{borrowernumber}),1,'Private list could be modified (remove) by another staff member # individual check done later');
is($private_shelf->can_biblios_be_removed($patron3->{borrowernumber}),1,'Private list could be modified (remove) by someone with no special permissions');
is($private_shelf->can_biblios_be_removed($patron4->{borrowernumber}),1,'Private list could be modified (remove) by someone with the edit_public_lists sub-permission checked');
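Review bot: In the private-shelf block that follows `allow_change_from_staff(1)`, the `can_biblios_be_added($patron2…)` assertion expects `1` but is labelled 'Private list should not modified (add) by another staff member', so the label states the opposite of what is asserted. For an authorization test the label should match the expectation, e.g. `'Private list could be modified (add) by another staff member # individual check done later'`, as the remove assertion beside it does. A short comment there should also explain why a staff member who cannot view the private list still gets a true result, and where the view check is expected to happen, since the template hint says the permission has no effect on a strictly private list. Other label slips in this section are 'thier', `edit_public_list` and 'sub-permissions'. The subtest body continues outside the visible lines, and `$patron4` is used without a declaration in the lines shown.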