Commit graph

20 commits

Author SHA1 Message Date
Katrin Fischer
b8a2365a34 Bug 11911: Add a separate permission for managing suggestions
Without this patch only catalogue permission was required
for managing suggestions. This patch adds a new permission
in the acquisition module do manage suggestions and updates
staff user permissions accordingly.

To test:
- Make sure there is a pending suggestion
- Create a few users with different permission sets:
  - User 1: only catalogue
  - User 2: any acquisition permission
  - User 3: cataloguing permission
- Check all of them can access: /cgi-bin/koha/suggestion/suggestion.pl
- Apply the patch
- Verify all of them now have the suggestions_manage permission
- Verify everything displays correctly on:
  - intranet start page
  - patron account in staff
  - acquisition start page
  - suggestion page (try to access by URL too)
- Remove suggestions_manage for a staff user
- Repeat tests above, access should be denied/links not visible

Bonus:
- Fixes the link on the acquisition start page for late orders
  to mage the permissions of the page itself: order_receive

Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-23 15:34:20 +00:00
Aleisha Amohia
4a3eaf02e2 Bug 17698: Make patron notes show up on staff dashboard
This patch adds a user permission for managing issue notes, and a 'noteseen'
column to the issues table.

To test:
1) Apply Bug 14224 first
2) Apply this patch, update database, rebuild schema.
3) Restart koha-common and memcached
4) Turn on AllowCheckoutNotes syspref if haven't already
5) Issue two items to two different users (one item each)
6) Log into the OPAC as one of the users and add an issue note to their
issue
7) Log out and log back into the OPAC as the other user
8) Disable Javascript
9) Refresh opac-user.pl
10) Leave a checkout note on their issue
11) Enable javascript and log into the Staff Client as a superlibrarian
user
12) Go to your user's account and edit their permissions to have
everything ticked EXCEPT circulate->manage checkout notes.
13) Go to main intranet page. There should be no message saying
'checkout notes pending'.
14) Go to circulation home page. There should be no link to Checkout notes.
15) Go back to user's permissions and tick circulate->manage checkout notes.
16) Go back to main intranet page. There should now be a message at the
bottom saying 'Checkout notes pending: 2'
17) Go to circulation home page. There should be a link to Checkout notes
with a 2 next to it. Click this link
18) Attempt to mark an checkout note as seen. This should update the status
of the checkout note to 'seen' and disable to 'mark as seen' button while
enabling the 'mark as not seen' button.
19) Test both buttons with both issues.
20) Test select all and clear all buttons
21) Confirm that buttons at the bottom are only enabled if a checkbox is
checked
22) Try selecting both issues and using the buttons at the bottom to
mark multiple issue notes at once.
23) Confirm the barcode link to the item works as expected.
24) Confirm the cardnumber link to the user works as expected.
25) Confirm all table details show correctly.

Sponsored-by: Catalyst IT

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Followed test plan, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amended patch: Remove self-checkout permissions

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-23 15:23:40 +00:00
Katrin Fischer
ff83c7acdc Bug 7651: Add a new permission for managing currencies and exchange rates
At the moment staff users need parameters or parameters_remaining_permissions
in order to be able to change exchange rates for acquisition orders.

This patch adds a new separate permission currencies_manage and
updates staff users currently having those permissions to get the
new permission as well.

To test:
- Create some staff users with different permission sets
  1) superlibrarian
  2) parameters
  3) parameters_remaining_permissions
  4) manage_circ_rules, but not parmeters_remaining_permissions
  5) all acquisition permissions
- Apply patch and run database update
- Verify new permission has been added and staff users updated
  1) remains the same
  2) + 3) will have currencies_manage
  4) remains unchanged, doesn't have new permission
  5) remains the same, will have access now because of having
     the top level acquisition permission
- Verify the changed pages work correctly:
  - navigation on admin home page
    NOTE: the acquisition parameters section will now honor all
    different related permissions (edi_manage, budget_manage,...)
  - navigation on acquisition home page
  - try to access currencies page directly

Signed-off-by: Charles Farmer <charles.farmer@inLibro.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-07-18 17:45:21 +00:00
Katrin Fischer
870913b3c3 Bug 2426: Remove deprecated management permission
After review of the code it turns out that the management permission
that has been marked as deprecated a long time ago, does not have
any function.

The patch removes all remaining code related to it.

To test:
- Make sure you have a patron with the management permission
- Apply patch
- Run database update
- Check everything still works as expected

Bonus:
borrowers.flags is recalculated for patrons with management
permission.

To check:
- Create some 'permission twins' with and without management
  permission
- Note the value in borrowers.flags
- Apply patch, don't run database update
- Save permissions from GUI for one of the twins
- Note the newly calculated value
- Run database update
- Now both twins should have the same borrowers.flags value

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-08 12:17:25 +00:00
Katrin Fischer
819e6216e6 Bug 3849: Improve descriptions of granular acquisition permissions
The permissions for acquisitions were not very clearly described.
This patch changes the descriptions in the include file (GUI) and
in the default SQL.

To test:
- Go to any patron account in staff
- Go to more > permissions
- Verify that the meaning of each acquisition permission is clear
  from the description

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
2018-06-04 13:59:44 +00:00
Roch D'Amour
0f9ec12875 Bug 11317: Add a way to access files from the intranet
This squash contains all of these commits:
- Adds a page to access log files on the server from the intranet
- Update ID to allow for permalinking
- Rename config to "'accessdir' and fix qa
- Allows for multiple directories to be accessible
- Update the link under reports
- (Follow-up) Fixing merge error and cosmetic changes
- (Follow-up) Fix tab chars and move javascript to the footer
- (QA Follow-up) Fix datatable
- Make filename unicode-proof, renamed accessdir to access_dir and fix update

Test plans:
- Apply patch, update database
- Add to koha-conf:
<access_dir>/tmp/koha-public/one</access_dir>
<access_dir>/tmp/koha-public/two</access_dir>
<access_dir>/tmp/koha-public</access_dir>
- Create these directories ( mkdir /tmp/koha-public , etc...)
- Create these files:
echo "hello world!" > /tmp/koha-public/❤
echo "test" > /tmp/koha-public/one/samename.txt
echo "this is not the same" > /tmp/koha-public/two/samename.txt
- Login as Superadmin, go to tools > reports files
    - Click on ❤, make sure it's downloadable and readable
    - Click on both samename.txt, look inside and make sure the file is different
- Login as NON-superadmin. Go under tools, see no Report/Log under the third column
    - Go to add tools/access_file permission to user
    - See new entry under tools third column.
    - validate link is ok.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-05-03 13:26:49 -03:00
92b29b88c2 Bug 15492: New sysprefs and permissions
In order to make this module unrelated to the SCO module, this
patch introduces the following sysprefs:

- SelfCheckInMainUserBlock
- SelfCheckInModuleUserID
- SelfCheckInTimeout
- SelfCheckInUserCSS
- SelfCheckInUserJS

It also adds a new user flag and sub-permission:

- self_check => self_checkin_module

and moves the circulate => self_checkout permission into

- self_check => self_checkout_module

Descriptions are adjusted accordingly.

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-03-26 17:31:18 -03:00
95d0a17e8b Bug 18403: Hide patron information if not part of the logged in user library group
This patchset adds a new feature that will allow libraries inside a
single Koha installation to restrict access to information of patrons
that

The group of libraries feature is introduced by bug 15707, see this bug for more
information.

Let's imagine that 2 groups G1 and G2 are defined and that they include 2 libraries
each G1a, G1b and G2c, G2d: logged in users attached to G1a will only see patron's
information from G1a and G1b.
To add more flexibility, a new user permission named 'view_borrower_infos_from_any_libraries'
will drive this behavior. If set, the patron will be able to see patron's information
of any libraries.

If the restriction is set, the logged in user will not be able to search, show, edit,
delete patron's information of patrons attached to groups of libraries outside his
own group.
In situations we need to refer to a patron, for holds and checkouts for instance,
and his information cannot be viewed, a text "A patron from library G1A" will be
displayed.

Considered unecessary or outside the scope of this bug report:
* The report module is not affected by this feature for obvious reasons
* The firstname and surname of guarantors, basket (acq) managers, patrons linked
to orders are still displayed.
* Log viewer: Can only be staff
* patron list: you cannot add patrons from another group of librairies, but can
see/delete from list (too much rewrite, or we can test for patron one by one?).
* "Patron card creator" tool is not impacted by this feature.
* Upload patron images is not impacted by this patch, should it be?
* Tools:
  - Upload patrons
  - Clean borrowers tool (This can can done easily updating Koha::Patrons->search
with Koha::Patrons->search_limited in search_upcoming_membership_expires and
search_patrons_to_anonymise but we will need to move GetBorrowersToExpunge to
Koha::Patrons first)
We can discuss these different points but will be other bug reports not to add
more complexity to this first patchset.

Test plan:
You will find a test plan in the following commit messages.
Start by creating different group of libraries and patrons with and without the
new permission. Open different browser sessions to ease the tests.
Note that all patches have to be applied to test the different test plans.

Technical notes:
For QAers (and others) a techical note will be added to the commit messages of this
patchset. I would recommend you to read them one by one to understand the different
steps of this development.

+ Special attention should be payed to the REST api changes
+ Should we restrict the logged in user to libraries from his group when
he wants to set his library (Home › Circulation › Set library)?

Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2018-02-12 15:41:36 -03:00
Chris Weeks
e243c36db6 Bug 19510: Add description for edi_manage in acquistion permissions
Test Plan:
1/ Login
2/ Select patrons
3/ Search for a patron by name or card number that exists in the system
4/ Click More -> Set permissions
5/ Expand 'acquistions' and notice that 'edi_manage' has no description
6/ Apply patch
7/ Refresh the permissions page or repeat steps 2 to 5.
8/ Notice that 'edi_manage' now has a description of 'Manage EDIFACT transmissions'

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-12-19 11:13:12 -03:00
Alex Sassmannshausen
8e86b5e093 Bug 7317: Interlibrary loans framework for Koha.
This Commit is at the heart of adding an interlibrary loans framework
for Koha.  The framework does not prescribe a particular workflow.
Instead it provides a general framework that can be extended &
implemented by individual backends whose responsibility it is to
implement a specific workflow.

The module is largely self-sufficient: it adds new tables to the Koha
database and touches only a few files in the Koha source tree.

Primarily, we add our files to the Makefile and the koha-conf.xml,
define ill paths for the REST API, and introduce links from the main
intranet, opac pages & user permissions.

Outside of this we simply add new files & functionality.

Signed-off-by: Magnus Enger <magnus@libriotech.no>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Benjamin Rokseth <benjamin.rokseth@kul.oslo.kommune.no>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
2017-11-09 11:42:12 -03:00
95429af685 Bug 12461 - Add patron clubs feature
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.

Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
   * Here you can add fields that can be filled out at the time
     a new club is created based on the template, or a new enrollment
     is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-04-28 08:37:44 -04:00
Kyle M Hall
8255344215 Revert "Bug 12461 - Add patron clubs feature"
This reverts commit 4f1eefdbb8.

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2017-02-26 20:41:27 -05:00
4f1eefdbb8 Bug 12461 - Add patron clubs feature
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.

Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
   * Here you can add fields that can be filled out at the time
     a new club is created based on the template, or a new enrollment
     is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface

Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
2017-02-23 19:42:36 +00:00
Mark Tompsett
f56d6530bc Bug 16978: Add delete reports user permission
This splits off the delete capability from the create reports permission.
From a UI perspective there were CSS issues, that this patch set hackily
bypasses. Perhaps someone else can amend this enhancement with the required
changes so that the extra column at the beginning of the table can be
removed when the user does not have delete capability.

TEST PLAN
---------
1) back up db
2) apply patch
3) ./installer/data/mysql/updatedatabase.pl
   -- should run without issue.
4) in mysql:
   > drop database ...
   > create database ...
   -- totally blanks it for fresh web install
5) run web install
   -- installing should have no issues
6) go to a patron
7) set permissions
8) expand the reports permission
   -- should have delete reports now
9) click help and scroll down to
   'Granular Reports Permissions' right at the bottom.
   -- there should be a new delete_reports section
10) Head over to guided reports and build a few reports.
    -- as system account user, delete stuff should all be visible.
11) Find a patron, set all permissions, except delete reports.
12) log out and then log in as the modified patron
13) Head over the save reports
    -- none of the delete options should be available to the user.
14) run koha qa test tools
15) restore db

Followed test plan. Additionally tried to delete using params in URL
(not possible, OK)
Signed-off-by: Marc <veron@veron.ch>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-09-09 13:23:52 +00:00
Aleisha
5d3ea96e57 Bug 16454: Use 'inventory' instead of 'inventory/stocktaking'
To test:
1) Go to the tools home page. Confirm it says 'Inventory' instead of
   'Inventory/stocktaking' in heading and in description
2) Click Inventory. Confirm heading now says 'Inventory' instead of
   'Inventory/stocktaking'
3) Confirm that it now says 'Inventory' instead of
   'Inventory/stocktaking' in the tools menu along the left of the page
4) Click Help in top right corner. Confirm help heading now says
   'Inventory' instead of 'Inventory/stocktaking'
5) Go to user account page, go to Set Permissions
6) Expand Tools option and confirm it says 'inventory' instead of
   'inventory (stocktaking)'

Sponsored-by: Catalyst IT
Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-05-16 17:42:39 +00:00
49a3b581b7 Bug 14686: Add two granular permission for upload under tools
[1] Upload_general_files
    This will allow you to access the tools/upload form via the Tools menu.
    And it will also allow you to add permanent uploads.

[2] Upload_manage
    It will allow you to delete uploads from other users.
    Note that anyone may delete his own uploads.
    It is not meant to include upload_general_files.

In order to not disturb existing users that now have edit_catalogue and are
using the plugin (read: added at least one record to uploaded_files), we
will add the first permission for them. New users will need to be authorized
in the usual way thereafter.

Note: If you only have one of the other permissions checked in allows_add_by,
e.g. stage_marc_import, you can add temporary uploads, but not permanent
uploads.

Test plan:
We are only testing the dbrev here, not if the perm works as advertised.
[1] Run the dbrev and check that you see the perms with a description on
    the Patron/Set permissions page.
[2] If you had records in uploaded_files and a user with edit_catalogue
    *only*, verify that this user now also has upload_general_files.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
2016-04-27 16:14:17 +00:00
8814330439 Bug 15289 [QA Followup] - Fix minor language issue
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2015-12-30 02:51:50 +00:00
Alex Arnaud
eb5fca30aa Bug 15289 - borrowers permission allows to see patron's loans
Test plan:

 - log with a user that have "borrowers" permission but not "Remaining circulation permissions"
 - go to a borrower's detail page (who has at least a loan) and click on "show checkouts"
 - check that you see loan(s) and that you can't renew and checkin

 - Do the same with a borrower that have "Remaining circulation permissions"
 - check that you see loan(s) and that you can renew and checkin

Followed test plan. Works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
2015-12-30 02:51:50 +00:00
Katrin Fischer
d78d6c87ea Bug 13632: QA follow-up: Tidy installer directories / update permissions.inc
- removes permission related text files from translated
  web installer directories
- updates the permissions.inc file to include the newest
  permission 'self_checkout'

Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-19 09:38:04 -03:00
8d70ea9487 Bug 13632: Use an include file to display permissions
This patch set moves the permissions' descriptions to the po files
instead of having them in the DB.

Test plan:
0/ Apply all patches
1/ Create a new installation
2/ Confirm the userflags and permissions tables are correctly populated
3/ Update the po file for a translated language
4/ Confirm you are able to translate the permissions descriptions
5/ Install the template files for this language
6/ Switch the interface to use this language and confirm the string are
correctly translated.

QA Note: At this point we could remove the userflags.flagdesc and
permissions.description DB fields, but I would prefer to keep them:
developers will know what the permission do without the need to go and
see the include file (we have it in the sql files and so, in the DB).

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-19 09:38:04 -03:00