Add new 'cashup' sub-permissions to the 'cash_management' permission to
allow fine grained control over whome may 'cashup' a cash register.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Bug 11911 replaced the permission of suggestions.pl (create a purchase
suggestion) from catalogue => 1 to acquisition => 'suggestions_manage'.
However we have a lot of acquisition scripts that have lax permissions
(acquisition => '*' which means any sub permissions of acquisition is
enough).
That causes problem when a circulation staff can create purchase
suggestions but not access acquisition information.
One solution is to move the suggestions_manage subpermission out of the
acquisition permission and create a new suggestion permission.
Test plan:
0. Setup
* Create a patron with several permission (and full acquisition
permission)
* Create another patron with several permission, and suggestions_manage
permission
* Create another patron without the suggestions_manage permission
1. Apply the patch and execute the update database entry
2. Note that the third patron you create still does not have
suggestions_manage
3. Confirm that you can create a purchase suggestion if you have
suggestions_manage, but cannot access acquisition pages if you do not
have any subpermissions of the acquisition permission
Signed-off-by: Hayley Mapley <hayleymapley@catalyst.net.nz>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
This patch moves the manage_cash_registers subpermission to the more
appropriate location under 'parameters'.
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Add a new subpermission called 'refund' to the 'updatecharges'
permission group which will allow/prevent refund actions to be
performed by staff.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Add a new subpermission called 'payout' to the 'updatecharges'
permission group which will allow/prevent payout actions to be performed
by staff.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
The manage_accounts permission was duly added to updatedatabase.pl, but
it was missed from userpermissions.sql.
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Move to admin
Add a permission
Remove descriptions from table
Clean up template
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
To test:
1 - Have three borrowers, one with order_manage permission, one with
edit_subscription permisson, andone with both
2 - Apply patch, updatedatabase
3 - Verify all three now have the manage_additional_fields permission
4 - Visit the admin page with these users, they should all see the
'Manage additional fields' link
5 - Click the link
6 - User with order_manage should see 'Order baskest'
7 - User with edit_subscription should see 'Subscriptions'
8 - User with both should see both
9 - Remove the additional permissions from a user - they should see a
note about needing additional permissions
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch adds a separate permission for managing Mana KB.
To test, apply the patch and update the database.
- Open the permissions page for a patron with staff client privileges
- Confirm that there is a "Manage Mana KB content sharing
(manage_mana)" permission.
- Leaving this new permission unchecked, log into the staff client
with as that patron and go to the Administration home page.
- The "Using Mana-KB" link should not appear.
- Navigate directly to /cgi-bin/koha/admin/share_content.pl. You
should get a "permission denied" message.
- Modify the patron's permissions to grant them access to Mana KB.
- Confirm that the link now appears on the Administration home
page and that the user can access the page.
Signed-off-by: Maryse Simard <maryse.simard@inlibro.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
The typo in the installer files will cause problems on new
installations as the code for the permission is wrong.
This means that on new installations the Did you mean? section
on the administration page won't show up.
In order to fix this, we need to correct the code in
permissions, but also the permissions for users who
this permission has been given to.
To test:
- Start without the patch
- Use a new installation with the permission typo
- Log in as superlibrarian
- Verify that the "did you mean?" configuration page
is not visible
- Create another staff user with permission to access
staff and manage_didyoumean checked
- Verify configuration page remains invisible
- Apply patch and run database update
- Check both users again, the config page should now sohw
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Since this patch has been written, new references to this
permission have been added to the code:
- t/db_dependent/api/v1/stockrotationstage.t
- t/db_dependent/api/v1/cities.t
- admin/overdrive.pl
Instead of removing the permission, let's keep it for now
and do more clean-up later in separate patches if required.
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
So far the administration module only allowed for 2 permissions:
- circulation conditions (manage_circ_rules)
- everything else (parameters_remaining_permissions)
With this patch almost every section of the administration page
will have its own granular permission.
To test:
- Create different staff users:
1) One with parameters_remaining_permissions
2) One with parameters
3) One with catalogue and no parameters
4) One superlibrarian
- Apply the patch
- Run the database update
- Check the staff users:
1) All subpermissions, but manage_circ_rules
should be checked
2) Nothing should have changed
3) manage_item_serach_fields shoudl be checked
(page had catalogue permission before)
4) Nothing should have changed
- Try different settings of the permissions and
verify that
- Administration page behaves correctly
- Administration menu behaves correctly
! You shoudl only see what you have permission for
https://bugs.koha-community.org/show_bug.cgi?id=14391
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Lisette Scheer <lisetteslatah@gmail.com>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Test plan:
1) Ensure that you have four users:
a) A superlibrarian
b) A user with all `parameters` permissions (the toplevel `parameters`
box is checked).
c) A user with the `manage_circ_rules` permission (and, of course,
`catalogue`).
d) A user with the `manage_circ_rules`, `manage_circ_rules_restricted`
and `catalogue` permissions.
2) As all four users, load the "Circulation and fine rules"
administration page (admin/smart-rules.pl).
3) The page should be unchanged for the first three users. It should be
possible to view and edit the circ rules for all libraries.
4) The last (restricted) user should only be able to view and edit the
circ rules for their own library.
Amended by JD: In a second version of this patch
manage_circ_rules_restricted has been replaced by
manage_circ_rules_from_any_libraries and 'no_inherit' related code has
been removed
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Without this patch only catalogue permission was required
for managing suggestions. This patch adds a new permission
in the acquisition module do manage suggestions and updates
staff user permissions accordingly.
To test:
- Make sure there is a pending suggestion
- Create a few users with different permission sets:
- User 1: only catalogue
- User 2: any acquisition permission
- User 3: cataloguing permission
- Check all of them can access: /cgi-bin/koha/suggestion/suggestion.pl
- Apply the patch
- Verify all of them now have the suggestions_manage permission
- Verify everything displays correctly on:
- intranet start page
- patron account in staff
- acquisition start page
- suggestion page (try to access by URL too)
- Remove suggestions_manage for a staff user
- Repeat tests above, access should be denied/links not visible
Bonus:
- Fixes the link on the acquisition start page for late orders
to mage the permissions of the page itself: order_receive
Signed-off-by: Séverine QUEUNE <severine.queune@bulac.fr>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Fixing the comments in Comment 42
Ready to test
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This patch adds a user permission for managing issue notes, and a 'noteseen'
column to the issues table.
To test:
1) Apply Bug 14224 first
2) Apply this patch, update database, rebuild schema.
3) Restart koha-common and memcached
4) Turn on AllowCheckoutNotes syspref if haven't already
5) Issue two items to two different users (one item each)
6) Log into the OPAC as one of the users and add an issue note to their
issue
7) Log out and log back into the OPAC as the other user
8) Disable Javascript
9) Refresh opac-user.pl
10) Leave a checkout note on their issue
11) Enable javascript and log into the Staff Client as a superlibrarian
user
12) Go to your user's account and edit their permissions to have
everything ticked EXCEPT circulate->manage checkout notes.
13) Go to main intranet page. There should be no message saying
'checkout notes pending'.
14) Go to circulation home page. There should be no link to Checkout notes.
15) Go back to user's permissions and tick circulate->manage checkout notes.
16) Go back to main intranet page. There should now be a message at the
bottom saying 'Checkout notes pending: 2'
17) Go to circulation home page. There should be a link to Checkout notes
with a 2 next to it. Click this link
18) Attempt to mark an checkout note as seen. This should update the status
of the checkout note to 'seen' and disable to 'mark as seen' button while
enabling the 'mark as not seen' button.
19) Test both buttons with both issues.
20) Test select all and clear all buttons
21) Confirm that buttons at the bottom are only enabled if a checkbox is
checked
22) Try selecting both issues and using the buttons at the bottom to
mark multiple issue notes at once.
23) Confirm the barcode link to the item works as expected.
24) Confirm the cardnumber link to the user works as expected.
25) Confirm all table details show correctly.
Sponsored-by: Catalyst IT
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Followed test plan, works as expected
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Brendan Gallagher <brendan@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Amended patch: Remove self-checkout permissions
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
At the moment staff users need parameters or parameters_remaining_permissions
in order to be able to change exchange rates for acquisition orders.
This patch adds a new separate permission currencies_manage and
updates staff users currently having those permissions to get the
new permission as well.
To test:
- Create some staff users with different permission sets
1) superlibrarian
2) parameters
3) parameters_remaining_permissions
4) manage_circ_rules, but not parmeters_remaining_permissions
5) all acquisition permissions
- Apply patch and run database update
- Verify new permission has been added and staff users updated
1) remains the same
2) + 3) will have currencies_manage
4) remains unchanged, doesn't have new permission
5) remains the same, will have access now because of having
the top level acquisition permission
- Verify the changed pages work correctly:
- navigation on admin home page
NOTE: the acquisition parameters section will now honor all
different related permissions (edi_manage, budget_manage,...)
- navigation on acquisition home page
- try to access currencies page directly
Signed-off-by: Charles Farmer <charles.farmer@inLibro.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
The permissions for acquisitions were not very clearly described.
This patch changes the descriptions in the include file (GUI) and
in the default SQL.
To test:
- Go to any patron account in staff
- Go to more > permissions
- Verify that the meaning of each acquisition permission is clear
from the description
Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
This squash contains all of these commits:
- Adds a page to access log files on the server from the intranet
- Update ID to allow for permalinking
- Rename config to "'accessdir' and fix qa
- Allows for multiple directories to be accessible
- Update the link under reports
- (Follow-up) Fixing merge error and cosmetic changes
- (Follow-up) Fix tab chars and move javascript to the footer
- (QA Follow-up) Fix datatable
- Make filename unicode-proof, renamed accessdir to access_dir and fix update
Test plans:
- Apply patch, update database
- Add to koha-conf:
<access_dir>/tmp/koha-public/one</access_dir>
<access_dir>/tmp/koha-public/two</access_dir>
<access_dir>/tmp/koha-public</access_dir>
- Create these directories ( mkdir /tmp/koha-public , etc...)
- Create these files:
echo "hello world!" > /tmp/koha-public/❤
echo "test" > /tmp/koha-public/one/samename.txt
echo "this is not the same" > /tmp/koha-public/two/samename.txt
- Login as Superadmin, go to tools > reports files
- Click on ❤, make sure it's downloadable and readable
- Click on both samename.txt, look inside and make sure the file is different
- Login as NON-superadmin. Go under tools, see no Report/Log under the third column
- Go to add tools/access_file permission to user
- See new entry under tools third column.
- validate link is ok.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
In order to make this module unrelated to the SCO module, this
patch introduces the following sysprefs:
- SelfCheckInMainUserBlock
- SelfCheckInModuleUserID
- SelfCheckInTimeout
- SelfCheckInUserCSS
- SelfCheckInUserJS
It also adds a new user flag and sub-permission:
- self_check => self_checkin_module
and moves the circulate => self_checkout permission into
- self_check => self_checkout_module
Descriptions are adjusted accordingly.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patchset adds a new feature that will allow libraries inside a
single Koha installation to restrict access to information of patrons
that
The group of libraries feature is introduced by bug 15707, see this bug for more
information.
Let's imagine that 2 groups G1 and G2 are defined and that they include 2 libraries
each G1a, G1b and G2c, G2d: logged in users attached to G1a will only see patron's
information from G1a and G1b.
To add more flexibility, a new user permission named 'view_borrower_infos_from_any_libraries'
will drive this behavior. If set, the patron will be able to see patron's information
of any libraries.
If the restriction is set, the logged in user will not be able to search, show, edit,
delete patron's information of patrons attached to groups of libraries outside his
own group.
In situations we need to refer to a patron, for holds and checkouts for instance,
and his information cannot be viewed, a text "A patron from library G1A" will be
displayed.
Considered unecessary or outside the scope of this bug report:
* The report module is not affected by this feature for obvious reasons
* The firstname and surname of guarantors, basket (acq) managers, patrons linked
to orders are still displayed.
* Log viewer: Can only be staff
* patron list: you cannot add patrons from another group of librairies, but can
see/delete from list (too much rewrite, or we can test for patron one by one?).
* "Patron card creator" tool is not impacted by this feature.
* Upload patron images is not impacted by this patch, should it be?
* Tools:
- Upload patrons
- Clean borrowers tool (This can can done easily updating Koha::Patrons->search
with Koha::Patrons->search_limited in search_upcoming_membership_expires and
search_patrons_to_anonymise but we will need to move GetBorrowersToExpunge to
Koha::Patrons first)
We can discuss these different points but will be other bug reports not to add
more complexity to this first patchset.
Test plan:
You will find a test plan in the following commit messages.
Start by creating different group of libraries and patrons with and without the
new permission. Open different browser sessions to ease the tests.
Note that all patches have to be applied to test the different test plans.
Technical notes:
For QAers (and others) a techical note will be added to the commit messages of this
patchset. I would recommend you to read them one by one to understand the different
steps of this development.
+ Special attention should be payed to the REST api changes
+ Should we restrict the logged in user to libraries from his group when
he wants to set his library (Home › Circulation › Set library)?
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.
Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
* Here you can add fields that can be filled out at the time
a new club is created based on the template, or a new enrollment
is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This features would add the ability to create clubs which patrons may be
enrolled in. It would be particularly useful for tracking summer reading
programs, book clubs and other such clubs.
Test Plan:
1) Apply this patch
2) Run updatedatabase.pl
3) Ensure your staff user has the new 'Patron clubs' permissions
4) Under the tools menu, click the "Patron clubs" link
5) Create a new club template
* Here you can add fields that can be filled out at the time
a new club is created based on the template, or a new enrollment
is created for a given club based on the template.
6) Create a new club based on that template
7) Attempt to enroll a patron in that club
8) Create a club with email required set
9) Attempt to enroll a patron without an email address in that club
10) Create a club that is enrollable from the OPAC
11) Attempt to enroll a patron in that club
12) Attempt to cancel a club enrollment from the OPAC
13) Attempt to cancel a club enrollment from the staff interface
Followed test plan, works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>
Bug 14686 added in a dbrev:
(13, 'upload_general_files', 'Upload any file'),
(13, 'upload_manage', 'Manage uploaded files');
But these were not added in userpermissions.sql somehow :)
So, what now?
This patch:
[1] adds them to userpermissions.sql as should have been done,
[2] adds a dbrev to add them for newer installs that did not run the
14686 dbrev.
Test plan:
[1] Run this sql statement:
DELETE FROM permissions WHERE code = 'upload_general_files' OR
code = 'upload_manage'
[2] Run the db rev.
[3] Check if you see Tools/Upload (with sufficient perms).
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
This splits off the delete capability from the create reports permission.
From a UI perspective there were CSS issues, that this patch set hackily
bypasses. Perhaps someone else can amend this enhancement with the required
changes so that the extra column at the beginning of the table can be
removed when the user does not have delete capability.
TEST PLAN
---------
1) back up db
2) apply patch
3) ./installer/data/mysql/updatedatabase.pl
-- should run without issue.
4) in mysql:
> drop database ...
> create database ...
-- totally blanks it for fresh web install
5) run web install
-- installing should have no issues
6) go to a patron
7) set permissions
8) expand the reports permission
-- should have delete reports now
9) click help and scroll down to
'Granular Reports Permissions' right at the bottom.
-- there should be a new delete_reports section
10) Head over to guided reports and build a few reports.
-- as system account user, delete stuff should all be visible.
11) Find a patron, set all permissions, except delete reports.
12) log out and then log in as the modified patron
13) Head over the save reports
-- none of the delete options should be available to the user.
14) run koha qa test tools
15) restore db
Followed test plan. Additionally tried to delete using params in URL
(not possible, OK)
Signed-off-by: Marc <veron@veron.ch>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Add support for processing incoming Edifact Quotes, Invoices
and order responses and generating and transmission of
Edifact Orders.
Basic workflow is that an incoming quote generates an aquisition
basket in Koha, with each line corresponding to an order record
The user can then generate an edifact order from this (or another)
basket, which is transferred to the vendor's site
The supplier generates an invoice on despatch and this will
result in corresponding invoices being generated in Koha
The orderlines on the invoice are receipted automatically.
We also support order response messages. This may include
simple order acknowledgements, supplier reports/amendments
on availability. Cancellation messages cause the koha order
to be cancelled, other messages are recorded against the order
Which messages are to be supported/processed is specifiable on a
vendor by vendor basis via the admin screens
You can also specify auto order i.e. to generate orders from quotes
without user intervention - This reflects existing
workflows where most work is done on the suppliers website
then generating a dummy quote
Received messages are stored in the edifact_messages table
and the original can be viewed via the online
Database changes are in installer/data/mysql/atomicchanges/edifact.sql
Note new perl dependencies:
Net::SFTP:Foreign
Text::Unidecode
Signed-off-by: Paul Johnson <p.johnson@staffs.ac.uk>
Signed-off-by: Sally Healey <sally.healey@cheshiresharedservices.gov.uk>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>
Move the 2 specific 'en' files outside of the language directory.
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
2015-10-19 09:38:04 -03:00
Renamed from installer/data/mysql/en/mandatory/userpermissions.sql (Browse further)
