Most of the time when we search for patrons we do not want to search for all patrons,
but just the ones the logged in user is allowed to see the information.
This patch takes care of that by adding a new search_limited method to Koha::Patrons.
When called this method only search for patrons that the logged in user is allowed
to see.
Test plan:
Patron autocomplete search should be limited
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This is a follow-up for a previous patch, changes have been tested
already
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Do not allow a logged in staff user to modify patrons that are not part of his
group if he is not allowed.
Test plan:
Make sure you are not allowed to modify patrons that are not part of your group
from the batch patron modification tool
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Same that the previous patch but for the holds queue
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
On this page we do not have the patron object sent to the template,
let's pass it!
Test plan:
Go on the checkout history of a bibliographic record
(catalogue/issuehistory.pl)
You should not see patron's information that are not part of your group
if you
are not allowed to see them.
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
There is already a HidePatronName syspref to hide patron's information
on bibliographic
record detail pages and the hold list.
Test plan:
With the HidePatronName enabled, make sure the patron's information are
hidden from
the catalogue and hold list pages. If the logged in user is not allowed
to see the
patron's info, no link and no cardnumber will be displayed
With he HidePatronName disabled, make sure the patron's information are
displayed
if the logged in user is allowed to see the patron's info.
Technical note:
This patch improves the existing patron-title.inc include file to
display patron's
information. Using it everywhere patron's details are displayed will
permit to
homogenise the way they are displayed. The file takes now a patron
object (what
should be, in the future, the only way to use it), that way we can call
the new
method on it to know if patron's information can be shown by the logged
in used.
NOTE: I am not sure this syspref makes sense anymore. Should not we
remove it?
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
From where patrons it's about patrons, we do not want to display the libraries
from all the system, but only the ones from the group.
Test plan:
- See the overdues (circ/overdue.pl) and make sure you can only see overdues from
patrons part of your group (do not forget to test the CSV export).
- Search for patrons, the 'library' filters (headers and left side) should only
display libraries from your group
- Search for article request by patron's library: only the libraries from your
group should be displayed
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patch modifies the patron search code to limit the libraries to the
ones
the logged in user is allowed to access
Test plan:
Search for patrons
You should not see patrons you are not allowed to see.
Technical note:
I am really glad to have refactored all the patron searches before
having to
write this patch. It tooks me ~40 l to acchieve this job and affect all
patron searches.
Thanks refactoring!
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
Login with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the patron
module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your group
and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist, you
should get "This patron does not exist"
Technical note:
A new C4::Output subroutine is created in this patch: "output_and_exit_if_error"
Executed at the beginning of the script it will permit not to copy/paste all the
different checks to know if the logged in user is authorised to see patron's information.
The design here can be discussed, but I did not find an alternative with as less changes.
On the way I refactor what we did with 'unknowuser' previously: it will now work with all
patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who trusts
C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove them
if required.
Changes in discharge.pl are mainly indentation changes.
With this patch we should now have a $patron variable that refer to the patron we
want to access. That will be very useful to remove plenty of code in members/* and
only pass this variable to the template (instead of 1 variable per patron's attribute).
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test plan:
Login with a patron that only have the 'edit_borrowers' permission.
You should be able to access patron's information of patrons inside of your group.
Technical note:
Before this patchset the borrowers permission module contains only 1 permission 'edit_borrowers'.
That meant
borrowers => 1
and
borrowers => '*'
had the same behavior.
Moreover, now that we have 2 permissions, 'CAN_user_borrowers' is set when all
permissions of 'borrowers' are set.
We need to update the different occurrences of these tests.
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Technical note:
This is the method that will be called on the logged_in_user variable sent to
the template. Moreover we will check that the logged in user can access patron'
information when access to members/* and some circulation scripts will be done.
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Technical note:
To ease future changes we are passing a logged_in_user variable to templates.
It contains the Koha::Patron object representing the logged in patron.
This will be very useful for this patch and even after (for instance we will be
able to replace easily loggedinusername and loggedinusernumber).
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This is more a follow-up for bug 15707. It could be moved on its own bug report
if necessary.
IMPORTANT NOTE: At the moment the feature only works for 1 level depth, see
bug 15707 comment 166+ for the discussion
It means that if we have:
root_group
+ groupA
+ groupA1
+ groupA1_library2
+ groupA_library1
+ groupA2
+ groupB
+ groupB_library1
groupA1_library2 is not considered a child of groupA1.
Note that this can change.
Test plan:
prove t/db_dependent/LibraryGroups.t
should return green
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This is more a follow-up for bug 15707. It could be moved on its own bug report
if necessary.
Test plan:
prove t/db_dependent/LibraryGroups.t
should return green
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
This patchset adds a new feature that will allow libraries inside a
single Koha installation to restrict access to information of patrons
that
The group of libraries feature is introduced by bug 15707, see this bug for more
information.
Let's imagine that 2 groups G1 and G2 are defined and that they include 2 libraries
each G1a, G1b and G2c, G2d: logged in users attached to G1a will only see patron's
information from G1a and G1b.
To add more flexibility, a new user permission named 'view_borrower_infos_from_any_libraries'
will drive this behavior. If set, the patron will be able to see patron's information
of any libraries.
If the restriction is set, the logged in user will not be able to search, show, edit,
delete patron's information of patrons attached to groups of libraries outside his
own group.
In situations we need to refer to a patron, for holds and checkouts for instance,
and his information cannot be viewed, a text "A patron from library G1A" will be
displayed.
Considered unecessary or outside the scope of this bug report:
* The report module is not affected by this feature for obvious reasons
* The firstname and surname of guarantors, basket (acq) managers, patrons linked
to orders are still displayed.
* Log viewer: Can only be staff
* patron list: you cannot add patrons from another group of librairies, but can
see/delete from list (too much rewrite, or we can test for patron one by one?).
* "Patron card creator" tool is not impacted by this feature.
* Upload patron images is not impacted by this patch, should it be?
* Tools:
- Upload patrons
- Clean borrowers tool (This can can done easily updating Koha::Patrons->search
with Koha::Patrons->search_limited in search_upcoming_membership_expires and
search_patrons_to_anonymise but we will need to move GetBorrowersToExpunge to
Koha::Patrons first)
We can discuss these different points but will be other bug reports not to add
more complexity to this first patchset.
Test plan:
You will find a test plan in the following commit messages.
Start by creating different group of libraries and patrons with and without the
new permission. Open different browser sessions to ease the tests.
Note that all patches have to be applied to test the different test plans.
Technical notes:
For QAers (and others) a techical note will be added to the commit messages of this
patchset. I would recommend you to read them one by one to understand the different
steps of this development.
+ Special attention should be payed to the REST api changes
+ Should we restrict the logged in user to libraries from his group when
he wants to set his library (Home › Circulation › Set library)?
Signed-off-by: Signed-off-by: Jon McGowan <jon.mcgowan@ptfs-europe.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Feature using it is completely undocumented as far as my research has
shown.
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Test Plan:
1) Apply this patch set
2) Note your existing search groups have been ported over to the new
__SEARCH_GROUPS__ group if you had any
3) Create the group __SEARCH_GROUPS__ if one does not already exist
4) Add some first level subgroups to this group, add libraries to those groups
5) Search the library group searching in the intranet and opac
6) Note you get the same results as pre-patch
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Josef Moravec <josef.moravec@gmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Edit: I added !$branchcode && to the checked condition so we can add multiple
libraries back.
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
1/ DROP table if exists
2/ FAIL spelling
decendents ==> descendants
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Mark Tompsett <mtompset@hotmail.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
To test:
Look up a borrower, add a message (internal or opac)
Click the Details tab for that borrower
Messages should be displayed above the user information [is this the right place? it could go below]
adding messages on this page should make them immediately available
deleting messages on this page should delete them immediately and bring you back to the detail page.
Basically, make sure messages work from both the Check out and detail pages and that there are no typos.
Messages should work the same as they always have from the Check Out page.
sponsored-by: Catalyst IT
Signed-off-by: Simon Pouchol <simon.pouchol@biblibre.com>
Signed-off-by: Marjorie Vila <marjorie.barry-vila@collecto.ca>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
Bug 19801 - Fixes for QA
- Fixes indentation
- changes messages to patron_messages (even though it's not like that on the circulation page.)
Signed-off-by: Marjorie Vila <marjorie.barry-vila@collecto.ca>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>
This patch modifies the "Close basket" button markup so that the title
attribute on a disabled button is added to the button wrapper <div>
instead of the <a> tag. This allows the title attribute tooltip to
appear when the cursor is hovered over the button.
To test, follow the original patch's test plan and confirm that when the
"Close basket" button is disabled, hovering the mouse over the button
triggers the title attribute tooltip.
Signed-off-by: Charlotte Cordwell <charlotte.cordwell123@gmail.com>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>