Katrin Fischer
5dc3852308
Under certain circumstances the "Keep current" option on receive allows to receive order lines where the fund is otherwise not accessible to the user. In 22.11 the wrong value is used for the option, so that instead of the fund id the budget id is used, this can lead to an error 500 if there is no fund with this id or to a wrong fund being saved. To test: 1) Create budget and fund * With the sample data * Create a new budget "July 2023" * Create a new fund "Books" under it * Limit access to Owner and make yourself the owner 2) Create order * Create a basket * Create an order line with this access limited fund * Close the basket 3) Create a staff user with limited permissions * Edit or create another patron * Set catalogue and acq permissions without budget_manage_all and order_manage_all (no access to the fund) * Edit username and password 4) Receive, recreating the error * Log in as the second user in a separate browser * Receive shipment * Create invoice * Receive * You should see the fund under the "Keep current" heading selected * Add quantity received, save * Fund has changed to Fund_1_2 => data loss :( 5) Receive, verify fix * Create another order line with your privileged user and the "Books" fund * Repeat 4) * After receiving the fund should now remain unchanged Signed-off-by: Emily Lamancusa <emily.lamancusa@montgomerycountymd.gov> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> |
||
|---|---|---|
| .. | ||
| intranet-tmpl | ||
| opac-tmpl | ||