This patch just fixes a missing permission on the intranet main page. Currently, the Additional Content modules allows people to edit, modify or create new additional content just by checking if they have any tool permission at all, and not the right one.
To test:
1 - From the staff client, create a news article for the intranet.
2 - Create (or use) an additional staff patron, giving them the necessary permissions to access the intranet, but no tool permission.
3 - Using another browser (or incognito mode), log on the intranet page with your new staff account, you should be able to see the news content, but not edit or delete it. That's the expected behavior.
4 - From your main admin account, give your test account the edit_additional_contents permission.
5 - Your test account should now be able to edit/delete the news content. This is also expected behavior.
6 - Using the main account again, remove this time the edit_additional_contents but add any other subtool permission (edit_calendar is a good one for instance)
7 - Repeat step 5 and confirm that your test account can still edit or delete the news content. This shouldn't happen.
8 - Apply patch
9 - Repeat steps 4-6, and confirm that your test account can now only edit or delete news content if they have the edit_additional_contents permission enabled.
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Signed-off-by: Tomas Cohen Arazi <tomascohen@theke.io>
(cherry picked from commit e3faa4d66b)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
692c054a73
