From f0c60dfe6f53ef32b2046fdfd1e0732e1d89dd95 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Tue, 14 Jan 2020 10:02:11 +0100 Subject: [PATCH] Bug 22868: Move suggestions_manage subperm out of acquisition perm Bug 11911 replaced the permission of suggestions.pl (create a purchase suggestion) from catalogue => 1 to acquisition => 'suggestions_manage'. However we have a lot of acquisition scripts that have lax permissions (acquisition => '*' which means any sub permissions of acquisition is enough). That causes problem when a circulation staff can create purchase suggestions but not access acquisition information. One solution is to move the suggestions_manage subpermission out of the acquisition permission and create a new suggestion permission. Test plan: 0. Setup * Create a patron with several permission (and full acquisition permission) * Create another patron with several permission, and suggestions_manage permission * Create another patron without the suggestions_manage permission 1. Apply the patch and execute the update database entry 2. Note that the third patron you create still does not have suggestions_manage 3. Confirm that you can create a purchase suggestion if you have suggestions_manage, but cannot access acquisition pages if you do not have any subpermissions of the acquisition permission Signed-off-by: Hayley Mapley Signed-off-by: Katrin Fischer Signed-off-by: Martin Renvoize Signed-off-by: Joy Nelson (cherry picked from commit 462db680242b4a6cbfb82b3469ebec8912e69af3) 
Signed-off-by: Lucas Gass
---
 .../data/mysql/atomicupdate/bug_22868.perl | 19 +++++++++++++++++++
 installer/data/mysql/userflags.sql | 3 ++-
 installer/data/mysql/userpermissions.sql | 2 +-
 .../prog/en/includes/acquisitions-menu.inc | 2 +-
 .../prog/en/includes/circ-menu.inc | 2 +-
 .../prog/en/includes/permissions.inc | 5 ++++-
 .../prog/en/modules/acqui/acqui-home.tt | 2 +-
 .../prog/en/modules/intranet-main.tt | 2 +-
 members/purchase-suggestions.pl | 2 +-
 suggestion/suggestion.pl | 2 +-
 10 files changed, 32 insertions(+), 9 deletions(-)
 create mode 100644 installer/data/mysql/atomicupdate/bug_22868.perl
diff --git a/installer/data/mysql/atomicupdate/bug_22868.perl b/installer/data/mysql/atomicupdate/bug_22868.perl
new file mode 100644
index 0000000000..ab4853dc45
--- /dev/null
+++ b/installer/data/mysql/atomicupdate/bug_22868.perl
@@ -0,0 +1,19 @@
+$DBversion = 'XXX'; # will be replaced by the RM
+if( CheckVersion( $DBversion ) ) {
+ $dbh->do(q{
+ INSERT IGNORE INTO `userflags` (`bit`, `flag`, `flagdesc`, `defaulton`)
+ VALUES (12, 'suggestions', 'Suggestion management', 0)
+ });
+
+ $dbh->do(q{
+ UPDATE permissions SET module_bit=12
+ WHERE code="suggestions_manage"
+ });
+
+ $dbh->do(q{
+ UPDATE borrowers SET flags = flags + (1<<12) WHERE flags & (1 << 11)
+ });
+
+ SetVersion( $DBversion );
+ print "Upgrade to $DBversion done (Bug 22868 - Move suggestions_manage subpermission out of acquisition permission)\n";
+}
diff --git a/installer/data/mysql/userflags.sql b/installer/data/mysql/userflags.sql
index 68235994c5..817e91a870 100644
--- a/installer/data/mysql/userflags.sql
+++ b/installer/data/mysql/userflags.sql
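Review bot: In the new `bug_22868.perl` update, the last statement sets the bit with arithmetic, `flags = flags + (1<<12)`, so any borrower row that already has bit 12 set would have the addition carry into bit 13 (`tools` in `userflags.sql`) and clear the bit that was meant to be granted. The gap at 12 in `userflags.sql` does not show that no stored `flags` value uses that bit, so a bitwise OR is the safer form: `UPDATE borrowers SET flags = flags | (1<<12) WHERE flags & (1 << 11)`. That also keeps the statement idempotent if it is ever run outside the `CheckVersion` guard. The preceding `INSERT IGNORE` has the same blind spot: if a `userflags` row for bit 12 already exists it is silently kept under its old name, which is worth a check or a warning before `suggestions_manage` is remapped onto it.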
@@ -8,7 +8,8 @@ INSERT INTO userflags (bit, flag, flagdesc, defaulton) VALUES
 (6,'reserveforothers','Place and modify holds for patrons',0),
 (9,'editcatalogue','Edit catalog (Modify bibliographic/holdings data)',0),
 (10,'updatecharges','Manage patrons fines and fees',0),
-(11,'acquisition','Acquisition and/or suggestion management',0),
+(11,'acquisition','Acquisition management',0),
+(12,'suggestions','Suggestion management',0),
 (13,'tools','Use all tools (expand for granular tools permissions)',0),
 (14,'editauthorities','Edit authorities',0),
 (15,'serials','Manage serial subscriptions',0),
diff --git a/installer/data/mysql/userpermissions.sql b/installer/data/mysql/userpermissions.sql
index 911b81fab6..6925e11e4b 100644
--- a/installer/data/mysql/userpermissions.sql
+++ b/installer/data/mysql/userpermissions.sql
@@ -46,7 +46,6 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (10, 'writeoff', 'Write off fines and fees'),
 (10, 'remaining_permissions', 'Remaining permissions for managing fines and fees'),
 (11, 'currencies_manage', 'Manage currencies and exchange rates'),
- (11, 'suggestions_manage', 'Manage purchase suggestions'),
 (11, 'vendors_manage', 'Manage vendors'),
 (11, 'contracts_manage', 'Manage contracts'),
 (11, 'period_manage', 'Manage budgets'),
@@ -60,6 +59,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 (11, 'budget_add_del', 'Add and delete funds (but can''t modify funds)'),
 (11, 'budget_manage_all', 'Manage all funds'),
 (11, 'edi_manage', 'Manage EDIFACT transmissions'),
+ (12, 'suggestions_manage', 'Manage purchase suggestions'),
 (13, 'edit_news', 'Write news for the OPAC and staff interfaces'),
 (13, 'label_creator', 'Create printable labels and barcodes from catalog and patron data'),
 (13, 'edit_calendar', 'Define days when the library is closed'),
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-menu.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-menu.inc index f5ef2e4579..de132ec66f 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-menu.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/acquisitions-menu.inc @@ -4,7 +4,7 @@
  • Acquisitions home
  • [% IF ( CAN_user_acquisition_order_receive ) %]
  • Late orders
  • [% END %] - [% IF ( suggestion && CAN_user_acquisition_suggestions_manage ) %]
  • Suggestions
  • [% END %] + [% IF ( suggestion && CAN_user_suggestions_suggestions_manage ) %]
  • Suggestions
  • [% END %]
  • Invoices
  • [% IF CAN_user_acquisition_edi_manage %]
  • EDIFACT messages
  • diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc index a79a55f38f..a8328bca4a 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/circ-menu.inc @@ -122,7 +122,7 @@ [% END %] [% END %] - [% IF CAN_user_acquisition_suggestions_manage %] + [% IF CAN_user_suggestions_suggestions_manage %] [% IF ( suggestionsview ) %]
  • [% ELSE %]
  • [% END %]Purchase suggestions
  • [% END %] [% IF CAN_user_borrowers_edit_borrowers && useDischarge %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc index 9cd9b05e45..208e82e441 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc @@ -28,7 +28,10 @@ Manage patrons fines and fees ([% name | html %]) [%- CASE 'acquisition' -%] - Acquisition and/or suggestion management + Acquisition management + ([% name | html %]) + [%- CASE 'suggestions' -%] + Suggestions management ([% name | html %]) [%- CASE 'tools' -%] Use all tools (expand for granular tools permissions) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/acqui-home.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/acqui-home.tt index f20c54c1aa..83dc7e30d1 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/acqui-home.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/acqui-home.tt @@ -49,7 +49,7 @@ -[% IF ( CAN_user_acquisition_suggestions_manage && suggestion && suggestions_count ) %] +[% IF ( CAN_user_suggestions_suggestions_manage && suggestion && suggestions_count ) %]
    diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt index ab04abbcd9..7a53c17c79 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/intranet-main.tt @@ -138,7 +138,7 @@
    [% END %] - [% IF ( CAN_user_acquisition_suggestions_manage && pendingsuggestions ) %] + [% IF ( CAN_user_suggestions_suggestions_manage && pendingsuggestions ) %]
    Suggestions pending approval:
diff --git a/members/purchase-suggestions.pl b/members/purchase-suggestions.pl
index 67c021e020..5477b23c0f 100755
--- a/members/purchase-suggestions.pl
+++ b/members/purchase-suggestions.pl
@@ -34,7 +34,7 @@ my ( $template, $loggedinuser, $cookie ) = get_template_and_user(
 query => $input,
 type => "intranet",
 authnotrequired => 0,
- flagsrequired => { acquisition => 'suggestions_manage' },
+ flagsrequired => { suggestions => 'suggestions_manage' },
 debug => 1,
 } );
diff --git a/suggestion/suggestion.pl b/suggestion/suggestion.pl
index 8c3056e807..d35161ebeb 100755
--- a/suggestion/suggestion.pl
+++ b/suggestion/suggestion.pl
@@ -111,7 +111,7 @@ my ( $template, $borrowernumber, $cookie, $userflags ) = get_template_and_user(
 template_name => "suggestion/suggestion.tt",
 query => $input,
 type => "intranet",
- flagsrequired => { acquisition => 'suggestions_manage' },
+ flagsrequired => { suggestions => 'suggestions_manage' },
 } );
-- 
2.39.5
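Review bot: Both `flagsrequired` changes here (`members/purchase-suggestions.pl` and `suggestion/suggestion.pl`) rename the permission key, and the patch adds no test pinning the new boundary, so a leftover check elsewhere would go unnoticed. The diffstat touches only these two scripts; any other Perl caller still asking for `acquisition => 'suggestions_manage'`, or a template still reading `CAN_user_acquisition_suggestions_manage`, is not visible here and would now refer to a sub-permission that no longer sits under `acquisition`. A tree-wide search for `suggestions_manage` before merge would catch such leftovers. A test that a patron holding only `suggestions` is refused on an acquisition page, and that a patron holding only acquisition sub-permissions is refused on `suggestion.pl`, would confirm the separation the commit message describes. Both enclosing `get_template_and_user` calls start outside their hunks.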