From 6ef64cda22dc7a17c72215bbb0d74c240b314646 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Wed, 5 Apr 2017 13:19:42 -0300 Subject: [PATCH] Bug 18403: Adapt patron search This patch modifies the patron search code to limit the libraries to the ones the logged in user is allowed to access Test plan: Search for patrons You should not see patrons you are not allowed to see. Technical note: I am really glad to have refactored all the patron searches before having to write this patch. It tooks me ~40 l to acchieve this job and affect all patron searches. Thanks refactoring! Signed-off-by: Signed-off-by: Jon McGowan Signed-off-by: Jonathan Druart --- C4/Utils/DataTables/Members.pm | 64 +++++++++++++++++++++++++--------- 1 file changed, 47 insertions(+), 17 deletions(-) diff --git a/C4/Utils/DataTables/Members.pm b/C4/Utils/DataTables/Members.pm index b2e4963a73..a00e1168b5 100644 --- a/C4/Utils/DataTables/Members.pm +++ b/C4/Utils/DataTables/Members.pm 
@@ -20,34 +20,64 @@ sub search { $searchmember = $dt_params->{sSearch} // ''; } - my ($sth, $query, $iTotalRecords, $iTotalDisplayRecords); + # If branches are independent and user is not superlibrarian + # The search has to be only on the user branch + my $userenv = C4::Context->userenv; + my @restricted_branchcodes; + if (C4::Context::only_my_library) { + push @restricted_branchcodes, $userenv->{branch}; + } + else { + my $logged_in_user = Koha::Patrons->find( $userenv->{number} ); + unless ( + $logged_in_user->can( + { borrowers => 'view_borrower_infos_from_any_libraries' } + ) + ) + { + if ( my $library_groups = $logged_in_user->library->library_groups ) + { + while ( my $library_group = $library_groups->next ) { + push @restricted_branchcodes, + $library_group->parent->children->get_column('branchcode'); + } + } + else { + push @restricted_branchcodes, $userenv->{branch}; + } + } + } + + my ($sth, $query, $iTotalQuery, $iTotalRecords, $iTotalDisplayRecords); my $dbh = C4::Context->dbh; # Get the iTotalRecords DataTable variable - $query = "SELECT COUNT(borrowers.borrowernumber) FROM borrowers"; - $sth = $dbh->prepare($query); - $sth->execute; - ($iTotalRecords) = $sth->fetchrow_array; + $query = $iTotalQuery = "SELECT COUNT(borrowers.borrowernumber) FROM borrowers"; + if ( @restricted_branchcodes ) { + $iTotalQuery .= " WHERE borrowers.branchcode IN (" . join( ',', ('?') x @restricted_branchcodes ) . ")"; + } + ($iTotalRecords) = $dbh->selectrow_array( $iTotalQuery, undef, @restricted_branchcodes ); + + # Do that after iTotalQuery! + if ( defined $branchcode and $branchcode ) { + @restricted_branchcodes = @restricted_branchcodes + ? grep { /^$branchcode$/ } @restricted_branchcodes + ? 
($branchcode) + : (undef) # Do not return any results + : ($branchcode); + } if ( $searchfieldstype eq 'dateofbirth' ) { # Return an empty list if the date of birth is not correctly formatted $searchmember = eval { output_pref( { str => $searchmember, dateformat => 'iso', dateonly => 1 } ); }; if ( $@ or not $searchmember ) { return { - iTotalRecords => 0, + iTotalRecords => $iTotalRecords, iTotalDisplayRecords => 0, patrons => [], }; } } - # If branches are independent and user is not superlibrarian - # The search has to be only on the user branch - if ( C4::Context::only_my_library ) { - my $userenv = C4::Context->userenv; - $branchcode = $userenv->{'branch'}; - - } - my $select = "SELECT borrowers.borrowernumber, borrowers.surname, borrowers.firstname, borrowers.streetnumber, borrowers.streettype, borrowers.address, @@ -70,9 +100,9 @@ sub search { push @where_strs, "borrowers.categorycode = ?"; push @where_args, $categorycode; } - if(defined $branchcode and $branchcode ne '') { - push @where_strs, "borrowers.branchcode = ?"; - push @where_args, $branchcode; + if(@restricted_branchcodes ) { + push @where_strs, "borrowers.branchcode IN (" . join( ',', ('?') x @restricted_branchcodes ) . ")"; + push @where_args, @restricted_branchcodes; } my $searchfields = { -- 2.39.5
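Review bot: The restriction check on the `grep` line inside the new `if ( defined $branchcode and $branchcode )` block does not do what its comment claims: `grep BLOCK LIST` is a list operator and binds looser than `?:`, so its LIST is the following `@restricted_branchcodes ? ($branchcode) : (undef)`, the block then filters the one-element list `($branchcode)` against itself, and the `(undef)` "Do not return any results" branch is unreachable — a restricted user who passes any `branchcode` narrows the allowed set to that branch and sees patrons outside their libraries. Parenthesise the condition and compare exactly instead of interpolating request input into a regex, `? ( grep { $_ eq $branchcode } @restricted_branchcodes )`, leaving the `? ($branchcode) : (undef)` lines below it as they are. A regression test in which a patron without `view_borrower_infos_from_any_libraries` searches with a branch outside their group and expects `iTotalDisplayRecords` of 0 would have caught this. Separately, the `if ( my $library_groups = ... )` fallback appears to test whether a resultset object was returned rather than whether it is non-empty (`library_groups` is not visible here); if an empty set is truthy, the `else` branch never runs and `@restricted_branchcodes` stays empty, lifting the restriction, so `push @restricted_branchcodes, $userenv->{branch} unless @restricted_branchcodes;` after the `while` loop would fail closed either way. `sub search` starts before this hunk and continues after it.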
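Review bot: The new `borrowers.branchcode IN (...)` clause in the `if(@restricted_branchcodes )` block relies on an `undef` element binding as `NULL` so that `IN (NULL)` matches no rows, and nothing at this site records that; a later edit to the earlier ternary could turn it into an unrestricted search without anyone noticing here. A comment above the `push @where_strs` line such as `# An undef entry (requested branch outside the allowed set) binds as NULL and matches no rows on purpose` keeps the contract next to the query. The spacing `if(@restricted_branchcodes )` also differs from the `if ( ... )` form used in the first hunk. `sub search` continues outside this hunk.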