From 95d0a17e8b873c493f099fc69772e4c50908a21c Mon Sep 17 00:00:00 2001 
From: Jonathan Druart Date: Tue, 4 Apr 2017 16:01:41 -0300 Subject: [PATCH] Bug 18403: Hide patron information if not part of the logged in user library group MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This patchset adds a new feature that will allow libraries inside a single Koha installation to restrict access to information of patrons that The group of libraries feature is introduced by bug 15707, see this bug for more information. Let's imagine that 2 groups G1 and G2 are defined and that they include 2 libraries each G1a, G1b and G2c, G2d: logged in users attached to G1a will only see patron's information from G1a and G1b. To add more flexibility, a new user permission named 'view_borrower_infos_from_any_libraries' will drive this behavior. If set, the patron will be able to see patron's information of any libraries. If the restriction is set, the logged in user will not be able to search, show, edit, delete patron's information of patrons attached to groups of libraries outside his own group. In situations we need to refer to a patron, for holds and checkouts for instance, and his information cannot be viewed, a text "A patron from library G1A" will be displayed. Considered unnecessary or outside the scope of this bug report: * The report module is not affected by this feature for obvious reasons * The firstname and surname of guarantors, basket (acq) managers, patrons linked to orders are still displayed. * Log viewer: Can only be staff * patron list: you cannot add patrons from another group of libraries, but can see/delete from list (too much rewrite, or we can test for patron one by one?). * "Patron card creator" tool is not impacted by this feature. * Upload patron images is not impacted by this patch, should it be?
* Tools: - Upload patrons - Clean borrowers tool (This can can done easily updating Koha::Patrons->search with Koha::Patrons->search_limited in search_upcoming_membership_expires and search_patrons_to_anonymise but we will need to move GetBorrowersToExpunge to Koha::Patrons first) We can discuss these different points but will be other bug reports not to add more complexity to this first patchset. Test plan: You will find a test plan in the following commit messages. Start by creating different group of libraries and patrons with and without the new permission. Open different browser sessions to ease the tests. Note that all patches have to be applied to test the different test plans. Technical notes: For QAers (and others) a techical note will be added to the commit messages of this patchset. I would recommend you to read them one by one to understand the different steps of this development. + Special attention should be payed to the REST api changes + Should we restrict the logged in user to libraries from his group when he wants to set his library (Home › Circulation › Set library)? Signed-off-by: Signed-off-by: Jon McGowan Signed-off-by: Jonathan Druart --- .../atomicupdate/bug_xxxxx-add-permission.perl | 13 +++++++++++++ installer/data/mysql/userpermissions.sql | 2 ++ .../intranet-tmpl/prog/en/includes/permissions.inc | 2 ++ 3 files changed, 17 insertions(+) create mode 100644 installer/data/mysql/atomicupdate/bug_xxxxx-add-permission.perl diff --git a/installer/data/mysql/atomicupdate/bug_xxxxx-add-permission.perl b/installer/data/mysql/atomicupdate/bug_xxxxx-add-permission.perl new file mode 100644 index 0000000000..0918c27111 --- /dev/null +++ b/installer/data/mysql/atomicupdate/bug_xxxxx-add-permission.perl 
@@ -0,0 +1,13 @@
+$DBversion = 'XXX';
+if( CheckVersion( $DBversion ) ) {
+ $dbh->do(q|
+ INSERT IGNORE INTO permissions (module_bit, code, description) VALUES
+ (4, 'edit_borrowers', 'Add, modify and view patron information'),
+ (4, 'view_borrower_infos_from_any_libraries', 'View patron infos from any libraries');
+ |);
+
+ # We are lucky here, there is nothing else to do: flags 4-borrowers did not contain sub permissions
+
+ SetVersion( $DBversion );
+ print "Upgrade to $DBversion done (Bug XXXXX - Add the view_borrower_infos_from_any_libraries permission )\n";
+}
diff --git a/installer/data/mysql/userpermissions.sql b/installer/data/mysql/userpermissions.sql
index 172f4c6ea1..52adbceebf 100644
--- a/installer/data/mysql/userpermissions.sql
+++ b/installer/data/mysql/userpermissions.sql
@@ -7,6 +7,8 @@ INSERT INTO permissions (module_bit, code, description) VALUES
 ( 1, 'self_checkout', 'Perform self checkout at the OPAC. It should be used for the patron matching the AutoSelfCheckID'),
 ( 3, 'parameters_remaining_permissions', 'Remaining system parameters permissions'),
 ( 3, 'manage_circ_rules', 'Manage circulation rules'),
+ ( 4, 'edit_borrowers', 'Add, modify and view patron information'),
+ ( 4, 'view_borrower_infos_from_any_libraries', 'View patron infos from any libraries'),
 ( 6, 'place_holds', 'Place holds for patrons'),
 ( 6, 'modify_holds_priority', 'Modify holds priority'),
 ( 9, 'edit_catalogue', 'Edit catalog (Modify bibliographic/holdings data)'),
diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc
index be239a64d1..7dde923c15 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc
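Review bot: The comment `# We are lucky here, there is nothing else to do` in the new atomicupdate file leaves out what this upgrade means for access control: the INSERT only registers the two sub-permissions and changes no existing grant. Since flag 4 had no sub-permissions before, staff presumably hold the whole borrowers flag today and so keep access to patrons of every library after upgrading; the library-group restriction starts to apply only once an administrator moves an account to sub-permissions and withholds `view_borrower_infos_from_any_libraries`. I would state that in the comment, for example `# No grant changes here: accounts holding the whole borrowers flag keep access to patrons of all libraries until they are switched to sub-permissions`. The upgrade message also still prints the placeholder `Bug XXXXX` although the subject names Bug 18403.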
@@ -34,6 +34,8 @@
 [%- CASE 'self_checkout' -%]Perform self checkout at the OPAC. It should be used for the patron matching the AutoSelfCheckID
 [%- CASE 'manage_circ_rules' -%]manage circulation rules
 [%- CASE 'parameters_remaining_permissions' -%]Remaining system parameters permissions
+ [%- CASE 'edit_borrowers' -%]Add, modify and view patron information
+ [%- CASE 'view_borrower_infos_from_any_libraries' -%]View patron infos from any libraries. If not set the logged in user could only access patron infos from its own library or group of libraries.
 [%- CASE 'modify_holds_priority' -%]Modify holds priority
 [%- CASE 'place_holds' -%]Place holds for patrons
 [%- CASE 'delete_all_items' -%]Delete all items at once
-- 
2.39.5
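Review bot: The label for `view_borrower_infos_from_any_libraries` starts with "View", but the commit description says a user without this permission cannot search, show, edit or delete patrons outside their library group, so the text shown when granting it understates what it unlocks. An administrator could hand it out believing it is a read-only right; I would name the full scope and fix the grammar, e.g. `Access (search, view, edit, delete) patrons from any library. If not set, the logged-in user can only access patrons from their own library or group of libraries.`, with edit and delete presumably still depending on the user's other permissions. The shorter description `View patron infos from any libraries` in the two SQL hunks (the atomicupdate file and userpermissions.sql) should follow whatever wording is chosen. The CASE list this hunk extends starts and ends outside the hunk.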