From 435211adbc230514f4c0c370bbe8002dafa595af Mon Sep 17 00:00:00 2001
From: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Date: Mon, 22 Jan 2024 16:49:56 +0000
Subject: [PATCH] Bug 29509: Update swagger specification and add permissions
 to users

This patch removes the 'edit_borrowers', 'manage_bookings',
'lable_creator', 'routing' and 'order_manage' permissions from the list
of options in the patrons list endpoint.

We then assign the new 'list_borrowers' permission to any users who have
those removed permissions

Test plan
1) Apply patch and run the database update
2) Users with any of the permissions listed above should now also have
   the 'list_borrowers' permission too.
3) Check that patron searching continues to work from the various
   locations in the UI for the above affected users

Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net>

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
[EDIT] Incorporated second patch and removed 1<<4. 16 reads much better :)

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit 85ea79c45b6f95baee9ec955c6c09046808771b5)
Signed-off-by: Lucas Gass <lucas@bywatersolutions.com>
---
 api/v1/swagger/paths/patrons.yaml             |  5 --
 .../data/mysql/atomicupdate/bug_29509.pl      | 61 +++++++++++++++++++
 2 files changed, 61 insertions(+), 5 deletions(-)
 create mode 100755 installer/data/mysql/atomicupdate/bug_29509.pl

diff --git a/api/v1/swagger/paths/patrons.yaml b/api/v1/swagger/paths/patrons.yaml
index c35a390f36..cf05d748d8 100644
--- a/api/v1/swagger/paths/patrons.yaml
+++ b/api/v1/swagger/paths/patrons.yaml
@@ -401,11 +401,6 @@
     x-koha-authorization:
       permissions:
         - borrowers: "list_borrowers"
-        - borrowers: "edit_borrowers"
-        - circulate: "manage_bookings"
-        - tools: "label_creator"
-        - serials: "routing"
-        - acquisition: "order_manage"
   post:
     x-mojo-to: Patrons#add
     operationId: addPatron
diff --git a/installer/data/mysql/atomicupdate/bug_29509.pl b/installer/data/mysql/atomicupdate/bug_29509.pl
new file mode 100755
index 0000000000..a23d4ca0b0
--- /dev/null
+++ b/installer/data/mysql/atomicupdate/bug_29509.pl
@@ -0,0 +1,61 @@
+use Modern::Perl;
+use Array::Utils qw( array_minus );
+
+return {
+    bug_number  => "29509",
+    description => "Update users with list_borrowers permission where required",
+    up          => sub {
+        my ($args) = @_;
+        my ( $dbh, $out ) = @$args{qw(dbh out)};
+
+        # Users to exclude from update, (superlibrarians or borrowers flags)
+        my $sth = $dbh->prepare("SELECT borrowernumber FROM borrowers WHERE flags = 1 OR flags & 16");
+        $sth->execute();
+        my @exclusions = map { $_->[0] } @{ $sth->fetchall_arrayref };
+
+        # Prepare insert
+        my $insert_sth =
+            $dbh->prepare("INSERT IGNORE INTO user_permissions (borrowernumber, module_bit, code) VALUES (?, ?, ?)");
+
+        # Check for 'borrowers' or 'borrowers > edit_borrowers' permission
+        my $sth2 = $dbh->prepare("SELECT borrowernumber FROM user_permissions WHERE code = 'edit_borrowers'");
+        $sth2->execute();
+        my @edit_borrowers = map { $_->[0] } @{ $sth2->fetchall_arrayref };
+        my @reduced        = array_minus( @edit_borrowers, @exclusions );
+        my @rows_to_insert = ( map { [ $_, 4, "list_borrowers" ] } array_minus( @edit_borrowers, @exclusions ) );
+        foreach my $row (@rows_to_insert) { $insert_sth->execute( @{$row} ); }
+        say $out "list_borrowers added to all users with edit_borrowers";
+
+        # Check for 'circulate' or 'circulate > manage_bookings' permission
+        my $sth3 = $dbh->prepare("SELECT borrowernumber FROM user_permissions WHERE code = 'manage_bookings'");
+        $sth3->execute();
+        my @manage_bookings = map { $_->[0] } @{ $sth3->fetchall_arrayref };
+        @rows_to_insert = ( map { [ $_, 4, "list_borrowers" ] } array_minus( @manage_bookings, @exclusions ) );
+        foreach my $row (@rows_to_insert) { $insert_sth->execute( @{$row} ); }
+        say $out "list_borrowers added to all users with manage_bookings";
+
+        # Check for 'tools' or 'tools > label_creator' permission
+        my $sth4 = $dbh->prepare("SELECT borrowernumber FROM user_permissions WHERE code = 'label_creator'");
+        $sth4->execute();
+        my @label_creator = map { $_->[0] } @{ $sth4->fetchall_arrayref };
+        @rows_to_insert = ( map { [ $_, 4, "list_borrowers" ] } array_minus( @label_creator, @exclusions ) );
+        foreach my $row (@rows_to_insert) { $insert_sth->execute( @{$row} ); }
+        say $out "list_borrowers added to all users with label_creator";
+
+        # Check for 'serials' or 'serials > routing' permission
+        my $sth5 = $dbh->prepare("SELECT borrowernumber FROM user_permissions WHERE code = 'routing'");
+        $sth5->execute();
+        my @routing = map { $_->[0] } @{ $sth5->fetchall_arrayref };
+        @rows_to_insert = ( map { [ $_, 4, "list_borrowers" ] } array_minus( @routing, @exclusions ) );
+        foreach my $row (@rows_to_insert) { $insert_sth->execute( @{$row} ); }
+        say $out "list_borrowers added to all users with routing";
+
+        # Check for 'acquisitions' or 'acquisitions > order_manage' permission
+        my $sth6 = $dbh->prepare("SELECT borrowernumber FROM user_permissions WHERE code = 'order_manage'");
+        $sth6->execute();
+        my @order_manage = map { $_->[0] } @{ $sth6->fetchall_arrayref };
+        @rows_to_insert = ( map { [ $_, 4, "list_borrowers" ] } array_minus( @order_manage, @exclusions ) );
+        foreach my $row (@rows_to_insert) { $insert_sth->execute( @{$row} ); }
+        say $out "list_borrowers added to all users with order_manage";
+    },
+};
-- 
2.39.5