From 015270c1be46c2227fdb58e41b7aab64cfd5dd53 Mon Sep 17 00:00:00 2001
From: Katrin Fischer <katrin.fischer.83@web.de>
Date: Sun, 20 May 2018 02:42:28 +0200
Subject: [PATCH] Bug 20793: Don't show a holds link in staff for users without
 permission

On the results list in staff the 'Holds (x)' link always shows
independent of the permissions of the staff user.

This patch tightens the permission checks on the result page
to explicitly check for the place_holds permission.

To test:
- Create a staff user with place_holds permission
- Check the result list, you should see 2 links to the
  holds page:
  - 'Place holds' on top of the results list
  - 'Holds (x)' at the bottom of each entry in the results
     list
  - Verify both links work
- Create a staff user without place_holds_permission
  - Without the patch you'll see the second link,
    but it will lead to a permission error
  - With the patch you'll still see the 'Holds (x)', but
    it will no longer be a link.
- Go to the detail page of a record with an existing hold.
  - Repeat test with both staff users.
  - One time the Hold information in the bibliographic information
    should show as a link, the other time as a simple text.

Displaying the information about existing holds still make sense
as this is the current beheviour.

Signed-off-by: Owen Leonard <oleonard@myacpl.org>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
(cherry picked from commit e98d4d30cad78715e613f833ed2356070f9985ad)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
---
 .../intranet-tmpl/prog/en/modules/catalogue/detail.tt  |  6 +++++-
 .../intranet-tmpl/prog/en/modules/catalogue/results.tt | 10 +++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
index ebef6a5b2f..03953840e9 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
@@ -111,7 +111,11 @@
             <span class="results_summary">
                 <span class="label">Holds:</span>
                 <span class="number_box">
-                    <a href="/cgi-bin/koha/reserve/request.pl?biblionumber=[% biblionumber %]">[% holdcount %]</a>
+                    [% IF CAN_user_reserveforothers_place_holds %]
+                        <a href="/cgi-bin/koha/reserve/request.pl?biblionumber=[% biblionumber %]">[% holdcount %]</a>
+                    [% ELSE %]
+                        [% holdcount %]
+                    [% END %]
                 </span>
             </span>
         [% END %]
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
index 44010fd9da..6f48f81800 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/results.tt
@@ -368,7 +368,7 @@ function holdForPatron() {
             [% END %]
 
 
-                [% IF ( CAN_user_reserveforothers && DisplayMultiPlaceHold ) %]
+                [% IF ( CAN_user_reserveforothers_place_holds && DisplayMultiPlaceHold ) %]
                 [% IF ( holdfor ) %]
                     <div id="placeholdc" class="btn-group">
                         <button class="btn btn-default btn-xs placehold"><i class="fa fa-sticky-note-o"></i> Place hold</button>
@@ -687,8 +687,12 @@ function holdForPatron() {
                             [% IF ( SEARCH_RESULT.norequests ) %]
                                 <span class="noholdstext">No holds allowed</span>
                             [% ELSE %]
-                                <a id="reserve_[% SEARCH_RESULT.biblionumber %]" href="/cgi-bin/koha/reserve/request.pl?biblionumber=[% SEARCH_RESULT.biblionumber %]">Holds ([% Biblio.HoldsCount( SEARCH_RESULT.biblionumber ) %])</a>
-                                [% IF ( holdfor ) %] <span class="holdforlink">| <a href="/cgi-bin/koha/reserve/request.pl?biblionumber=[% SEARCH_RESULT.biblionumber %]&amp;findborrower=[% holdfor_cardnumber %]">Place hold for [% holdfor_firstname %] [% holdfor_surname %] ([% holdfor_cardnumber %])</a></span>[% END %]
+                                [% IF CAN_user_reserveforothers_place_holds %]
+                                    <a id="reserve_[% SEARCH_RESULT.biblionumber %]" href="/cgi-bin/koha/reserve/request.pl?biblionumber=[% SEARCH_RESULT.biblionumber %]">Holds ([% Biblio.HoldsCount( SEARCH_RESULT.biblionumber ) %])</a>
+                                    [% IF ( holdfor ) %] <span class="holdforlink">| <a href="/cgi-bin/koha/reserve/request.pl?biblionumber=[% SEARCH_RESULT.biblionumber %]&amp;findborrower=[% holdfor_cardnumber %]">Place hold for [% holdfor_firstname %] [% holdfor_surname %] ([% holdfor_cardnumber %])</a></span>[% END %]
+                                [% ELSE %]
+                                    Holds ([% Biblio.HoldsCount( SEARCH_RESULT.biblionumber ) %])
+                                [% END %]
                             [% END %]
 
                                 [% IF Koha.Preference('intranetbookbag') == 1 %]
-- 
2.39.5