From 4635b255ab98fdb4804c2bcb2f308ff722d7639c Mon Sep 17 00:00:00 2001 From: Alex Arnaud Date: Tue, 15 Dec 2015 14:11:54 +0100 Subject: [PATCH] Bug 15289 - borrowers permission allows to see patron's loans MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Test plan: - log with a user that have "borrowers" permission but not "Remaining circulation permissions" - go to a borrower's detail page (who has at least a loan) and click on "show checkouts" - check that you see loan(s) and that you can't renew and checkin - Do the same with a borrower that have "Remaining circulation permissions" - check that you see loan(s) and that you can renew and checkin Followed test plan. Works as expected. Signed-off-by: Marc Véron Signed-off-by: Kyle M Hall Signed-off-by: Brendan A Gallagher (cherry picked from commit eb5fca30aa7005afaa34d394e1115eead969271b) Signed-off-by: Julian Maurice --- .../prog/en/includes/checkouts-table.inc | 6 ++++-- .../intranet-tmpl/prog/en/includes/permissions.inc | 2 +- koha-tmpl/intranet-tmpl/prog/en/js/checkouts.js | 2 ++ .../prog/en/modules/members/moremember.tt | 1 + svc/checkouts | 11 +++++++---- 5 files changed, 15 insertions(+), 7 deletions(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/checkouts-table.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/checkouts-table.inc index 0c1a7f19e3..88d4e5c778 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/checkouts-table.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/checkouts-table.inc @@ -41,8 +41,10 @@ [% END %] [% END %] - - + [% IF ( CAN_user_circulate_circulate_remaining_permissions ) %] + + + [% END %] [% IF ( exports_enabled ) %] diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc index a4b63966f2..bf48595c17 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc +++ b/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc @@ -4,7 +4,7 @@ [%- CASE 'circulate' -%]Check out and check in items [%- CASE 'catalogue' -%]Required for staff login. Staff access, allows viewing of catalogue in staff client. [%- CASE 'parameters' -%]Manage Koha system settings (Administration panel) - [%- CASE 'borrowers' -%]Add or modify patrons + [%- CASE 'borrowers' -%]Add, modify and view patrons information [%- CASE 'permissions' -%]Set user permissions [%- CASE 'reserveforothers' -%]Place and modify holds for patrons [%- CASE 'editcatalogue' -%]Edit catalog (Modify bibliographic/holdings data) diff --git a/koha-tmpl/intranet-tmpl/prog/en/js/checkouts.js b/koha-tmpl/intranet-tmpl/prog/en/js/checkouts.js index 9dae4d8012..1269013300 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/js/checkouts.js +++ b/koha-tmpl/intranet-tmpl/prog/en/js/checkouts.js @@ -295,6 +295,7 @@ $(document).ready(function() { }, { "bSortable": false, + "bVisible": AllowCirculate ? true : false, "mDataProp": function ( oObj ) { var content = ""; var span_style = ""; @@ -388,6 +389,7 @@ $(document).ready(function() { }, { "bSortable": false, + "bVisible": AllowCirculate ? true : false, "mDataProp": function ( oObj ) { if ( oObj.can_renew_error == "on_reserve" ) { return "" + ON_HOLD + ""; diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt index 97e547d7a8..802e35eb62 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt @@ -33,6 +33,7 @@ var theme = "[% theme %]"; var borrowernumber = "[% borrowernumber %]"; var branchcode = "[% branch %]"; var exports_enabled = "[% exports_enabled %]"; +var AllowCirculate = [% (CAN_user_circulate_circulate_remaining_permissions)? 1 : 0 %] var AllowRenewalLimitOverride = [% (CAN_user_circulate_override_renewals && AllowRenewalLimitOverride)? 1: 0 %]; var script = "moremember"; var relatives_borrowernumbers = new Array(); diff --git a/svc/checkouts b/svc/checkouts index cff2561a3f..93a1c9528c 100755 --- a/svc/checkouts +++ b/svc/checkouts @@ -23,7 +23,7 @@ use warnings; use CGI; use JSON qw(to_json); -use C4::Auth qw(check_cookie_auth); +use C4::Auth qw(check_cookie_auth haspermission get_session); use C4::Biblio qw(GetMarcBiblio GetFrameworkCode GetRecordValue ); use C4::Circulation qw(GetIssuingCharges CanBookBeRenewed GetRenewCount GetSoonestRenewDate); use C4::Koha qw(GetAuthorisedValueByCode); @@ -35,10 +35,13 @@ use Koha::DateUtils; my $input = new CGI; my ( $auth_status, $sessionID ) = - check_cookie_auth( $input->cookie('CGISESSID'), - { circulate => 'circulate_remaining_permissions' } ); + check_cookie_auth( $input->cookie('CGISESSID')); -if ( $auth_status ne "ok" ) { +my $session = get_session($sessionID); +my $userid = $session->param('id'); + +unless (haspermission($userid, { circulate => 'circulate_remaining_permissions' }) + || haspermission($userid, { borrowers => '*' })) { exit 0; } -- 2.39.5