From cafaa26b4537fed3664f6dc658533d95912b5d6f Mon Sep 17 00:00:00 2001 
From: Galen Charlton Date: Thu, 10 Apr 2008 11:37:42 -0500 Subject: [PATCH] granular permissions - created DB tables First big commit in a project to add more granular staff user permissions to Koha. * Created two new database tables permissions: stores a list of defined permissions; each permission is to be interpreted as a child of a top-level permission defined in the existing user flags. For example, Tools (bit 13) now has a separate sub-permission for each individual tool. The columns are module_bit = FK referencing userflags.bit code = code, e.g., import_patrons description = e.g., "Import patron data" user_permissions: stores a list of the specific permissions that a staff user actually has. For example, if staff user 123 has only the 'import_patrons' subpermission of 'Tools' (module_bit = 13), that would be represented by having (123, 13, 'import_patrons') in user_permissions. user_permissions and borrowers.flags are now interpreted as follows (assuming the CheckSpecificUserPermissions syspref is ON): * If the appropriate bit (e.g., bit 13 for Tools) is set in borrowers.flags, the staff user can access all Tools functions. There should be no rows in user_permissions for that staff user and userflag bit combination. * If the bit is not set in borrowers.flags, but one or more rows are present in user_permissions for that staff user and bit combination, the staff user can access the specified sub-functions. * If the bit is not set in borrowers.flags and there are no rows in user_permissions for that staff user and bit combination, the user cannot access any of the functions. Note that this means that if a staff user can access all functions for a module (because the bit is set in borrowers.flags), the user will automatically be able to access any new subfunctions added to permissions by a database update. 
The columns are: borrowernumber = FK referencing borrowers.borrowernumber module_bit, code = FK referencing permissions * Added a new system preference, CheckSpecificUserPermissions If this system preference is ON, staff users can be assigned specific permissions which will be respected during authorization checks. If this system preference is OFF, the current userflags semantics will continue to apply. * Defined sub-permissions for Tools. The list of specific tools permissions is now: edit_news Write news for the OPAC and staff interfaces label_creator Create printable labels and barcodes from catalog and patron data edit_calendar Define days when the library is closed moderate_comments Moderate patron comments edit_notices Define notices edit_notice_status_triggers Set notice/status triggers for overdue items view_system_logs Browse the system logs inventory Perform inventory (stocktaking) of your catalogue stage_marc_import Stage MARC records into the reservoir manage_staged_marc Manage staged MARC records, including completing and reversing imports export_catalog Export bibliographic and holdings data import_patrons Import patron data delete_anonymize_patrons Delete old borrowers and anonymize circulation history (deletes borrower reading history) batch_upload_patron_images Upload patron images in batch or one at a time schedule_tasks Schedule tasks to run 
Signed-off-by: Joshua Ferraro
---
 admin/systempreferences.pl | 1 +
 .../data/mysql/en/mandatory/sysprefs.sql | 2 +
 .../mysql/en/mandatory/userpermissions.sql | 17 +++++++
 .../mysql/en/mandatory/userpermissions.txt | 1 +
 .../unimarc_standard_systemprefs.sql | 1 +
 .../fr-FR/1-Obligatoire/userpermissions.sql | 17 +++++++
 .../fr-FR/1-Obligatoire/userpermissions.txt | 1 +
 installer/data/mysql/kohastructure.sql | 21 +++++++++
 installer/data/mysql/updatedatabase.pl | 44 +++++++++++++++++++
 kohaversion.pl | 2 +-
 10 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 installer/data/mysql/en/mandatory/userpermissions.sql
 create mode 100644 installer/data/mysql/en/mandatory/userpermissions.txt
 create mode 100644 installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.sql
 create mode 100644 installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.txt
diff --git a/admin/systempreferences.pl b/admin/systempreferences.pl
index 37a30cf219..84d134b2ca 100755
--- a/admin/systempreferences.pl
+++ b/admin/systempreferences.pl
@@ -82,6 +82,7 @@ my %tabsysprefs;
 $tabsysprefs{SessionStorage}="Admin";
 $tabsysprefs{noItemTypeImages}="Admin";
 $tabsysprefs{OPACBaseURL}="Admin";
+ $tabsysprefs{CheckSpecificUserPermissions}="Admin";
 # Authorities
 $tabsysprefs{authoritysep}="Authorities";
diff --git a/installer/data/mysql/en/mandatory/sysprefs.sql b/installer/data/mysql/en/mandatory/sysprefs.sql
index 633f5f3be4..b7642ea3cd 100644
--- a/installer/data/mysql/en/mandatory/sysprefs.sql
+++ b/installer/data/mysql/en/mandatory/sysprefs.sql
@@ -181,3 +181,5 @@ INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES
 INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES('OAI-PMH:Subset','itemtype=\'BOOK\'','Restrict answer to matching raws of the biblioitems table (experimental)',NULL,'Free');
 INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES('OPACItemHolds','1','Allow OPAC users to place hold on specific items. If OFF, users can only request next available copy.','','YesNo');
+
+INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES('CheckSpecificUserPermissions','0','Check most specific staff user permissions',NULL,'YesNo');
diff --git a/installer/data/mysql/en/mandatory/userpermissions.sql b/installer/data/mysql/en/mandatory/userpermissions.sql
new file mode 100644
index 0000000000..8f7e1c391f
--- /dev/null
+++ b/installer/data/mysql/en/mandatory/userpermissions.sql
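Review bot: The explanation text on the added row, 'Check most specific staff user permissions', does not tell an administrator what turning the preference ON actually changes, while the commit message states the rule precisely. Suggest an explanation along the lines of `'If ON, a staff user without a module''s bit in borrowers.flags may still be granted individual sub-permissions of that module via user_permissions; if OFF, only borrowers.flags is consulted'`. The same string is inserted in the fr-FR unimarc_standard_systemprefs.sql hunk and in the updatedatabase.pl hunk, so all three should be changed together. The default of '0' keeps the existing userflags behaviour for upgraded installations, which is the right choice for an authorization change.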
@@ -0,0 +1,17 @@
+INSERT INTO permissions (module_bit, code, description) VALUES
+ (13, 'edit_news', 'Write news for the OPAC and staff interfaces'),
+ (13, 'label_creator', 'Create printable labels and barcodes from catalog and patron data'),
+ (13, 'edit_calendar', 'Define days when the library is closed'),
+ (13, 'moderate_comments', 'Moderate patron comments'),
+ (13, 'edit_notices', 'Define notices'),
+ (13, 'edit_notice_status_triggers', 'Set notice/status triggers for overdue items'),
+ (13, 'view_system_logs', 'Browse the system logs'),
+ (13, 'inventory', 'Perform inventory (stocktaking) of your catalogue'),
+ (13, 'stage_marc_import', 'Stage MARC records into the reservoir'),
+ (13, 'manage_staged_marc', 'Managed staged MARC records, including completing and reversing imports'),
+ (13, 'export_catalog', 'Export bibliographic and holdings data'),
+ (13, 'import_patrons', 'Import patron data'),
+ (13, 'delete_anonymize_patrons', 'Delete old borrowers and anonymize circulation history (deletes borrower reading history)'),
+ (13, 'batch_upload_patron_images', 'Upload patron images in batch or one at a time'),
+ (13, 'schedule_tasks', 'Schedule tasks to run')
+;
diff --git a/installer/data/mysql/en/mandatory/userpermissions.txt b/installer/data/mysql/en/mandatory/userpermissions.txt
new file mode 100644
index 0000000000..59b7ce1b19
--- /dev/null
+++ b/installer/data/mysql/en/mandatory/userpermissions.txt
@@ -0,0 +1 @@
+Detailed staff user permissions
diff --git a/installer/data/mysql/fr-FR/1-Obligatoire/unimarc_standard_systemprefs.sql b/installer/data/mysql/fr-FR/1-Obligatoire/unimarc_standard_systemprefs.sql
index 5d21fa2afd..647c9a58fb 100644
--- a/installer/data/mysql/fr-FR/1-Obligatoire/unimarc_standard_systemprefs.sql
+++ b/installer/data/mysql/fr-FR/1-Obligatoire/unimarc_standard_systemprefs.sql
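Review bot: The description for 'manage_staged_marc' reads 'Managed staged MARC records, ...' where the commit message has 'Manage staged MARC records, ...'; the verb form in the data row looks like a typo, `(13, 'manage_staged_marc', 'Manage staged MARC records, including completing and reversing imports'),`. The identical row appears in the fr-FR userpermissions.sql hunk and in the INSERT inside the updatedatabase.pl hunk, so it needs fixing in all three places. Having this seed list duplicated verbatim in three files already shows how easily they can drift; if the installer framework allows it, loading the same file from the upgrade step would keep the permission catalogue in one place.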
@@ -183,3 +183,4 @@ INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES
 INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES('CircControl',"ItemHomeLibrary",'Précise la bibliothèque qui contrôle les règles de prêt et d''amende',"PickupLibrary|PatronLibrary|ItemHomeLibrary",'Choice');
 INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES('OPACItemHolds','1','Si activé, les adhérents peuvent placer des réservations sur un exemplaire spécifique. Sinon, il ne peuvent que réserver le prochain disponible.','','YesNo');
+INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES('CheckSpecificUserPermissions','0','Check most specific staff user permissions',NULL,'YesNo');
diff --git a/installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.sql b/installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.sql
new file mode 100644
index 0000000000..8f7e1c391f
--- /dev/null
+++ b/installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.sql
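Review bot: The explanation added to the fr-FR preferences file is in English, while the surrounding rows ('Précise la bibliothèque ...', 'Si activé, les adhérents ...') are French; the same applies to every description in the fr-FR userpermissions.sql hunk that follows, which is a byte-for-byte copy of the English file (same blob id). If no translation is available yet, a `-- TODO: translate` comment at the top of the fr-FR userpermissions.sql file would at least mark the gap for the French maintainers.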
@@ -0,0 +1,17 @@
+INSERT INTO permissions (module_bit, code, description) VALUES
+ (13, 'edit_news', 'Write news for the OPAC and staff interfaces'),
+ (13, 'label_creator', 'Create printable labels and barcodes from catalog and patron data'),
+ (13, 'edit_calendar', 'Define days when the library is closed'),
+ (13, 'moderate_comments', 'Moderate patron comments'),
+ (13, 'edit_notices', 'Define notices'),
+ (13, 'edit_notice_status_triggers', 'Set notice/status triggers for overdue items'),
+ (13, 'view_system_logs', 'Browse the system logs'),
+ (13, 'inventory', 'Perform inventory (stocktaking) of your catalogue'),
+ (13, 'stage_marc_import', 'Stage MARC records into the reservoir'),
+ (13, 'manage_staged_marc', 'Managed staged MARC records, including completing and reversing imports'),
+ (13, 'export_catalog', 'Export bibliographic and holdings data'),
+ (13, 'import_patrons', 'Import patron data'),
+ (13, 'delete_anonymize_patrons', 'Delete old borrowers and anonymize circulation history (deletes borrower reading history)'),
+ (13, 'batch_upload_patron_images', 'Upload patron images in batch or one at a time'),
+ (13, 'schedule_tasks', 'Schedule tasks to run')
+;
diff --git a/installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.txt b/installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.txt
new file mode 100644
index 0000000000..59b7ce1b19
--- /dev/null
+++ b/installer/data/mysql/fr-FR/1-Obligatoire/userpermissions.txt
@@ -0,0 +1 @@
+Detailed staff user permissions
diff --git a/installer/data/mysql/kohastructure.sql b/installer/data/mysql/kohastructure.sql
index 834bb1f6b2..2b18bb9080 100644
--- a/installer/data/mysql/kohastructure.sql
+++ b/installer/data/mysql/kohastructure.sql
@@ -2011,6 +2011,16 @@ CREATE TABLE language_script_mapping (
 KEY `language_subtag` (`language_subtag`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+DROP TABLE IF EXISTS `permissions`;
+CREATE TABLE `permissions` (
+ `module_bit` int(11) NOT NULL DEFAULT 0,
+ `code` varchar(30) DEFAULT NULL,
+ `description` varchar(255) DEFAULT NULL,
+ PRIMARY KEY (`module_bit`, `code`),
+ CONSTRAINT `permissions_ibfk_1` FOREIGN KEY (`module_bit`) REFERENCES `userflags` (`bit`)
+ ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
 DROP TABLE IF EXISTS serialitems;
 CREATE TABLE serialitems (
 serialid int(11) NOT NULL,
@@ -2018,6 +2028,17 @@ CREATE TABLE serialitems (
 UNIQUE KEY `serialididx` (`serialid`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+DROP TABLE IF EXISTS `user_permissions`;
+CREATE TABLE `user_permissions` (
+ `borrowernumber` int(11) NOT NULL DEFAULT 0,
+ `module_bit` int(11) NOT NULL DEFAULT 0,
+ `code` varchar(30) DEFAULT NULL,
+ CONSTRAINT `user_permissions_ibfk_1` FOREIGN KEY (`borrowernumber`) REFERENCES `borrowers` (`borrowernumber`)
+ ON DELETE CASCADE ON UPDATE CASCADE,
+ CONSTRAINT `user_permissions_ibfk_2` FOREIGN KEY (`module_bit`, `code`) REFERENCES `permissions` (`module_bit`, `code`)
+ ON DELETE CASCADE ON UPDATE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
 /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
 /*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
 /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
diff --git a/installer/data/mysql/updatedatabase.pl b/installer/data/mysql/updatedatabase.pl
index b82d9f1a0e..58e7a45b43 100755
--- a/installer/data/mysql/updatedatabase.pl
+++ b/installer/data/mysql/updatedatabase.pl
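Review bot: `user_permissions` (second hunk) has no primary key or unique index, and its `code` column is `DEFAULT NULL`, so a row like (borrower, 13, NULL) is accepted — InnoDB does not check a foreign key when any referencing column is NULL, so `user_permissions_ibfk_2` will not reject it — and the same (borrower, bit, code) triple can be stored any number of times. Under the rule in the commit message, where the presence of rows for a staff user and module bit is what grants access, a NULL-code row is a grant that names no permission, and duplicate rows make a revocation that deletes one row silently leave the grant in place; an authorization table should make both states unrepresentable. Suggest `` `code` varchar(30) NOT NULL, `` in both tables and `` PRIMARY KEY (`borrowernumber`, `module_bit`, `code`), `` on `user_permissions`; in `permissions` (first hunk) `code` is already part of the PRIMARY KEY, so MySQL will make it NOT NULL anyway and the explicit `DEFAULT NULL` is misleading. The same two definitions are repeated in the updatedatabase.pl hunk and must be changed in step.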
@@ -1230,6 +1230,50 @@ if (C4::Context->preference("Version") < TransformToNum($DBversion)) {
 SetVersion ($DBversion);
 }
+$DBversion = "3.00.00.068";
+if (C4::Context->preference("Version") < TransformToNum($DBversion)) {
+ $dbh->do("CREATE TABLE `permissions` (
+ `module_bit` int(11) NOT NULL DEFAULT 0,
+ `code` varchar(30) DEFAULT NULL,
+ `description` varchar(255) DEFAULT NULL,
+ PRIMARY KEY (`module_bit`, `code`),
+ CONSTRAINT `permissions_ibfk_1` FOREIGN KEY (`module_bit`) REFERENCES `userflags` (`bit`)
+ ON DELETE CASCADE ON UPDATE CASCADE
+ ) ENGINE=InnoDB DEFAULT CHARSET=utf8");
+ $dbh->do("CREATE TABLE `user_permissions` (
+ `borrowernumber` int(11) NOT NULL DEFAULT 0,
+ `module_bit` int(11) NOT NULL DEFAULT 0,
+ `code` varchar(30) DEFAULT NULL,
+ CONSTRAINT `user_permissions_ibfk_1` FOREIGN KEY (`borrowernumber`) REFERENCES `borrowers` (`borrowernumber`)
+ ON DELETE CASCADE ON UPDATE CASCADE,
+ CONSTRAINT `user_permissions_ibfk_2` FOREIGN KEY (`module_bit`, `code`)
+ REFERENCES `permissions` (`module_bit`, `code`)
+ ON DELETE CASCADE ON UPDATE CASCADE
+ ) ENGINE=InnoDB DEFAULT CHARSET=utf8");
+
+ $dbh->do("INSERT INTO permissions (module_bit, code, description) VALUES
+ (13, 'edit_news', 'Write news for the OPAC and staff interfaces'),
+ (13, 'label_creator', 'Create printable labels and barcodes from catalog and patron data'),
+ (13, 'edit_calendar', 'Define days when the library is closed'),
+ (13, 'moderate_comments', 'Moderate patron comments'),
+ (13, 'edit_notices', 'Define notices'),
+ (13, 'edit_notice_status_triggers', 'Set notice/status triggers for overdue items'),
+ (13, 'view_system_logs', 'Browse the system logs'),
+ (13, 'inventory', 'Perform inventory (stocktaking) of your catalogue'),
+ (13, 'stage_marc_import', 'Stage MARC records into the reservoir'),
+ (13, 'manage_staged_marc', 'Managed staged MARC records, including completing and reversing imports'),
+ (13, 'export_catalog', 'Export bibliographic and holdings data'),
+ (13, 'import_patrons', 'Import patron data'),
+ (13, 'delete_anonymize_patrons', 'Delete old borrowers and anonymize circulation history (deletes borrower reading history)'),
+ (13, 'batch_upload_patron_images', 'Upload patron images in batch or one at a time'),
+ (13, 'schedule_tasks', 'Schedule tasks to run')");
+
+ $dbh->do("INSERT INTO `systempreferences` (variable,value,explanation,options,type) VALUES('CheckSpecificUserPermissions','0','Check most specific staff user permissions',NULL,'YesNo')");
+
+ print "Upgrade to $DBversion done (adding permissions and user_permissions tables and CheckSpecificUserPermissions syspref) ";
+ SetVersion ($DBversion);
+}
+
 =item DropAllForeignKeys($table)
 Drop all foreign keys of the table $table
diff --git a/kohaversion.pl b/kohaversion.pl
index b41e3adf01..6a677517d5 100644
--- a/kohaversion.pl
+++ b/kohaversion.pl
@@ -10,7 +10,7 @@ use strict;
 sub kohaversion {
- our $VERSION = "3.00.00.067";
+ our $VERSION = "3.00.00.068";
 # version needs to be set this way
 # so that it can be picked up by Makefile.PL
 # during install
-- 
2.39.2
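Review bot: None of the four `$dbh->do(...)` calls in the 3.00.00.068 step checks its return value, yet `SetVersion ($DBversion)` runs unconditionally afterwards, so if either CREATE TABLE fails (for instance because the foreign key to `userflags` (`bit`) cannot be created) the database is stamped as 3.00.00.068 without the tables that the new CheckSpecificUserPermissions checks depend on, and a re-run of the upgrade will skip the step. Whether `$dbh` was opened with RaiseError is outside this hunk; if it was not, each call should be guarded, e.g. `$dbh->do("CREATE TABLE ...") or die "3.00.00.068: " . $dbh->errstr;`, so the version is only recorded after every statement succeeds. The two CREATE TABLE strings and the permissions INSERT duplicate kohastructure.sql and userpermissions.sql, and already carry the same issues noted there (nullable `code`, no primary key on `user_permissions`, the 'Managed staged' typo), so any fix to those files must be mirrored here.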