[Koha-bugs] [Bug 28975] New: Holds queue lists can show holds from all libraries even with IndependentBranches

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Sep 8 21:48:21 CEST 2021 

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28975

            Bug ID: 28975
           Summary: Holds queue lists can show holds from all libraries
                    even with IndependentBranches
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5 - low
         Component: Circulation
          Assignee: koha-bugs at lists.koha-community.org
          Reporter: caroline.cyr-la-rose at inlibro.com
        QA Contact: testopia at bugs.koha-community.org
                CC: gmcharlt at gmail.com, kyle.m.hall at gmail.com

When using IndependentBranches, usually all branches are removed from the
drop-down menus. But in the Holds Queue page, there is the possibility to
choose "All branches". From there, you can see holds for patrons from other
branches and even click on the names of the patrons to access their file and
see their information (!!).

To recreate :
1) Activate IndependentBranches, IndependentBranchesPatronModifications and
IndependentBranchesTransfers
2) Create a staff user with limited permissions (NOT a superlibrarian),
including holds permissions. Here are mine as an example
  - circulate (all)
  - catalogue
  - borrowers
    - delete_borrowers
    - edit_borrowers
  - reserveforothers (all)
  - reports (all)
3) Create (or make sure you already have) a patron in another branch (we'll
call them patron X)
4) Place a hold for patron X on an available item from their own library
5) Run misc/cronjobs/holds/build_holds_queue.pl
6) Go to Circulation > Holds queue and make sure you can see the hold
7) Log in as your limited staff patron
8) Go to Circulation > Holds queue
9) In the drop-down menu, choose "All" and click Submit
-- Patron X and their hold appear in the list
10) Click on patron X's name
-- You can access patron X's file and see their information

Superlibrarians should be able to select any library, but non-superlibrarians
should only be able to select their own library from the drop-down menu.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.

More information about the Koha-bugs mailing list