[Koha-bugs] [Bug 30230] Search for patrons in checkout should not require edit_borrowers permission

bugzilla-daemon at bugs.koha-community.org
Fri Dec 1 00:01:59 CET 2023


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30230

--- Comment #25 from David Cook <dcook at prosentient.com.au> ---
(In reply to Andrew Fuerste-Henry from comment #22)
> I feel like this permission should be grouped with the other borrowers
> permissions, rather than set off as its own top-level permission.

+1

This needs to be in "permissions" and not "userflags". This is important for
the UI and overall permission logic.

> A couple of minor things seem off, though, both on the member.pl search
> results page:
>  - clicking a patron name in the results list takes one to
> cgi-bin/koha/members/moremember.pl, a page one would otherwise not be able
> to access with only list_borrowers

It's a good point.

I think list_borrowers should be able to go to the moremember.pl page, since
"list_borrowers" basically means you can list all patrons and their
information. But they shouldn't be able to update/delete. 

In general, Koha doesn't have very nuanced authorization, but I suppose in this
case maybe we should be defining "flagsrequired" based on HTTP method. If it's
a GET, then "list_borrowers" can be included. But if it's a POST or something
else, it needs to only be "edit_borrowers". 

> - while on member.pl or moremember.pl as a user with only list_borrowers
> permission, the Search Patrons feature in the main search bar is only
> partially disabled -- the Search Patrons option still appears, but when it
> is selected the search box disappears, thereby preventing the search. This
> is a visually confusing approach and becomes more confusing if one clicks
> around between the options here, as the search box will reappear when
> something other than Search Patrons is selected. See the attached screenshot
> in which the interface is simultaneously indicating both Check Out and
> Search Patrons. Can we remove Search Patrons from this bar entirely if the
> user lacks that permission?

I'm not sure I understand what you're saying here...

-- 
You are receiving this mail because:
You are watching all bug changes.
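
The method-based check suggested in comment #25, sketched as an added example that is not part of the original message and is not Koha's own code. The helper names and the shape of the granted-permissions hash are hypothetical; only the permission names list_borrowers and edit_borrowers come from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Read-only HTTP methods: either patron permission is sufficient.
# This is only safe if the script changes no state on GET/HEAD.
my %SAFE_METHOD = map { $_ => 1 } qw(GET HEAD);

# Return the "borrowers" subpermissions, any one of which is enough for
# the given HTTP method. Hypothetical helper, not a Koha function.
sub subpermissions_for_method {
    my ($method) = @_;
    $method = uc( $method // '' );
    return $SAFE_METHOD{$method}
        ? ( 'list_borrowers', 'edit_borrowers' )
        : ('edit_borrowers');    # POST, PUT, DELETE, unknown or missing
}

# $granted is a constructed structure: { borrowers => { subperm => 1 } }.
sub is_authorized {
    my ( $method, $granted ) = @_;
    my $have = $granted->{borrowers} // {};
    for my $needed ( subpermissions_for_method($method) ) {
        return 1 if $have->{$needed};
    }
    return 0;    # fail closed
}

# Constructed sample users.
my %users = (
    list_only => { borrowers => { list_borrowers => 1 } },
    editor    => { borrowers => { edit_borrowers => 1 } },
    no_patron => { catalogue => {} },
);

for my $user ( sort keys %users ) {
    for my $method ( 'GET', 'post', 'DELETE', undef ) {
        printf "%-10s %-8s %s\n", $user, $method // '(none)',
            is_authorized( $method, $users{$user} ) ? 'allow' : 'deny';
    }
}
```

In a CGI script the method would come from `$ENV{REQUEST_METHOD}`; a missing or unrecognised value falls through to the stricter edit_borrowers requirement.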

