https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37392 Bug ID: 37392 Summary: Edit item permission by library group is broken Change sponsored?: --- Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Cataloging Assignee: koha-bugs@lists.koha-community.org Reporter: katrin.fischer@bsz-bw.de QA Contact: testopia@bugs.koha-community.org CC: kyle@bywatersolutions.com, m.de.rooy@rijksmuseum.nl, martin.renvoize@ptfs-europe.com, tomascohen@gmail.com Depends on: 29523 The library groups allow to set up library groups within the staff users can edit each others items. This was introduced in 23.05, but is now broken in 23.11. It's not possible for a staff user to edit another libraries items now in some circumstances. Test plan: Set up library group: * Create a library group for library A + B * Action: Limit item editing by group Set up test user: * Create a staff patron with these permissions: * catalogue * fast_cataloguing * edit_items * view_borrower_infos_from_any_libraries * edit borrowers * Home library: library A Set up test items: * Create a record with 3 items with different home libraries: * A * B * C We expect the user will be allowed to edit A and B, but not C. Test: * Test editing the items with the test user, only A is allowed to be edited. * Remove the view_borrower_infos_from_any_libraries permission from test user. * Test editing items now behaves as expected: A + B are allowed, C is not. ----- After some digging to understand the change of behavior noticed between 23.05 and 23.11: I believe commit 2c502d32 to be the culprit. item.can_be_edit uses Patron::can_edit_item_from which calls can_see_things_from. The commit removed the library group specific code and introduced a call to libraries_where_can_see_patrons instead, probably assuming the thing was always a patron record. But here it is an item record. Thinking we should not use "thing" in method names without at least explaining what thing can be... Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29523 [Bug 29523] Add a way to prevent embedding objects that should not be allowed -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.