https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37258 Bug ID: 37258 Summary: Locked records can still be modified/deleted by an unauthorized librarian with merge and in advanced editor Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: minor Priority: P5 - low Component: Cataloging Assignee: koha-bugs@lists.koha-community.org Reporter: januszop@gmail.com QA Contact: testopia@bugs.koha-community.org CC: m.de.rooy@rijksmuseum.nl Depends on: 31791 Locked records can still be modified/deleted by an unauthorized librarian with merge and in advanced editor. Although the Edit record action is grayed out from the regular Edit pulldown, and also an attempt to open directly the basic editor (.../cgi-bin/koha/cataloguing/addbiblio.pl?biblionumber=<biblionumber>) results with Error 403 page, an unauthorized user is still able to modify/delete a locked record in several ways, including: 1. merge operation: if a locked record has been chosen as the destination (ref) record, fields can be inserted/deleted from it as a result of a merge and so modifying the locked record; 2. merge operation: if a locked record has NOT been chosen as the destination (ref) record, the locked record will be deleted; 3. a user cat launch directly the advanced editor (wit URL .../cgi-bin/koha/cataloguing/editor.pl#catalog/<biblionumber>) and save the modified version, with no respect for the lock status and edit_locked_records permission. Theoretically, such an a user could be restricted from using advanced editor, but this does not seem as a right way of solving this issue. And the merge path would still remain open. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31791 [Bug 31791] Add the ability to lock records to prevent modification through the Koha staff interface -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.