http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=5986 Bug #: 5986 Summary: Inconsistent handling of patron deletion permission Classification: Unclassified Change sponsored?: --- Product: Koha Version: master Platform: All OS/Version: All Status: NEW Severity: normal Priority: P5 Component: Patrons AssignedTo: kyle.m.hall@gmail.com ReportedBy: oleonard@myacpl.org QAContact: koha-bugs@lists.koha-community.org CC: gmcharlt@gmail.com In some places the permission to delete patrons is governed by whether or not the user has the "borrowers" permission set: "Add or modify borrowers." In moremember.pl there is a different check governed by a "candeleteuser" variable (line 386): my $candeleteuser; my $userenv = C4::Context->userenv; if($userenv->{flags} % 2 == 1){ $candeleteuser = 1; }elsif ( C4::Context->preference("IndependantBranches") ) { $candeleteuser = ( $data->{'branchcode'} eq $userenv->{branch} ); }else{ if( C4::Auth::getuserflags( $userenv->{flags},$userenv->{number})->{borrowers} ) { $candeleteuser = 1; }else{ $candeleteuser = 0; } } This means that a user viewing a patron record on moremember.pl might have different delete permissions than the same user viewing a patron record in circulation or another patron-related page. A user prevented from deleting by moremember.pl could switch to another page and delete from there. -- Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the QA Contact for the bug.