https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30230 --- Comment #25 from David Cook <dcook@prosentient.com.au> --- (In reply to Andrew Fuerste-Henry from comment #22)
I feel like this permission should be grouped with the other borrowers permissions, rather than set off as its own top-level permission.
+1 This needs to be in "permissions" and not "userflags". This is important for the UI and overall permission logic.
A couple of minor things seem off, though, both on the member.pl search results page: - clicking a patron name in the results list takes one to cgi-bin/koha/members/moremember.pl, a page one would otherwise not be able to access with only list_borrowers
It's a good point. I think list_borrowers should be able to go to the moremember.pl page, since "list_borrowers" basically means you can list all patrons and their information. But they shouldn't be able to update/delete. In general, Koha doesn't have very nuanced authorization, but I suppose in this case maybe we should be defining "flagsrequired" based on HTTP method. If it's a GET, then "list_borrowers" can be included. But if it's a POST or something else, it needs to only be "edit_borrowers".
- while on member.pl or moremember.pl as a user with only list_borrowers permission, the Search Patrons feature in the main search bar is only partially disabled -- the Search Patrons option still appears, but when it is selected the search box disappears, thereby preventing the search. This is a visually confusing approach and becomes more confusing if one clicks around between the options here, as the search box will reappear when something other than Search Patrons is selected. See the attached screenshot in which the interface is simultaneously indicating both Check Out and Search Patrons. Can we remove Search Patrons from this bar entirely if the user lacks that permission?
I'm not sure I understand what you're saying here... -- You are receiving this mail because: You are watching all bug changes.