[Bug 28680] New: Staff without edit_borrower permission still see patron information
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 Bug ID: 28680 Summary: Staff without edit_borrower permission still see patron information Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Patrons Assignee: koha-bugs@lists.koha-community.org Reporter: bwsdonna@gmail.com QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com, kyle.m.hall@gmail.com The permission edit_borrowers specifies: Add, modify and view patron information. However, when that permission is not enabled, staff can view patron information in a number of places, including holds queue, circulation.pl, waitingreserves.pl, and pendingreserves.pl. In the Holds Queue staff can see patron name and other info for patrons at their library, but patrons from other libraries show "patron from central branch" etc. When looking at a bib record, if an item is checked out, only the borrower number is displayed. This should be consistent, where staff without that permission only see a borrower number and nothing else. To replicate, create a staff member with only permissions catalogue ( to log in) and circulate_remaining_permissions. Check out to a patron, see the holds queue, etc and see that the patron information is displayed. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 Donna <bwsdonna@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart+koha@gmail. | |com, | |nick@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #1 from David Cook <dcook@prosentient.com.au> --- I don't think that this really makes sense. Arguably "edit_borrowers" could be changed to just "add and modify" patron information, but if we want to restrict viewing patron information, then there should probably be a new permission to control that. Of course, that wouldn't be backwards compatible, so that probably wouldn't happen. Maybe a system preference in addition to a new permission I suppose... -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 George Williams (NEKLS) <george@nekls.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |george@nekls.org --- Comment #2 from George Williams (NEKLS) <george@nekls.org> --- I agree with Donna that, since the edit_borrowers permission says "Add, modify and view patron information" it should actually work that way. If, as David suggests, the wording in the description were changed, then I would want a separate permission that controls "view patron information" because we have staff at 50+ libraries that are currently restricted from viewing borrower address information that we need to continue to restrict from viewing address information. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- For what it's worth, off the top of my head, it would be a massive long expensive development with little chance of success to hide the borrower information as desired. I could be wrong, but that's my first instinct. I can also think of a few holes (like reports) that would probably be impossible to plug without completely rewriting entire modules in Koha, which would then break many workflows and expectations. But that's just my two cents. Someone else might have a good idea. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 Rebecca Coert <rcoert@arlingtonva.us> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |rcoert@arlingtonva.us -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 Lauren Denny <lauren_denny@sil.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lauren_denny@sil.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 Gretchen Maxeiner <maxeinergl@gcc.edu> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |maxeinergl@gcc.edu --- Comment #4 from Gretchen Maxeiner <maxeinergl@gcc.edu> --- This is an old ticket but we are still interested. We want to limit our student workers' ability to view the full patron information, and they have currently found several ways to get to it despite not having the edit_borrowers permission. Hoping to get this back on the radar as part of the current permissions projects. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lisette@bywatersolutions.co | |m --- Comment #5 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- We have discussed the new permissions concept at the hackfest and I think it will definitely split edit into edit and view (and probably also a list) for patrons. But if you can view a patron, you'd still see the full record I believe. Could you detail how this would work for you ideally? Should just the cardnumber be visible? What about verifying the identity of a patron - what would be needed for that? (name, photo?) -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 --- Comment #6 from Gretchen Maxeiner <maxeinergl@gcc.edu> --- In our case we would want student worker staff to have no view permissions; ideally they could search a patron but then would be directed to circulation.pl rather than moremember.pl once they select one. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37144 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28680 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- I've been more and more interested in this idea (as you can see on bug 37144). I think there's a few bug reports that suggest different ideas for this one. Ideally, it would be nice to configure who can see what particularly with patrons. Still more thinking and experimenting to do with this one I think. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org