[Bug 40396] New: Staff can no longer edit their own public lists without edit_public_list_contents
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 Bug ID: 40396 Summary: Staff can no longer edit their own public lists without edit_public_list_contents Change sponsored?: --- Product: Koha Version: 24.11 Hardware: All OS: All Status: NEW Keywords: regression Severity: normal Priority: P5 - low Component: Lists Assignee: koha-bugs@lists.koha-community.org Reporter: sbrown@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org CC: m.de.rooy@rijksmuseum.nl In 24.11, staff without edit_public_list_contents cannot edit their own public lists. To recreate: -Find or create a staff member with only the create_public_lists and use_public_lists permissions from the lists group -As that staff member, create a public list -Go to Lists, and click on the title of the list you just created in the Public lists tab -Note that you don't have the 'Add records' or 'Remove selected' options -Next, search the catalog and select one or more checkboxes from your results -Click 'Add to list', then select the public list you just created -Note the error message: "Error adding to list - Sorry, you do not have permission to add items to this list." -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 ayoung <ayoung@oslri.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ayoung@oslri.net --- Comment #1 from ayoung <ayoung@oslri.net> --- +1 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 Andrew Fuerste-Henry <andrew@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |andrew@bywatersolutions.com --- Comment #2 from Andrew Fuerste-Henry <andrew@bywatersolutions.com> --- The manual says: https://koha-community.org/manual/latest/en/html/lists.html#lists "Allow changes to contents from: decide who has permission to add or remove titles from the list Nobody: this will close the list to contributions Owner only: only you will be able to add or remove items from the list. If the list is public or shared, the OPAC users or sharers will not be able to change the list contents." https://koha-community.org/manual//latest/en/html/patrons.html#lists-lists "Important All staff members have permission to create, modify and delete their own lists. These permissions are only necessary if you’d like to give a staff member permission to edit or delete public lists that they have not created." We should always allow a list owner to edit the list, even if the list is public. The edit_public_lists permissions should only apply to public lists owned by others. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Hmm this is an interesting one. We've certainly got ourselves into a bit of a situation by having permissions at the borrower level, permissions at the list level, sysprefs like OpacAllowPublicListCreation which also shows that we have different permissions for 2 different interfaces (ie staff and OPAC), and sysprefs which touch both interfaces like "virtualshelves". I was looking at the list code recently as I was working on adding permissions for controlling Private Lists (bug 39372 and bug 39376), and the list code is... not great. -- Overall, we want to be able to restrict permissions, so that only authorized patrons can perform operations on private lists and public lists. To date, we've assumed that if "virtualshelves" is enabled, then anyone (staff or OPAC) is authorized at the borrower level to create private lists, and then there are the 5 list permissions which can be assigned to that. Over time, we've started adding more permissions around public lists for staff users. And as I write this out... I realise that they're trivial to bypass by just using the OPAC. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=39372 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=39376 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37052 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- For instance, if you have OpacAllowPublicListCreation enabled, anyone can create public lists. And according to ./installer/data/mysql/mandatory/sysprefs.sql and installer/data/mysql/updatedatabase.pl that syspref defaults to Enabled. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- In theory we need the following: 1. Syspref to enable/disable Lists feature for staff interface 2. Syspref to enable/disable Lists feature for OPAC 3. Borrower permissions for individual operations for private lists and for public lists (regardless of interface) 4. List permissions for individual operations (like "Allow changes to contents from") for individual lists At the moment, we have a syspref that enables/disables the feature for both interfaces. We have borrower permissions that apply to public lists just in the staff interface. We have a syspref that provides pseudo-borrower permissions for public lists just in the OPAC. We do have the list permissions. -- To me... I think if you want to make changes to contents to public lists, you should have to have the "edit_public_list_contents" borrower permission regardless of the list permissions. The difficulty arises if you have "create_public_lists" and not "edit_public_list_contents", but... that's arguably just a user management problem. Not a permission problem. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Ideally, we'd replace OpacAllowPublicListCreation with the "create_public_lists" and "edit_public_list_contents" permissions too. The problem there is that we wouldn't want to assign these permissions individually to everyone using the OPAC. That's where RBAC (Role-Based Access Control) would be handy. If we could just create a permission policy that says "Anyone using the OPAC should be able to create public lists and edit them", and then the actual public lists they could edit would depend on the individual list's permissions. But... that'll take work. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- tl;dr I think that this is a growing pain and not a regression per se. If a staff user is editing the contents of a list, they need edit_public_list_contents. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 --- Comment #8 from David Cook <dcook@prosentient.com.au> --- (In reply to Andrew Fuerste-Henry from comment #2)
The manual says:
https://koha-community.org/manual/latest/en/html/lists.html#lists "Allow changes to contents from: decide who has permission to add or remove titles from the list
Nobody: this will close the list to contributions
Owner only: only you will be able to add or remove items from the list. If the list is public or shared, the OPAC users or sharers will not be able to change the list contents."
https://koha-community.org/manual//latest/en/html/patrons.html#lists-lists
"Important
All staff members have permission to create, modify and delete their own lists. These permissions are only necessary if you’d like to give a staff member permission to edit or delete public lists that they have not created."
We should always allow a list owner to edit the list, even if the list is public. The edit_public_lists permissions should only apply to public lists owned by others.
Of course, then I re-read the manual and I have to shake my head at past decisions... we've made increasingly poor decisions around new permissions in Koha. 'This permission gives the ability to change the contents of public lists that have the “Permitted staff only” permission.' It's so bizarre to have a list permission of "Permitted staff only" or "Staff only". -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=40392 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 Chip Halvorsen <Chip.Halvorsen@WestlakeLibrary.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |Chip.Halvorsen@WestlakeLibr | |ary.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396 Koha collecto <koha@collecto.ca> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |koha@collecto.ca -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org