[Bug 41269] New: Patrons subpermissions should be fetched with borrowernumber instead of userid
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 Bug ID: 41269 Summary: Patrons subpermissions should be fetched with borrowernumber instead of userid Initiative type: --- Sponsorship --- status: Product: Koha Version: Main Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: emmi.takkinen@koha-suomi.fi QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org In Koha-Suomi libraries we use cardnumbers as userids. This is done with a database trigger which sets cardnumber as userid when user is saved to database. Mostly this works well, but occasionally we have faced problems with patrons seemingly having no subpermissions. Patrons subpermissions are fetched from database with method get_user_subpermissions based on their userid. So even if they are saved in database they are not displayed in Koha's UI if userid is missing. While this isn't a major problem it can be confusing for staff members if they have accidentally created a patron without cardnumber/userid and then try to save permissions for them which seemingly are not saved. Also full permissions for patrons are still displayed normally so for consistency it would be logical to use borrowernumber to fetch subpermissions instead of userid. Method get_user_subpermissions is used in two places, member-flags.pl to fetch subpermissions and about.pl to check that SCO patron doesn't have extra permissions. As far as I can see changing it to use patrons borrowernumber shouldn't have any dramatic side effects. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 Emmi Takkinen <emmi.takkinen@koha-suomi.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |normal -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 Emmi Takkinen <emmi.takkinen@koha-suomi.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff Assignee|koha-bugs@lists.koha-commun |emmi.takkinen@koha-suomi.fi |ity.org | --- Comment #1 from Emmi Takkinen <emmi.takkinen@koha-suomi.fi> --- Created attachment 190103 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=190103&action=edit Bug 41269: Use borrowernumber to fetch patrons subpermissions Koha currently fetches patrons subpermissions with userid in method get_user_subpermissions. If for some reason patron doesn't have userid their subpermissions aren't displayed on Koha UI. Althougt this shouldn't really happen (unless there are some local use cases where userid can be empty), this method is only used to either display patrons subpermissions on page Set permissions or to check if SCO user only has SCO permissions. In both of these cases we can use patrons borrowernumber instead of userid since they check existing patrons permissions, not the ones for patron who is about to log into Koha. To test: 1. Apply this patch. 2. Enable sysprefs WebBasedSelfCheck and AutoSelfCheckAllowed and add some patrons userid to AutoSelfCheckID. 3. Make sure patron whose userid you used doesn't have permissions to use SCO and has other subpermissions instead. 4. Navigate to page About Koha>System infromation. => Confirm that warnings starting with "The patron used for the self-checkout..." are displayed. 5. Check patrons permissions. => Confirm that patrons subpermissions are displayed normally. Sponsored-by: Koha-Suomi Oy -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 Emmi Takkinen <emmi.takkinen@koha-suomi.fi> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |trivial -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #190103|0 |1 is obsolete| | --- Comment #2 from David Nind <david@davidnind.com> --- Created attachment 190875 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=190875&action=edit Bug 41269: Use borrowernumber to fetch patrons subpermissions Koha currently fetches patrons subpermissions with userid in method get_user_subpermissions. If for some reason patron doesn't have userid their subpermissions aren't displayed on Koha UI. Althougt this shouldn't really happen (unless there are some local use cases where userid can be empty), this method is only used to either display patrons subpermissions on page Set permissions or to check if SCO user only has SCO permissions. In both of these cases we can use patrons borrowernumber instead of userid since they check existing patrons permissions, not the ones for patron who is about to log into Koha. To test: 1. Apply this patch. 2. Enable sysprefs WebBasedSelfCheck and AutoSelfCheckAllowed and add some patrons userid to AutoSelfCheckID. 3. Make sure patron whose userid you used doesn't have permissions to use SCO and has other subpermissions instead. 4. Navigate to page About Koha>System infromation. => Confirm that warnings starting with "The patron used for the self-checkout..." are displayed. 5. Check patrons permissions. => Confirm that patrons subpermissions are displayed normally. Sponsored-by: Koha-Suomi Oy Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com Keywords| |release-notes-needed -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl --- Comment #3 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Emmi Takkinen from comment #0)
In Koha-Suomi libraries we use cardnumbers as userids. This is done with a database trigger which sets cardnumber as userid when user is saved to database.
This seems risky to me. We also have a similar mixup already in the code. (I am using a plugin to copy email address to userid btw.) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA --- Comment #4 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- git grep get_user_subpermissions C4/Auth.pm: get_all_subpermissions get_cataloguing_page_permissions get_user_subpermissions in_iprange C4/Auth.pm: my $user_subperms = get_user_subpermissions($userid); C4/Auth.pm:=head2 get_user_subpermissions C4/Auth.pm: $user_perm_hashref = get_user_subpermissions($userid); C4/Auth.pm:sub get_user_subpermissions { C4/Auth.pm:has the same structure as that of C<get_user_subpermissions>, about.pl:use C4::Auth qw( get_template_and_user get_user_subpermissions ); about.pl: my $all_permissions = C4::Auth::get_user_subpermissions($borrowernumber); members/member-flags.pl:use C4::Auth qw( get_template_and_user get_all_subpermissions get_user_subpermissions ); members/member-flags.pl: my $user_perms = get_user_subpermissions( $bor->{'borrowernumber'} ); It looks like you forgot some places. I do agree that it is more logical to look for borrowernumber btw, although we often tend to keep the parameters of such longstanding routines the same. Note that plugins and customizations etc might use them too and will need attention locally. So this needs to be communicated clearly and should stand out in the release notes. Perhaps add an additional dbrev to print a warn. Or just keep the userid? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |m.de.rooy@rijksmuseum.nl |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41269 --- Comment #5 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- And please add/adjust tests. -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org