[Bug 29509] New: GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Bug ID: 29509 Summary: GET /patrons* routes permissions excessive Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: REST API Assignee: koha-bugs@lists.koha-community.org Reporter: tomascohen@gmail.com The routes require full borrowers permissions, and that's not the case for Koha, generally. If required permissions were to be lowered, bug 29503 should be pushed first. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |29503 Status|NEW |In Discussion Assignee|koha-bugs@lists.koha-commun |tomascohen@gmail.com |ity.org | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|29503 |29506, 29510 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29506 [Bug 29506] objects.search should call search_limited if present https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29510 [Bug 29510] objects.find should call search_limited if present -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jonathan.druart+koha@gmail. | |com, | |katrin.fischer@bsz-bw.de, | |nick@bywatersolutions.com --- Comment #1 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Based on moremember.pl we could do { borrowers => 'edit_borrowers' }. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #2 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- I wondering how our changes to objects.search and objects.find might affect public routes and seeing ones owned data? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #3 from Tomás Cohen Arazi <tomascohen@gmail.com> --- (In reply to Martin Renvoize from comment #2)
I wondering how our changes to objects.search and objects.find might affect public routes and seeing ones owned data?
That's a good question. It probably highlights the search_limited methods are too staff side oriented. I did this: $ git grep 'sub search_limited' Koha/ArticleRequests.pm:sub search_limited { Koha/Patron/Discharge.pm:sub search_limited { Koha/Patrons.pm:sub search_limited { Koha/Reviews.pm:sub search_limited { It feels like safe for now. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Bug 29509 depends on bug 29506, which changed state. Bug 29506 Summary: objects.search should call search_limited if present https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29506 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #4 from Tomás Cohen Arazi <tomascohen@gmail.com> --- We need a new 'list_borrowers' subpermission. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |30055 --- Comment #5 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- (In reply to Tomás Cohen Arazi from comment #4)
We need a new 'list_borrowers' subpermission.
On top of bug 30055 please. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30055 [Bug 30055] Rewrite patron searches to make them use the REST API routes -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Bug 29509 depends on bug 30055, which changed state. Bug 30055 Summary: Rewrite some of the patron searches to make them use the REST API routes https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30055 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=32502 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=30230 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi from comment #4)
We need a new 'list_borrowers' subpermission.
That's my conclusion with bug 30230 as well. I was thinking "view_borrowers" but "list_borrowers" might be better. We'd need to add it to "member.pl" as well as that provides a page which calls the /patrons* routes to populate the data table. I think bug 29523 will become more and more relevant there as well... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- (In reply to Tomás Cohen Arazi from comment #4)
We need a new 'list_borrowers' subpermission.
I think we do, and we could retrospectively add it to any patron account that has "edit_borrowers" during the upgrade, so really there's no reason not to. I don't know why I didn't think to do this earlier in the release cycle... -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=35381 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #8 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- I am not sure I understand the difference between view and list, can you explain? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #9 from David Cook <dcook@prosentient.com.au> --- (In reply to Katrin Fischer from comment #8)
I am not sure I understand the difference between view and list, can you explain?
To me, I think "list" would align better with the REST API. It would be a permission that lets you GET a list of borrowers. For the patron detail page, I suppose that might be a list of 1 borrower conceptually... I suggested "view" since it implies a read-only permission but it doesn't really describe much beyond that? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|tomascohen@gmail.com |martin.renvoize@ptfs-europe | |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |35773 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35773 [Bug 35773] Cannot create bookings without circulation permissions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|35773 | Depends on| |35773 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35773 [Bug 35773] Cannot create bookings without circulation permissions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #10 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Can we be even clearer here somehow? i.e. should it be 'list_`something`_borrowers' (and whilst we're here can we swap out 'borrowers' for 'users' as it affect both borrowers and staff 'users'. The reason I add the 'something' in the middle is that I want it made clear this permission only allows the end api consumer to see the users they should be able to see (i.e. limited by library or library group depending on settings, vs the 'view_borrower_infos_from_any_library' option that expands that list significantly.. in theory at least) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #11 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- David goes ahead and adds the list_borrowers permission in bug 30230 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #12 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- We should use this bug to clean up the old permissions on the endpoint. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |30230 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30230 [Bug 30230] Search for patrons in checkout should not require edit_borrowers permission -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|In Discussion |ASSIGNED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #13 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 161256 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161256&action=edit Bug 29509: WIP - Start of DB and specification update -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #14 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Just some scaffolding to show what I'm planning here. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #15 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 161268 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161268&action=edit Bug 29509: Update swagger specification and add permissions to users This patch removes the 'edit_borrowers', 'manage_bookings', 'lable_creator', 'routing' and 'order_manage' permissions from the list of options in the patrons list endpoint. We then assign the new 'list_borrowers' permission to any users who have those removed permissions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #161268|0 |1 is obsolete| | --- Comment #16 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 161269 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161269&action=edit Bug 29509: Update swagger specification and add permissions to users This patch removes the 'edit_borrowers', 'manage_bookings', 'lable_creator', 'routing' and 'order_manage' permissions from the list of options in the patrons list endpoint. We then assign the new 'list_borrowers' permission to any users who have those removed permissions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #161269|0 |1 is obsolete| | --- Comment #17 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 161270 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161270&action=edit Bug 29509: Update swagger specification and add permissions to users This patch removes the 'edit_borrowers', 'manage_bookings', 'lable_creator', 'routing' and 'order_manage' permissions from the list of options in the patrons list endpoint. We then assign the new 'list_borrowers' permission to any users who have those removed permissions -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #161256|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #161270|0 |1 is obsolete| | --- Comment #18 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 161271 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161271&action=edit Bug 29509: Update swagger specification and add permissions to users This patch removes the 'edit_borrowers', 'manage_bookings', 'lable_creator', 'routing' and 'order_manage' permissions from the list of options in the patrons list endpoint. We then assign the new 'list_borrowers' permission to any users who have those removed permissions Test plan 1) Apply patch and run the database update 2) Users with any of the permissions listed above should now also have the 'list_borrowers' permission too. 3) Check that patron searching continues to work from the various locations in the UI for the above affected users -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin AUBEUT <martin.aubeut@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.aubeut@gmail.com --- Comment #19 from Martin AUBEUT <martin.aubeut@gmail.com> --- (In reply to Martin Renvoize from comment #18)
Created attachment 161271 [details] [review] Bug 29509: Update swagger specification and add permissions to users
This patch removes the 'edit_borrowers', 'manage_bookings', 'lable_creator', 'routing' and 'order_manage' permissions from the list of options in the patrons list endpoint.
We then assign the new 'list_borrowers' permission to any users who have those removed permissions
Test plan 1) Apply patch and run the database update 2) Users with any of the permissions listed above should now also have the 'list_borrowers' permission too. 3) Check that patron searching continues to work from the various locations in the UI for the above affected users
For your information, this is the routes {staff_url}/api/v1/patrons During the test plan, we needed more details about the locations related to : manage_bookings, lable_creator, routing, order_manage. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |Sandbox -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #20 from David Cook <dcook@prosentient.com.au> --- I think I like this idea. I don't love the idea of "implicit" permissions for list_borrowers for things like "circulation > manage_bookings", so good to be explicit. (And to add the permissions for current users so it's not a breaking change.) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #21 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- I'm keen to use hackfest to try to progress a bit on role based access control. Our current 0ermissions are frankly a bit of a mess with the split really not working well for the API in many cases. I'm envisaging a bit of a move to having a single list of crud based permissions for each endpoint and then using roles to group those permissions around functional requirements allowing permissions to be added as required to multiple roles and then roles assigned to end users, sometimes multiple roles. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |victor@tuxayo.net --- Comment #22 from Victor Grousset/tuxayo <victor@tuxayo.net> ---
2) Users with any of the permissions listed above should now also have the 'list_borrowers' permission too.
I took a borrower, gave them - catalogue - manage_bookings - edit_borrowers - order_manage - label_creator - routing to turn them info a librarian with the minimal permission for the tasks that relate to list_borrowers then - apply patch & dep - updatedatabase (dbrev printed as expected) - restart_all - opened the permission page they still don't have list_borrowers permission! :o Any idea about what could be missing? No reason for them to be caught in @exclusions so I don't know why they don't have the permission. ---
3) Check that patron searching continues to work from the various locations in the UI for the above affected users
For the next step when I'll be able to reach it, should I remove - manage_bookings - edit_borrowers - order_manage - label_creator - routing otherwise, that doesn't test at all that list_borrowers is really there. Vs just look at the permission page. Or maybe all the related features don't yet use list_borrowers? If they do use, then it's supposed to be already tested. But I don't mind double-checking if that looks relevant here. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Pedro Amorim <pedro.amorim@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |pedro.amorim@ptfs-europe.co | |m -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #161271|0 |1 is obsolete| | --- Comment #23 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 162579 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=162579&action=edit Bug 29509: Update swagger specification and add permissions to users This patch removes the 'edit_borrowers', 'manage_bookings', 'lable_creator', 'routing' and 'order_manage' permissions from the list of options in the patrons list endpoint. We then assign the new 'list_borrowers' permission to any users who have those removed permissions Test plan 1) Apply patch and run the database update 2) Users with any of the permissions listed above should now also have the 'list_borrowers' permission too. 3) Check that patron searching continues to work from the various locations in the UI for the above affected users -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #24 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 162580 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=162580&action=edit Bug 29509: Correction to bitwise check I was using it wrong :( -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #25 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Thanks for testing Victor.. you did indeed highlight an issue with my database update... (I always struggle with these bitwise ops) The follow-up corrects the DB update. No, don't remove those permissions from the users, they need to be left in place else the features are disabled entirely for the user. The permissions are removed from the api schema.. so the requirement is to perform a patron search from each of those features and confirm the patron search still works.. if it doesn't then the permission wasn't added correctly. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #162579|0 |1 is obsolete| | --- Comment #26 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Created attachment 162690 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=162690&action=edit Bug 29509: Update swagger specification and add permissions to users This patch removes the 'edit_borrowers', 'manage_bookings', 'lable_creator', 'routing' and 'order_manage' permissions from the list of options in the patrons list endpoint. We then assign the new 'list_borrowers' permission to any users who have those removed permissions Test plan 1) Apply patch and run the database update 2) Users with any of the permissions listed above should now also have the 'list_borrowers' permission too. 3) Check that patron searching continues to work from the various locations in the UI for the above affected users Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #162580|0 |1 is obsolete| | --- Comment #27 from Victor Grousset/tuxayo <victor@tuxayo.net> --- Created attachment 162691 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=162691&action=edit Bug 29509: Correction to bitwise check I was using it wrong :( Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Victor Grousset/tuxayo <victor@tuxayo.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off --- Comment #28 from Victor Grousset/tuxayo <victor@tuxayo.net> --- (In reply to Martin Renvoize from comment #25)
Thanks for testing Victor.. you did indeed highlight an issue with my database update... (I always struggle with these bitwise ops)
The follow-up corrects the DB update.
No, don't remove those permissions from the users, they need to be left in place else the features are disabled entirely for the user.
Oh right, I won't be able to get to the view that uses the search. --- It works! :) Testing notes: - manage_bookings: search a patron to make a booking - edit_borrowers: search a guarantor when editing a patron - order_manage: search a patron in the form for new order - label_creator: search a patron when creating a new batch - routing: search a patron as a recipient in the "create routing list" form -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Bug 29509 depends on bug 35773, which changed state. Bug 35773 Summary: Cannot create bookings without edit_borrowers, label_creator, routing or order_manage permissions https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35773 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA QA Contact| |m.de.rooy@rijksmuseum.nl CC| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #162690|0 |1 is obsolete| | --- Comment #29 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 164461 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=164461&action=edit Bug 29509: Update swagger specification and add permissions to users This patch removes the 'edit_borrowers', 'manage_bookings', 'lable_creator', 'routing' and 'order_manage' permissions from the list of options in the patrons list endpoint. We then assign the new 'list_borrowers' permission to any users who have those removed permissions Test plan 1) Apply patch and run the database update 2) Users with any of the permissions listed above should now also have the 'list_borrowers' permission too. 3) Check that patron searching continues to work from the various locations in the UI for the above affected users Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> [EDIT] Incorporated second patch and removed 1<<4. 16 reads much better :) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #162691|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #30 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- This still needs a bit of attention. If I add a user with Tools permission, he wont get the list_borrowers since you only check user_permissions. But you should also check flags. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #31 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Looking at the dbrev, I am wondering if we should do just one query instead of the whole bunch one at a time. Could be useful to print the number of added permissions? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #32 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Marcel de Rooy from comment #30)
This still needs a bit of attention.
If I add a user with Tools permission, he wont get the list_borrowers since you only check user_permissions. But you should also check flags.
Same for the others obviously. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #33 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 166280 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166280&action=edit Bug 29509: (QA follow-up) Check top level permissions too -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #34 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- It's beyond my brain to work out how to accomplish this in fewer SQL queries.. but I have resolved the lack of top level group permissions checking. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|Sandbox |rel_24_05_candidate -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Kyle M Hall <kyle@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #164461|0 |1 is obsolete| | Attachment #166280|0 |1 is obsolete| | --- Comment #35 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 169235 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169235&action=edit Bug 29509: Update swagger specification and add permissions to users This patch removes the 'edit_borrowers', 'manage_bookings', 'lable_creator', 'routing' and 'order_manage' permissions from the list of options in the patrons list endpoint. We then assign the new 'list_borrowers' permission to any users who have those removed permissions Test plan 1) Apply patch and run the database update 2) Users with any of the permissions listed above should now also have the 'list_borrowers' permission too. 3) Check that patron searching continues to work from the various locations in the UI for the above affected users Signed-off-by: Victor Grousset/tuxayo <victor@tuxayo.net> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> [EDIT] Incorporated second patch and removed 1<<4. 16 reads much better :) Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #36 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 169236 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169236&action=edit Bug 29509: (QA follow-up) Check top level permissions too Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #37 from Kyle M Hall <kyle@bywatersolutions.com> --- Created attachment 169237 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=169237&action=edit Bug 29509: (QA follow-up) Tidy atomic update Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |24.11.00 released in| | Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 --- Comment #38 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Thanks for all the hard work! Pushed to main for the next 24.11.00 release as RM Assistant -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|24.11.00 |24.11.00,24.05.04 released in| | Status|Pushed to main |Pushed to stable CC| |lucas@bywatersolutions.com --- Comment #39 from Lucas Gass <lucas@bywatersolutions.com> --- Backported to 24.05.x for upcoming 24.05.04 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|rel_24_05_candidate | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |Pushed to oldstable CC| |fridolin.somers@biblibre.co | |m Version(s)|24.11.00,24.05.04 |24.11.00,24.05.04,23.11.09 released in| | --- Comment #40 from Fridolin Somers <fridolin.somers@biblibre.com> --- Pushed to 23.11.x for 23.11.09 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 wainuiwitikapark@catalyst.net.nz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wainuiwitikapark@catalyst.n | |et.nz --- Comment #41 from wainuiwitikapark@catalyst.net.nz --- Not backporting to 23.05.x unless requested -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Bug 29509 depends on bug 29510, which changed state. Bug 29510 Summary: objects.find should call search_limited if present https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29510 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldoldoldstable |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to oldstable |Needs documenting --- Comment #42 from Wainui Witika-Park <wainuiwitikapark@catalyst.net.nz> --- Not backporting to 22.11 unless requested -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|Needs documenting |RESOLVED CC| |caroline.cyr-la-rose@inlibr | |o.com --- Comment #43 from Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> ---
From what I understand, this doesn't change anything in the features. Nothing to add/edit in the manual. Please reopen with more information if necessary.
-- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org