[Koha-bugs] [Bug 5986] New: Inconsistent handling of patron deletion permission
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Tue Mar 29 14:28:26 CEST 2011
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=5986
Bug #: 5986
Summary: Inconsistent handling of patron deletion permission
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: master
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: Patrons
AssignedTo: kyle.m.hall at gmail.com
ReportedBy: oleonard at myacpl.org
QAContact: koha-bugs at lists.koha-community.org
CC: gmcharlt at gmail.com
In some places the permission to delete patrons is governed by whether or not
the user has the "borrowers" permission set: "Add or modify borrowers." In
moremember.pl there is a different check governed by a "candeleteuser" variable
(line 386):
my $candeleteuser;
my $userenv = C4::Context->userenv;
if($userenv->{flags} % 2 == 1){
$candeleteuser = 1;
}elsif ( C4::Context->preference("IndependantBranches") ) {
$candeleteuser = ( $data->{'branchcode'} eq $userenv->{branch} );
}else{
if( C4::Auth::getuserflags(
$userenv->{flags},$userenv->{number})->{borrowers} ) {
$candeleteuser = 1;
}else{
$candeleteuser = 0;
}
}
This means that a user viewing a patron record on moremember.pl might have
different delete permissions than the same user viewing a patron record in
circulation or another patron-related page. A user prevented from deleting by
moremember.pl could switch to another page and delete from there.
--
Configure bugmail: http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
More information about the Koha-bugs
mailing list