[Koha-bugs] [Bug 7290] new permission for receiving
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Mon Mar 23 08:01:20 CET 2015
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=7290
Katrin Fischer <katrin.fischer at bsz-bw.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|Signed Off |Failed QA
--- Comment #57 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
Hm, some thoughts on permission management in acq for the parcel list:
- I have removed all _all permissions from my staff patron
- I have set AcqViewBaskets to 'created or managed by staff member'
I can't access a basket now, that belongs to another library and was also
created by another staff user than me.
But: On the parcel page, I can still see all the information about the orders.
I can't receive them (good!), but I can still delete and transfer the orders
(not good!)
Thinking about big libraries and the need to hide information from others, I
feel like there should be a combination of permissions here, that results in me
not seeing the order lines of other libraries at all.
I'd expect the combination above should do it, but it doesn't.
When I also remove the 'order_manage' permission, I get a permission error on
clicking 'transfer' and 'delete' - but the links shouldn't be showing in the
first place.
I think the current situation is not very good here :(
The feature itself seems to be working ok, only found a small bug so far:
Manipulating the URL to gain access to an order I cannot receive it displays a
nice error message, but there is a small error in the heading on the page:
Receive items from : Books Books Books [HASH(0x530f938)] (order #138)
Waiting for the follow-ups and giving the permission problem some more thought.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list