[Koha-bugs] [Bug 18403] Hide patron information if not part of the logged in user library group

bugzilla-daemon at bugs.koha-community.org
Mon Feb 12 20:33:51 CET 2018


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18403

--- Comment #69 from Jonathan Druart <jonathan.druart at bugs.koha-community.org> ---
Created attachment 71506 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=71506&action=edit
Bug 18403: Add sub output_and_exit_if_error - unknown_patron & cannot_see_patron_infos

Test plan:
Log in with a patron that is not allowed to see patron's information for patrons
outside of his group. Try to access patron's information from scripts of the
patron module (members/*) and circ/circulation.pl.
You should be able to access patron's information of patrons outside of your
group and get "You are not allowed to see the information of this patron."
If you try and access a patron page with a borrowernumber that does not exist,
you should get "This patron does not exist"

Technical note:
A new C4::Output subroutine is created in this patch:
"output_and_exit_if_error"
Executed at the beginning of the script, it will permit us not to copy/paste all
the different checks to know if the logged in user is authorised to see patron's
information.
The design here can be discussed, but I did not find an alternative with as
few changes.
On the way I refactor what we did with 'unknowuser' previously: it will now
work with all patron pages, not only the few that used it.
Note that the 'or die "Not logged in";' part should not be needed, but... who
trusts C4::Auth?
I think it could be used as a safeguard later. I am willing to sed and remove
them if required.

Changes in discharge.pl are mainly indentation changes.

With this patch we should now have a $patron variable that refers to the patron
we want to access. That will be very useful to remove plenty of code in
members/* and only pass this variable to the template (instead of 1 variable per
patron's attribute).

Signed-off-by: Jon McGowan <jon.mcgowan at ptfs-europe.com>

Signed-off-by: Jonathan Druart <jonathan.druart at bugs.koha-community.org>

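A minimal sketch of the pattern the technical note describes: one guard called at the top of every patron script, returning an error key before any patron data is read. This is an added example, not Koha's code or the patch's `output_and_exit_if_error`; the function names, the `not_logged_in` key, the `view_any_library` flag and the sample data are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not Koha code. All names and data here are constructed.
use strict;
use warnings;

# Constructed sample data: patrons, and the group each library belongs to.
my %PATRONS = (
    1 => { name => 'Staff A',  library => 'CPL' },
    2 => { name => 'Patron B', library => 'CPL' },
    3 => { name => 'Patron C', library => 'MPL' },
);
my %GROUP_OF = ( CPL => 'north', FPL => 'north', MPL => 'south' );

# Hypothetical visibility rule: same library group, unless the viewer may see everyone.
sub can_see_patron {
    my ( $viewer, $patron ) = @_;
    return 1 if $viewer->{view_any_library};
    my $viewer_group = $GROUP_OF{ $viewer->{library} };
    my $patron_group = $GROUP_OF{ $patron->{library} };
    # A library with no group matches nothing, so the check fails closed.
    return ( defined $viewer_group && defined $patron_group
          && $viewer_group eq $patron_group ) ? 1 : 0;
}

# Single guard: returns an error key, or nothing when the page may render.
# Order matters: session first, then existence, then visibility.
sub patron_access_error {
    my ( $viewer, $borrowernumber ) = @_;
    return 'not_logged_in' unless $viewer;
    my $patron = defined $borrowernumber ? $PATRONS{$borrowernumber} : undef;
    return 'unknown_patron'          unless $patron;
    return 'cannot_see_patron_infos' unless can_see_patron( $viewer, $patron );
    return;
}

# What each script does before touching any patron data.
sub render_patron_page {
    my ( $viewer, $borrowernumber ) = @_;
    if ( my $error = patron_access_error( $viewer, $borrowernumber ) ) {
        return "blocked: $error";    # a real script would output the error page and exit
    }
    return "details for $PATRONS{$borrowernumber}{name}";
}

my $staff = $PATRONS{1};
print render_patron_page( $staff, 2 ),  "\n";    # patron in the same group
print render_patron_page( $staff, 3 ),  "\n";    # patron in another group
print render_patron_page( $staff, 99 ), "\n";    # borrowernumber that does not exist
print render_patron_page( undef,  2 ),  "\n";    # no logged in user
```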