[Koha-bugs] [Bug 22868] Circulation staff with suggestions_manage can have access to acquisition data

Wed Jan 29 23:36:48 CET 2020

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=22868

Katrin Fischer <katrin.fischer at bsz-bw.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #97951|0                           |1
        is obsolete|                            |

--- Comment #27 from Katrin Fischer <katrin.fischer at bsz-bw.de> ---
Created attachment 98100
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=98100&action=edit
Bug 22868: Move suggestions_manage subperm out of acquisition perm

Bug 11911 replaced the permission of suggestions.pl (create a purchase
suggestion) from catalogue => 1 to acquisition => 'suggestions_manage'.
However we have a lot of acquisition scripts that have lax permissions
(acquisition => '*' which means any sub permissions of acquisition is
enough).

That causes problem when a circulation staff can create purchase
suggestions but not access acquisition information.

One solution is to move the suggestions_manage subpermission out of the
acquisition permission and create a new suggestion permission.

Test plan:
0. Setup
* Create a patron with several permission (and full acquisition
permission)
* Create another patron with several permission, and suggestions_manage
permission
* Create another patron without the suggestions_manage permission
1. Apply the patch and execute the update database entry
2. Note that the third patron you create still does not have
suggestions_manage
3. Confirm that you can create a purchase suggestion if you have
suggestions_manage, but cannot access acquisition pages if you do not
have any subpermissions of the acquisition permission

Signed-off-by: Hayley Mapley <hayleymapley at catalyst.net.nz>

Signed-off-by: Katrin Fischer <katrin.fischer.83 at web.de>

-- 
You are receiving this mail because:
You are watching all bug changes.