http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=5986
Bug #: 5986
Summary: Inconsistent handling of patron deletion permission
Classification: Unclassified
Change sponsored?: ---
Product: Koha
Version: master
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: Patrons
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]
CC: [email protected]
In some places the permission to delete patrons is governed by whether or not
the user has the "borrowers" permission set: "Add or modify borrowers." In
moremember.pl there is a different check governed by a "candeleteuser" variable
(line 386):
my $candeleteuser;
my $userenv = C4::Context->userenv;
if($userenv->{flags} % 2 == 1){
$candeleteuser = 1;
}elsif ( C4::Context->preference("IndependantBranches") ) {
$candeleteuser = ( $data->{'branchcode'} eq $userenv->{branch} );
}else{
if( C4::Auth::getuserflags(
$userenv->{flags},$userenv->{number})->{borrowers} ) {
$candeleteuser = 1;
}else{
$candeleteuser = 0;
}
}
This means that a user viewing a patron record on moremember.pl might have
different delete permissions than the same user viewing a patron record in
circulation or another patron-related page. A user prevented from deleting by
moremember.pl could switch to another page and delete from there.
--
Configure bugmail:
http://bugs.koha-community.org/bugzilla3/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA Contact for the bug.
_______________________________________________
Koha-bugs mailing list
[email protected]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
