https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35227
--- Comment #3 from Marcel de Rooy <[email protected]> ---

What is the best way to move forward here? Some options to think about:

[1] Just removing label_creator, routing and order_manage from GET patrons is probably too simple. We may need a list of patron IDs and a name for some of these associated forms.

[2] Could we go via public_patrons.yaml somehow on those staff forms? It sounds weird to do so for a staff form.

[3] Be stricter in can_see_things_from. Currently, the can = 1 for own branch allows this to happen. But how to refine that check exactly? What would be the impact on other calls?

Note: The following line on the set permissions forms is misleading:

"View patron infos from any libraries. If not set the logged in user could only access patron infos from its own library or group of libraries. (view_borrower_infos_from_any_libraries)"

This is not true. If you gave acevedo only the above-listed permissions, he is not EVEN able to access his OWN account info on staff (but he can on OPAC). He cannot see other accounts at all.

[4] Given that can_see_things_from should still return 1 when not touching that sub, could we refine with something similar to unredact_list that we do now only when is_accessible returns false? We feel the need here to provide some columns for staff but not immediately all columns, say staff_read_list?

Your feedback is welcome.
