https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=37392
Bug ID: 37392
Summary: Edit item permission by library group is broken
Change sponsored?: ---
Product: Koha
Version: Main
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5 - low
Component: Cataloging
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected], [email protected],
[email protected], [email protected]
Depends on: 29523
Library groups allow setting up groups within which staff users can
edit each other's items. This was introduced in 23.05, but is now broken in
23.11.
It's not possible for a staff user to edit another library's items now in some
circumstances.
Test plan:
Set up library group:
* Create a library group for library A + B
* Action: Limit item editing by group
Set up test user:
* Create a staff patron with these permissions:
  * catalogue
  * fast_cataloguing
  * edit_items
  * view_borrower_infos_from_any_libraries
  * edit borrowers
* Home library: library A
Set up test items:
* Create a record with 3 items with different home libraries:
  * A
  * B
  * C
We expect the user will be allowed to edit A and B, but not C.
Test:
* Test editing the items with the test user, only A is allowed to be edited.
* Remove the view_borrower_infos_from_any_libraries permission from test user.
* Test editing items now behaves as expected: A + B are allowed, C is not.
-----
After some digging to understand the change of behavior noticed between 23.05
and 23.11:
I believe commit 2c502d32 to be the culprit.
item.can_be_edit uses Patron::can_edit_item_from which calls
can_see_things_from.
The commit removed the library group specific code and introduced a call to
libraries_where_can_see_patrons instead, probably assuming the thing was always
a patron record. But here it is an item record.
Thinking we should not use "thing" in method names without at least explaining
what thing can be...
Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29523
[Bug 29523] Add a way to prevent embedding objects that should not be allowed
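
The test plan above as an executable permission matrix. This is an added example, not part of the bug report and not Koha code: it uses a simplified model in which every name (Staff, editable_libraries, can_edit_item, can_edit_item_faulty, check_matrix) is hypothetical and the sample group is constructed. The check asserts that the item-editing decision for libraries A, B and C does not change when the unrelated patron-viewing permission is added.

```python
# Simplified model, constructed for illustration; every name here is hypothetical.
from dataclasses import dataclass

PATRON_VIEW = "view_borrower_infos_from_any_libraries"
BASE_PERMS = frozenset({"catalogue", "fast_cataloguing", "edit_items", "edit_borrowers"})
ITEM_EDIT_GROUPS = [{"A", "B"}]  # constructed: one group limiting item editing


@dataclass(frozen=True)
class Staff:
    home: str
    permissions: frozenset


def editable_libraries(user, groups=ITEM_EDIT_GROUPS):
    """Home library plus its siblings in item-editing groups.
    Users whose library is in no group are not modelled here."""
    allowed = {user.home}
    for group in groups:
        if user.home in group:
            allowed |= group
    return allowed


def can_edit_item(user, item_home):
    """Expected behaviour: scope depends only on the item-editing groups."""
    return "edit_items" in user.permissions and item_home in editable_libraries(user)


def can_edit_item_faulty(user, item_home):
    """Constructed faulty variant that lets a patron-viewing permission change
    the item scope. It mimics the reported symptom, not Koha's actual logic."""
    if "edit_items" not in user.permissions:
        return False
    if PATRON_VIEW in user.permissions:
        return item_home == user.home
    return item_home in editable_libraries(user)


def check_matrix(decide):
    """Run the test plan against decide(user, item_home); return the failures
    as (item library, user has PATRON_VIEW, got, expected) tuples."""
    expected = {"A": True, "B": True, "C": False}
    failures = []
    for extra in (frozenset(), frozenset({PATRON_VIEW})):
        user = Staff("A", BASE_PERMS | extra)
        for library, want in expected.items():
            got = decide(user, library)
            if got != want:
                failures.append((library, bool(extra), got, want))
    return failures
```

Passing a real permission check in place of the model functions turns check_matrix into a regression test for this report.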