https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40001
Bug ID: 40001
Summary: edit_items permission allows deletion of individual
items. Should be separate.
Change sponsored?: ---
Product: Koha
Version: 24.11
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5 - low
Component: Cataloging
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
CC: [email protected]
Currently, the edit_items permission allows a user to delete individual items
using the "Action" button on the edit item page.
This behavior persists even when the user does not have the delete_all_items
permission, which is intended (according to documentation) to manage bulk
deletion.
This creates a permissions flaw: staff with rights to edit items can also
delete items, which may not always be desirable from a library’s operational or
security perspective.
Steps to Reproduce:
1. Create a staff account with only the edit_items permission (without
delete_all_items)
2. Go to: catalogue/itemsearch.pl
3. Edit an item (via cataloguing/additem.pl?op=edititem&...)
4. Click the Action button, then Delete the item
5. The item is deleted successfully — despite lacking delete_all_items permission
Expected Behavior:
There should be a separate delete_items permission for deleting individual
items
OR
Deleting any item (individual or bulk) should require the delete_all_items
permission.
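As an added illustration (editor's example, not Koha code and not part of the report): a small Perl model of the permission check, contrasting the mapping the report describes (single-item deletion gated by edit_items alone) with the mapping it proposes. The flags hash shape, the policy tables and the delete_items permission are assumptions for this example; delete_items does not exist in Koha 24.11, it is the permission the report asks for.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed model of the staff flags a Koha-style permission check sees:
# a module key whose value is either 1 (full access to the module) or a
# hashref of granted sub-permissions. This is a stand-in for illustration,
# not the structure or code Koha itself uses.

# Which editcatalogue sub-permissions each item action requires.
# CURRENT: deleting a single item only needs edit_items (the behaviour reported).
my %CURRENT_POLICY = (
    edit_item          => ['edit_items'],
    delete_item        => ['edit_items'],
    batch_delete_items => ['delete_all_items'],
);

# PROPOSED: a dedicated delete_items permission for single-item deletion
# (hypothetical, proposed by the report). delete_all_items also satisfies it,
# so staff who may bulk-delete keep the ability to delete one item.
my %PROPOSED_POLICY = (
    edit_item          => ['edit_items'],
    delete_item        => ['delete_items', 'delete_all_items'],
    batch_delete_items => ['delete_all_items'],
);

# True when $flags grants any of the listed editcatalogue sub-permissions.
sub has_editcatalogue_perm {
    my ($flags, @codes) = @_;
    my $module = $flags->{editcatalogue};
    return 0 unless defined $module;
    return 1 if !ref $module && $module;          # full module access
    return 0 unless ref $module eq 'HASH';
    return 1 if grep { $module->{$_} } @codes;
    return 0;
}

# Evaluate an action against a policy; unknown actions are refused loudly
# rather than silently allowed.
sub may_perform {
    my ($policy, $flags, $action) = @_;
    my $required = $policy->{$action} or die "unknown action '$action'\n";
    return has_editcatalogue_perm($flags, @$required) ? 1 : 0;
}

# Constructed accounts: the reporter's edit_items-only staff user, a user who
# also holds delete_all_items, and a user with full editcatalogue access.
my $edit_only = { editcatalogue => { edit_items => 1 } };
my $deleter   = { editcatalogue => { edit_items => 1, delete_all_items => 1 } };
my $full      = { editcatalogue => 1 };

for my $case ([current => \%CURRENT_POLICY], [proposed => \%PROPOSED_POLICY]) {
    my ($name, $policy) = @$case;
    for my $action (qw(edit_item delete_item batch_delete_items)) {
        printf "%-8s %-18s edit_only=%d deleter=%d full=%d\n",
            $name, $action,
            may_perform($policy, $edit_only, $action),
            may_perform($policy, $deleter,   $action),
            may_perform($policy, $full,      $action);
    }
}

# Enforcement pattern for a delete handler: refuse before touching the record.
sub delete_item_handler {
    my ($policy, $flags, $item_id) = @_;
    die "403: delete_item not permitted\n"
        unless may_perform($policy, $flags, 'delete_item');
    return "deleted item $item_id";   # placeholder for the real deletion
}
```

Under %CURRENT_POLICY the edit_items-only account passes the delete_item check, which is the flaw in the report; under %PROPOSED_POLICY it is refused while the delete_all_items holder and the full-module user are still allowed. The practical point for a fix is that the single-item delete path must call the same kind of check as the batch path, with the permission names the project settles on, instead of relying on the edit-page permission.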
--
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/