https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40396
--- Comment #3 from David Cook <[email protected]> ---

Hmm this is an interesting one.

We've certainly got ourselves into a bit of a situation by having permissions at the borrower level, permissions at the list level, sysprefs like OpacAllowPublicListCreation which also shows that we have different permissions for 2 different interfaces (ie staff and OPAC), and sysprefs which touch both interfaces like "virtualshelves".

I was looking at the list code recently as I was working on adding permissions for controlling Private Lists (bug 39372 and bug 39376), and the list code is... not great.

--

Overall, we want to be able to restrict permissions, so that only authorized patrons can perform operations on private lists and public lists.

To date, we've assumed that if "virtualshelves" is enabled, then anyone (staff or OPAC) is authorized at the borrower level to create private lists, and then there are the 5 list permissions which can be assigned to that.

Over time, we've started adding more permissions around public lists for staff users. And as I write this out... I realise that they're trivial to bypass by just using the OPAC.
