#855: BibEdit: improve per-collection cataloguing authorisation check
---------------------+----------------------
Reporter: simko | Owner: jmartinm
Type: defect | Status: new
Priority: major | Milestone:
Component: BibEdit | Version:
Keywords: |
---------------------+----------------------
Imagine a cataloguer being authorised to edit records for some collection
only, say Poetry. When this cataloguer tries to open a new record, or
clone an existing poetry record, the new edit is obviously not indexed
yet, and the collection check that BibEdit performs (via
`guess_primary_collection_of_a_record()`) therefore does not find the new
edit in the Poetry collection, and refuses an otherwise reasonable editing
action. It seems our current check is too strict in this area.

One way to solve this problem would be to also check on-the-fly whether
MARCXML constructed by the cataloguer satisfies criteria for the
collection(s) he/she is authorised to edit.

Once implemented, several web test cases should be written for this
functionality, because now we are too strict, but loosening the check too
much in the other direction could eventually lead to security issues such
as a cataloguer cloning from an authorised collection but submitting to a
non-authorised one. So we'd better enrich our test cases to check for these
possibilities.
--
Ticket URL: <http://invenio-software.org/ticket/855>
Invenio <http://invenio-software.org>
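
The check proposed in the ticket, as an added example that is not part of the ticket or Invenio's own code: authorisation is decided from the MARCXML being submitted, so an unindexed new or cloned record can pass, while a record retargeted to another collection is refused. The `COLLECTION_CRITERIA` mapping, the use of field 980 $a as the collection marker, and all function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://www.loc.gov/MARC21/slim"}

# Hypothetical collection definitions: name -> (MARC tag, subfield code, value).
COLLECTION_CRITERIA = {
    "Poetry": ("980", "a", "POETRY"),
    "Theses": ("980", "a", "THESIS"),
}

def collections_of_marcxml(marcxml):
    """Return every collection whose criterion the submitted record satisfies."""
    # Untrusted XML: in production, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(marcxml)
    found = set()
    for name, (tag, code, value) in COLLECTION_CRITERIA.items():
        path = ".//m:datafield[@tag='%s']/m:subfield[@code='%s']" % (tag, code)
        values = {(sf.text or "").strip() for sf in root.findall(path, NS)}
        if value in values:
            found.add(name)
    return found

def may_save(marcxml, authorised, indexed_collection=None):
    """Decide whether a cataloguer restricted to `authorised` may save the record.

    indexed_collection is the collection the stored record is indexed in,
    or None for a new or cloned record that the index does not know yet.
    """
    submitted = collections_of_marcxml(marcxml)
    # Fail closed: a record matching no collection, or matching any collection
    # outside the cataloguer's set, is refused (clone-and-retarget case).
    if not submitted or not submitted <= set(authorised):
        return False
    # Editing an existing record must not pull it out of a collection
    # the cataloguer has no rights on.
    if indexed_collection is not None and indexed_collection not in authorised:
        return False
    return True

def sample_record(*colls):
    """Constructed MARCXML sample, one 980 $a per collection value given."""
    fields = "".join(
        '<datafield tag="980" ind1=" " ind2=" ">'
        '<subfield code="a">%s</subfield></datafield>' % c for c in colls)
    return '<record xmlns="http://www.loc.gov/MARC21/slim">%s</record>' % fields
```

Each branch of `may_save` corresponds to one of the web test cases the ticket asks for: the too-strict case (unindexed Poetry record) and the too-loose cases (retargeted, multi-collection, or collection-less records).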