[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What    |Removed |Added
--------------------------------------------
CC      |        |tomasco...@gmail.com

--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What      |Removed  |Added
--------------------------------------------
Keywords  |Sandbox  |rel_24_05_candidate
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #34 from Martin Renvoize ---
It's beyond my brain to work out how to accomplish this in fewer SQL queries.. but I have resolved the lack of top level group permissions checking.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What    |Removed    |Added
--------------------------------------------
Status  |Failed QA  |Signed Off
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #33 from Martin Renvoize ---
Created attachment 166280
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=166280&action=edit
Bug 29509: (QA follow-up) Check top level permissions too
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #32 from Marcel de Rooy ---
(In reply to Marcel de Rooy from comment #30)
> This still needs a bit of attention.
>
> If I add a user with Tools permission, he won't get the list_borrowers since
> you only check user_permissions. But you should also check flags.

Same for the others obviously.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #31 from Marcel de Rooy ---
Looking at the dbrev, I am wondering if we should do just one query instead of the whole bunch one at a time.
Could be useful to print the number of added permissions?
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #30 from Marcel de Rooy ---
This still needs a bit of attention.

If I add a user with Tools permission, he won't get the list_borrowers since you only check user_permissions. But you should also check flags.
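The gap raised in comments #30 and #32, together with the single-query and row-count suggestion from comment #31, as an added example that is not the project's own database update: a migration that looks only at granular rows misses staff who hold a whole module through the top-level flags bitmask. The simplified tables, the module bit numbers, the module each sub-permission is filed under and the sample users are all assumptions constructed for illustration.

```python
import sqlite3

# Assumed module bit numbers, for illustration only.
MODULE_BIT = {"circulate": 1, "catalogue": 2, "borrowers": 4,
              "acquisition": 11, "tools": 13, "serials": 15}

# Sub-permissions the patch drops from the patrons list endpoint,
# mapped to the module assumed to contain each one.
LEGACY = {"manage_bookings": "circulate", "edit_borrowers": "borrowers",
          "order_manage": "acquisition", "label_creator": "tools",
          "routing": "serials"}

NEW_MODULE, NEW_CODE = "borrowers", "list_borrowers"


def build_db():
    """In-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE borrowers (
            borrowernumber INTEGER PRIMARY KEY,
            userid TEXT NOT NULL,
            flags INTEGER NOT NULL DEFAULT 0   -- top-level module bitmask
        );
        CREATE TABLE user_permissions (
            borrowernumber INTEGER NOT NULL,
            module_bit INTEGER NOT NULL,
            code TEXT NOT NULL,
            UNIQUE (borrowernumber, module_bit, code)
        );
    """)
    bit = MODULE_BIT
    conn.executemany("INSERT INTO borrowers VALUES (?, ?, ?)", [
        (1, "alice", 0),                      # granular label_creator only
        (2, "bob", 1 << bit["tools"]),        # whole Tools module, no sub-rows
        (3, "carol", 1 << bit["catalogue"]),  # unrelated module
        (4, "dave", 1 << bit["borrowers"]),   # whole borrowers module already
        (5, "erin", 0),                       # routing + list_borrowers rows
    ])
    conn.executemany("INSERT INTO user_permissions VALUES (?, ?, ?)", [
        (1, bit["tools"], "label_creator"),
        (5, bit["serials"], "routing"),
        (5, bit[NEW_MODULE], NEW_CODE),
    ])
    return conn


def grant_list_borrowers(conn, check_flags=True):
    """Grant list_borrowers in one INSERT ... SELECT; return rows added."""
    new_bit = MODULE_BIT[NEW_MODULE]
    pairs = [(MODULE_BIT[module], code) for code, module in LEGACY.items()]
    # Eligible through a granular row for one of the legacy sub-permissions.
    eligible = ("EXISTS (SELECT 1 FROM user_permissions up"
                " WHERE up.borrowernumber = b.borrowernumber AND ("
                + " OR ".join(["(up.module_bit = ? AND up.code = ?)"] * len(pairs))
                + "))")
    params = [new_bit, NEW_CODE] + [v for pair in pairs for v in pair]
    if check_flags:
        # Holding a parent module's bit implies every sub-permission in it.
        mask = 0
        for module in LEGACY.values():
            mask |= 1 << MODULE_BIT[module]
        eligible += " OR (b.flags & ?) != 0"
        params.append(mask)
    sql = ("INSERT INTO user_permissions (borrowernumber, module_bit, code) "
           "SELECT b.borrowernumber, ?, ? FROM borrowers b "
           f"WHERE ({eligible}) "
           # Skip users whose module bit already covers the new permission.
           "AND (b.flags & ?) = 0 "
           # Skip users who already hold the granular row (idempotent re-run).
           "AND NOT EXISTS (SELECT 1 FROM user_permissions h"
           " WHERE h.borrowernumber = b.borrowernumber"
           " AND h.module_bit = ? AND h.code = ?)")
    params += [1 << new_bit, new_bit, NEW_CODE]
    before = conn.total_changes
    conn.execute(sql, params)
    conn.commit()
    return conn.total_changes - before


def holders(conn):
    """Userids that hold an explicit list_borrowers row, sorted."""
    rows = conn.execute(
        "SELECT b.userid FROM user_permissions up JOIN borrowers b"
        " USING (borrowernumber) WHERE up.module_bit = ? AND up.code = ?"
        " ORDER BY b.userid", (MODULE_BIT[NEW_MODULE], NEW_CODE))
    return [r[0] for r in rows]


if __name__ == "__main__":
    for check_flags in (False, True):
        conn = build_db()
        added = grant_list_borrowers(conn, check_flags)
        print(f"check_flags={check_flags}: added {added}, holders {holders(conn)}")
```

With `check_flags=False` the constructed user `bob`, who holds the whole Tools module and no granular rows, is left without the new permission; `dave` never gets a row because his module bit already covers it.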
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Marcel de Rooy changed:

What                            |Removed |Added
--------------------------------------------
Attachment #162691 is obsolete  |0       |1
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Marcel de Rooy changed:

What                            |Removed |Added
--------------------------------------------
Attachment #162690 is obsolete  |0       |1

--- Comment #29 from Marcel de Rooy ---
Created attachment 164461
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=164461&action=edit
Bug 29509: Update swagger specification and add permissions to users

This patch removes the 'edit_borrowers', 'manage_bookings',
'lable_creator', 'routing' and 'order_manage' permissions from the list
of options in the patrons list endpoint.

We then assign the new 'list_borrowers' permission to any users who have
those removed permissions

Test plan
1) Apply patch and run the database update
2) Users with any of the permissions listed above should now also have
   the 'list_borrowers' permission too.
3) Check that patron searching continues to work from the various
   locations in the UI for the above affected users

Signed-off-by: Victor Grousset/tuxayo
Signed-off-by: Marcel de Rooy

[EDIT] Incorporated second patch and removed 1<<4. 16 reads much better :)
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Marcel de Rooy changed:

What        |Removed     |Added
--------------------------------------------
Status      |Signed Off  |Failed QA
QA Contact  |            |m.de.r...@rijksmuseum.nl
CC          |            |m.de.r...@rijksmuseum.nl
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509
Bug 29509 depends on bug 35773, which changed state.

Bug 35773 Summary: Cannot create bookings without edit_borrowers, label_creator, routing or order_manage permissions
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35773

What        |Removed           |Added
--------------------------------------------
Status      |Pushed to stable  |RESOLVED
Resolution  |---               |FIXED
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Victor Grousset/tuxayo changed:

What    |Removed        |Added
--------------------------------------------
Status  |Needs Signoff  |Signed Off

--- Comment #28 from Victor Grousset/tuxayo ---
(In reply to Martin Renvoize from comment #25)
> Thanks for testing Victor.. you did indeed highlight an issue with my
> database update... (I always struggle with these bitwise ops)
>
> The follow-up corrects the DB update.
>
> No, don't remove those permissions from the users, they need to be left in
> place else the features are disabled entirely for the user.

Oh right, I won't be able to get to the view that uses the search.

---

It works! :)

Testing notes:
- manage_bookings: search a patron to make a booking
- edit_borrowers: search a guarantor when editing a patron
- order_manage: search a patron in the form for new order
- label_creator: search a patron when creating a new batch
- routing: search a patron as a recipient in the "create routing list" form
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Victor Grousset/tuxayo changed:

What                            |Removed |Added
--------------------------------------------
Attachment #162580 is obsolete  |0       |1

--- Comment #27 from Victor Grousset/tuxayo ---
Created attachment 162691
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=162691&action=edit
Bug 29509: Correction to bitwise check

I was using it wrong :(

Signed-off-by: Victor Grousset/tuxayo
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Victor Grousset/tuxayo changed:

What                            |Removed |Added
--------------------------------------------
Attachment #162579 is obsolete  |0       |1

--- Comment #26 from Victor Grousset/tuxayo ---
Created attachment 162690
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=162690&action=edit
Bug 29509: Update swagger specification and add permissions to users

This patch removes the 'edit_borrowers', 'manage_bookings',
'lable_creator', 'routing' and 'order_manage' permissions from the list
of options in the patrons list endpoint.

We then assign the new 'list_borrowers' permission to any users who have
those removed permissions

Test plan
1) Apply patch and run the database update
2) Users with any of the permissions listed above should now also have
   the 'list_borrowers' permission too.
3) Check that patron searching continues to work from the various
   locations in the UI for the above affected users

Signed-off-by: Victor Grousset/tuxayo
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #25 from Martin Renvoize ---
Thanks for testing Victor.. you did indeed highlight an issue with my database update... (I always struggle with these bitwise ops)

The follow-up corrects the DB update.

No, don't remove those permissions from the users, they need to be left in place else the features are disabled entirely for the user.

The permissions are removed from the api schema.. so the requirement is to perform a patron search from each of those features and confirm the patron search still works.. if it doesn't then the permission wasn't added correctly.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #24 from Martin Renvoize ---
Created attachment 162580
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=162580&action=edit
Bug 29509: Correction to bitwise check

I was using it wrong :(
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What                            |Removed |Added
--------------------------------------------
Attachment #161271 is obsolete  |0       |1

--- Comment #23 from Martin Renvoize ---
Created attachment 162579
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=162579&action=edit
Bug 29509: Update swagger specification and add permissions to users

This patch removes the 'edit_borrowers', 'manage_bookings',
'lable_creator', 'routing' and 'order_manage' permissions from the list
of options in the patrons list endpoint.

We then assign the new 'list_borrowers' permission to any users who have
those removed permissions

Test plan
1) Apply patch and run the database update
2) Users with any of the permissions listed above should now also have
   the 'list_borrowers' permission too.
3) Check that patron searching continues to work from the various
   locations in the UI for the above affected users
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Pedro Amorim changed:

What    |Removed |Added
--------------------------------------------
CC      |        |pedro.amo...@ptfs-europe.com
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Victor Grousset/tuxayo changed:

What    |Removed |Added
--------------------------------------------
CC      |        |vic...@tuxayo.net

--- Comment #22 from Victor Grousset/tuxayo ---
> 2) Users with any of the permissions listed above should now also have
>    the 'list_borrowers' permission too.

I took a borrower, gave them
- catalogue
- manage_bookings
- edit_borrowers
- order_manage
- label_creator
- routing
to turn them into a librarian with the minimal permission for the tasks that relate to list_borrowers

then
- apply patch & dep
- updatedatabase (dbrev printed as expected)
- restart_all
- opened the permission page

they still don't have list_borrowers permission! :o

Any idea about what could be missing? No reason for them to be caught in @exclusions so I don't know why they don't have the permission.

---

> 3) Check that patron searching continues to work from the various locations in the UI for the above affected users

For the next step when I'll be able to reach it, should I remove
- manage_bookings
- edit_borrowers
- order_manage
- label_creator
- routing
otherwise, that doesn't test at all that list_borrowers is really there. Vs just look at the permission page.

Or maybe all the related features don't yet use list_borrowers? If they do use, then it's supposed to be already tested. But I don't mind double-checking if that looks relevant here.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #21 from Martin Renvoize ---
I'm keen to use hackfest to try to progress a bit on role based access control. Our current permissions are frankly a bit of a mess with the split really not working well for the API in many cases.

I'm envisaging a bit of a move to having a single list of crud based permissions for each endpoint and then using roles to group those permissions around functional requirements allowing permissions to be added as required to multiple roles and then roles assigned to end users, sometimes multiple roles.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #20 from David Cook ---
I think I like this idea. I don't love the idea of "implicit" permissions for list_borrowers for things like "circulation > manage_bookings", so good to be explicit. (And to add the permissions for current users so it's not a breaking change.)
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Victor Grousset/tuxayo changed:

What      |Removed |Added
--------------------------------------------
Keywords  |        |Sandbox
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin AUBEUT changed:

What    |Removed |Added
--------------------------------------------
CC      |        |martin.aub...@gmail.com

--- Comment #19 from Martin AUBEUT ---
(In reply to Martin Renvoize from comment #18)
> Created attachment 161271
> Bug 29509: Update swagger specification and add permissions to users
>
> This patch removes the 'edit_borrowers', 'manage_bookings',
> 'lable_creator', 'routing' and 'order_manage' permissions from the list
> of options in the patrons list endpoint.
>
> We then assign the new 'list_borrowers' permission to any users who have
> those removed permissions
>
> Test plan
> 1) Apply patch and run the database update
> 2) Users with any of the permissions listed above should now also have
>    the 'list_borrowers' permission too.
> 3) Check that patron searching continues to work from the various
>    locations in the UI for the above affected users

For your information, this is the routes {staff_url}/api/v1/patrons

During the test plan, we needed more details about the locations related to: manage_bookings, lable_creator, routing, order_manage.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What                            |Removed |Added
--------------------------------------------
Attachment #161270 is obsolete  |0       |1

--- Comment #18 from Martin Renvoize ---
Created attachment 161271
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161271&action=edit
Bug 29509: Update swagger specification and add permissions to users

This patch removes the 'edit_borrowers', 'manage_bookings',
'lable_creator', 'routing' and 'order_manage' permissions from the list
of options in the patrons list endpoint.

We then assign the new 'list_borrowers' permission to any users who have
those removed permissions

Test plan
1) Apply patch and run the database update
2) Users with any of the permissions listed above should now also have
   the 'list_borrowers' permission too.
3) Check that patron searching continues to work from the various
   locations in the UI for the above affected users
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What    |Removed   |Added
--------------------------------------------
Status  |ASSIGNED  |Needs Signoff
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What                            |Removed |Added
--------------------------------------------
Attachment #161256 is obsolete  |0       |1
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What                            |Removed |Added
--------------------------------------------
Attachment #161269 is obsolete  |0       |1

--- Comment #17 from Martin Renvoize ---
Created attachment 161270
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161270&action=edit
Bug 29509: Update swagger specification and add permissions to users

This patch removes the 'edit_borrowers', 'manage_bookings',
'lable_creator', 'routing' and 'order_manage' permissions from the list
of options in the patrons list endpoint.

We then assign the new 'list_borrowers' permission to any users who have
those removed permissions
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What                            |Removed |Added
--------------------------------------------
Attachment #161268 is obsolete  |0       |1

--- Comment #16 from Martin Renvoize ---
Created attachment 161269
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161269&action=edit
Bug 29509: Update swagger specification and add permissions to users

This patch removes the 'edit_borrowers', 'manage_bookings',
'lable_creator', 'routing' and 'order_manage' permissions from the list
of options in the patrons list endpoint.

We then assign the new 'list_borrowers' permission to any users who have
those removed permissions
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #15 from Martin Renvoize ---
Created attachment 161268
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161268&action=edit
Bug 29509: Update swagger specification and add permissions to users

This patch removes the 'edit_borrowers', 'manage_bookings',
'lable_creator', 'routing' and 'order_manage' permissions from the list
of options in the patrons list endpoint.

We then assign the new 'list_borrowers' permission to any users who have
those removed permissions
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #14 from Martin Renvoize ---
Just some scaffolding to show what I'm planning here.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #13 from Martin Renvoize ---
Created attachment 161256
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=161256&action=edit
Bug 29509: WIP - Start of DB and specification update
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What    |Removed        |Added
--------------------------------------------
Status  |In Discussion  |ASSIGNED
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What        |Removed |Added
--------------------------------------------
Depends on  |        |30230

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30230
[Bug 30230] Search for patrons in checkout should not require edit_borrowers permission
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #12 from Martin Renvoize ---
We should use this bug to clean up the old permissions on the endpoint.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #11 from Martin Renvoize ---
David goes ahead and adds the list_borrowers permission in bug 30230
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #10 from Martin Renvoize ---
Can we be even clearer here somehow? i.e. should it be 'list_`something`_borrowers' (and whilst we're here can we swap out 'borrowers' for 'users' as it affects both borrowers and staff 'users').

The reason I add the 'something' in the middle is that I want it made clear this permission only allows the end api consumer to see the users they should be able to see (i.e. limited by library or library group depending on settings, vs the 'view_borrower_infos_from_any_library' option that expands that list significantly.. in theory at least)
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What        |Removed |Added
--------------------------------------------
Blocks      |35773   |
Depends on  |        |35773

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35773
[Bug 35773] Cannot create bookings without circulation permissions
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What    |Removed |Added
--------------------------------------------
Blocks  |        |35773

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35773
[Bug 35773] Cannot create bookings without circulation permissions
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Martin Renvoize changed:

What     | Removed              | Added
Assignee | tomasco...@gmail.com | martin.renvoize@ptfs-europe.com
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #9 from David Cook ---
(In reply to Katrin Fischer from comment #8)
> I am not sure I understand the difference between view and list, can you
> explain?

To me, I think "list" would align better with the REST API. It would be a permission that lets you GET a list of borrowers. For the patron detail page, I suppose that might be a list of 1 borrower conceptually...

I suggested "view" since it implies a read-only permission but it doesn't really describe much beyond that?
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #8 from Katrin Fischer ---
I am not sure I understand the difference between view and list, can you explain?
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

David Cook changed:

What     | Removed | Added
See Also |         | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35381
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #7 from David Cook ---
(In reply to Tomás Cohen Arazi from comment #4)
> We need a new 'list_borrowers' subpermission.

I think we do, and we could retrospectively add it to any patron account that has "edit_borrowers" during the upgrade, so really there's no reason not to.

I don't know why I didn't think to do this earlier in the release cycle...
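The two layers discussed in comments #10 and #7, as an added example that is not part of the bug thread and not Koha's own code: a route-level subpermission decides whether a caller may list patrons at all, and a separate row-level scope decides which patrons come back. The library codes, group layout, the limit_to_group flag (standing in for "depending on settings") and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: library codes, groups and names are made up.
LIBRARY_GROUPS = {"north": {"CPL", "MPL"}, "south": {"FPL"}}

@dataclass(frozen=True)
class Patron:
    name: str
    library: str

@dataclass
class ApiUser:
    name: str
    library: str
    permissions: set = field(default_factory=set)

PATRONS = [Patron("alice", "CPL"), Patron("bob", "MPL"), Patron("carol", "FPL")]

class Forbidden(Exception):
    """Route-level check failed: the caller lacks the required subpermission."""

def visible_libraries(user, limit_to_group):
    """Row-level scope for a caller; None means no library restriction."""
    if "view_borrower_infos_from_any_library" in user.permissions:
        return None
    if limit_to_group:
        for members in LIBRARY_GROUPS.values():
            if user.library in members:
                return set(members)
    return {user.library}

def list_patrons(user, required="list_borrowers", limit_to_group=True):
    """Model of GET /patrons: check the route permission, then scope the rows."""
    if required not in user.permissions:
        raise Forbidden(f"{user.name} lacks borrowers/{required}")
    scope = visible_libraries(user, limit_to_group)
    return sorted(p.name for p in PATRONS if scope is None or p.library in scope)

def grant_on_upgrade(users):
    """Upgrade step from comment #7: edit_borrowers holders also get list_borrowers."""
    for u in users:
        if "edit_borrowers" in u.permissions:
            u.permissions.add("list_borrowers")
    return users
```

Holding list_borrowers never widens the row scope on its own; only view_borrower_infos_from_any_library does, which is the separation comment #10 asks the permission name to make obvious.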
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #6 from David Cook ---
(In reply to Tomás Cohen Arazi from comment #4)
> We need a new 'list_borrowers' subpermission.

That's my conclusion with bug 30230 as well. I was thinking "view_borrowers" but "list_borrowers" might be better.

We'd need to add it to "member.pl" as well as that provides a page which calls the /patrons* routes to populate the data table.

I think bug 29523 will become more and more relevant there as well...
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Jonathan Druart changed:

What     | Removed | Added
See Also |         | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30230
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

David Cook changed:

What | Removed | Added
CC   |         | dc...@prosentient.com.au
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Tomás Cohen Arazi changed:

What     | Removed | Added
See Also |         | https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=32502
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Bug 29509 depends on bug 30055, which changed state.

Bug 30055 Summary: Rewrite some of the patron searches to make them use the REST API routes
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30055

What       | Removed          | Added
Status     | Pushed to master | RESOLVED
Resolution | ---              | FIXED
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Jonathan Druart changed:

What       | Removed | Added
Depends on |         | 30055

--- Comment #5 from Jonathan Druart ---
(In reply to Tomás Cohen Arazi from comment #4)
> We need a new 'list_borrowers' subpermission.

On top of bug 30055 please.

Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30055
[Bug 30055] Rewrite patron searches to make them use the REST API routes
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #4 from Tomás Cohen Arazi ---
We need a new 'list_borrowers' subpermission.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Bug 29509 depends on bug 29506, which changed state.

Bug 29506 Summary: objects.search should call search_limited if present
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29506

What       | Removed             | Added
Status     | Pushed to oldstable | RESOLVED
Resolution | ---                 | FIXED
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #3 from Tomás Cohen Arazi ---
(In reply to Martin Renvoize from comment #2)
> I'm wondering how our changes to objects.search and objects.find might affect
> public routes and seeing one's own data?

That's a good question. It probably highlights the search_limited methods are too staff side oriented. I did this:

    $ git grep 'sub search_limited'
    Koha/ArticleRequests.pm:sub search_limited {
    Koha/Patron/Discharge.pm:sub search_limited {
    Koha/Patrons.pm:sub search_limited {
    Koha/Reviews.pm:sub search_limited {

It feels safe for now.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

--- Comment #2 from Martin Renvoize ---
I'm wondering how our changes to objects.search and objects.find might affect public routes and seeing one's own data?
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Tomás Cohen Arazi changed:

What | Removed | Added
CC   |         | jonathan.druart+koha@gmail.com, katrin.fisc...@bsz-bw.de, n...@bywatersolutions.com

--- Comment #1 from Tomás Cohen Arazi ---
Based on moremember.pl we could do { borrowers => 'edit_borrowers' }.
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Tomás Cohen Arazi changed:

What       | Removed | Added
Depends on | 29503   | 29506, 29510

Referenced Bugs:
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29506
[Bug 29506] objects.search should call search_limited if present
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29510
[Bug 29510] objects.find should call search_limited if present
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Tomás Cohen Arazi changed:

What | Removed | Added
CC   |         | martin.renvoize@ptfs-europe.com
[Koha-bugs] [Bug 29509] GET /patrons* routes permissions excessive
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29509

Tomás Cohen Arazi changed:

What       | Removed                            | Added
Depends on |                                    | 29503
Status     | NEW                                | In Discussion
Assignee   | koha-b...@lists.koha-community.org | tomasco...@gmail.com