[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Fridolin Somers changed: What|Removed |Added Status|Pushed to stable|Needs documenting -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #29 from Fridolin Somers --- Does not apply on 24.11.x, maybe an import of Bug 38993 -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Fridolin Somers changed: What|Removed |Added See Also||https://bugs.koha-community ||.org/bugzilla3/show_bug.cgi ||?id=38993 CC||[email protected] ||m -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #28 from Paul Derscheid --- Nice work everyone! Pushed to 25.05.x -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Paul Derscheid changed: What|Removed |Added Version(s)|25.11.00|25.11.00,25.05.06 released in|| Status|Pushed to main |Pushed to stable -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #27 from Lucas Gass (lukeg) --- Nice work everyone! Pushed to main for 25.11 -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Lucas Gass (lukeg) changed: What|Removed |Added Version(s)||25.11.00 released in|| Status|Passed QA |Pushed to main -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #26 from Matt Blenkinsop --- (In reply to Jonathan Druart from comment #23) > Note for QA: shouldn't we then remove the resource_type parameter from the > admin route? /extended_attribute_types > We can still use the regular 'q' for filtering. I don't see this as critical atm, can be a follow-up bug I've added a unit test to check the wrapper -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Matt Blenkinsop changed: What|Removed |Added QA Contact|[email protected] |[email protected] |y.org |o.uk Status|Signed Off |Passed QA -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #25 from Matt Blenkinsop --- Created attachment 189159 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189159&action=edit Bug 38446: Add a unit test for the additional fields wrapper Signed-off-by: Matt Blenkinsop -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Matt Blenkinsop changed: What|Removed |Added Attachment #189013|0 |1 is obsolete|| --- Comment #24 from Matt Blenkinsop --- Created attachment 189158 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189158&action=edit Bug 38446: Add a dedicated route to retrieve ERM-related additional fields In order to prevent permission errors to user without the 'parameters' permission we are introducing a separate endpoint for the ERM module to retrieve additional fields for this specific module. * Adds a new endpoint /erm/extended_attribute_types * Adjusts Cypress and REST API tests * Adds REST API swagger specs I wanted to keep the code as simple as possible and decided to create a wrapper for the additional fields API client. The magic is in koha-tmpl/intranet-tmpl/prog/js/fetch/additional-fields-api-client.js Ideally we should provide a test for this but I failed to write them. If required by QA I would suggest to deal with them on a separate bug to not delay this bugfix. The code has been kept designed to be used in other contexts but the api client is not used outside of Vue and outside of the ERM module. Test plan: Confirm that user without the 'parameters' permission can use the ERM module with additional fields. Sponsored-by: Karlsruhe Institute of Technology (KIT) Signed-off-by: Michaela Sieber Signed-off-by: Matt Blenkinsop -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #23 from Jonathan Druart --- Note for QA: shouldn't we then remove the resource_type parameter from the admin route? /extended_attribute_types We can still use the regular 'q' for filtering. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Michaela Sieber changed: What|Removed |Added Status|Needs Signoff |Signed Off Priority|P5 - low|P2 -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 OpenFifth Sandboxes changed: What|Removed |Added Attachment #189010|0 |1 is obsolete|| --- Comment #22 from OpenFifth Sandboxes --- Created attachment 189013 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189013&action=edit Bug 38446: Add a dedicated route to retrieve ERM-related additional fields In order to prevent permission errors to user without the 'parameters' permission we are introducing a separate endpoint for the ERM module to retrieve additional fields for this specific module. * Adds a new endpoint /erm/extended_attribute_types * Adjusts Cypress and REST API tests * Adds REST API swagger specs I wanted to keep the code as simple as possible and decided to create a wrapper for the additional fields API client. The magic is in koha-tmpl/intranet-tmpl/prog/js/fetch/additional-fields-api-client.js Ideally we should provide a test for this but I failed to write them. If required by QA I would suggest to deal with them on a separate bug to not delay this bugfix. The code has been kept designed to be used in other contexts but the api client is not used outside of Vue and outside of the ERM module. Test plan: Confirm that user without the 'parameters' permission can use the ERM module with additional fields. Sponsored-by: Karlsruhe Institute of Technology (KIT) Signed-off-by: Michaela Sieber -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Jonathan Druart changed: What|Removed |Added Attachment #183133|0 |1 is obsolete|| -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #21 from Jonathan Druart --- Created attachment 189010 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189010&action=edit Bug 38446: Add a dedicated route to retrieve ERM-related additional fields In order to prevent permission errors to user without the 'parameters' permission we are introducing a separate endpoint for the ERM module to retrieve additional fields for this specific module. * Adds a new endpoint /erm/extended_attribute_types * Adjusts Cypress and REST API tests * Adds REST API swagger specs I wanted to keep the code as simple as possible and decided to create a wrapper for the additional fields API client. The magic is in koha-tmpl/intranet-tmpl/prog/js/fetch/additional-fields-api-client.js Ideally we should provide a test for this but I failed to write them. If required by QA I would suggest to deal with them on a separate bug to not delay this bugfix. The code has been kept designed to be used in other contexts but the api client is not used outside of Vue and outside of the ERM module. Test plan: Confirm that user without the 'parameters' permission can use the ERM module with additional fields. Sponsored-by: Karlsruhe Institute of Technology (KIT) -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Jonathan Druart changed: What|Removed |Added Status|ASSIGNED|Needs Signoff -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Jonathan Druart changed: What|Removed |Added Sponsorship status|--- |Sponsored Status|In Discussion |ASSIGNED Assignee|[email protected] |[email protected] |o.uk| -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #19 from Jonathan Druart --- (In reply to Pedro Amorim from comment #14) > (In reply to Jonathan Druart from comment #7) > > I don't this this is correct. > > > > We need a separate route to retrieve the ERM's attributes. Or should it be > > in /erm/config? > > > > IMO we don't want to give access to the attributes of other modules if the > > permissions is not set. > > I sort of agree with this but having to have a specific endpoint for every > new resource that adopts extended attributes would be a bit overkill? I personally don't think it's overkill, and I still think it's what we should do. eg. /erm/additional_fields > How about just put 'catalogue' : 1 as permission, and handle the permissions > logic in the REST controller itself? Yes, that's another possible option. /additional_fields would return all the fields depending on the user's permissions. It will be easier to integrate with the changes made by bug 38201 (and the RelationshipTableDisplay.vue component). -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #20 from Tomás Cohen Arazi (tcohen) --- * I don't agree with making ERM permission grant full access to resources they shouldn't have access to. * Adding a scoped endpoint (/additional_fields/erm or /addtional_fields/erm/:type should be very 'cheap' and quick to implement and would allow us to specify permissions at the spec level. The controller method could (probably) be reused in other cases and or really thin and simple to maintain. * If we start adding checks for permissions in the controller, for each use case it will become a mess pretty fast. * CRUD endpoints are not 100% suitable for this kind of things, and this is an example of this statement. We should really have some specialized endpoints for dropdowns, with simpler permissions and schemas. But this is out of the scope of this bug. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #18 from Clemens Tubach --- (In reply to Pedro Amorim from comment #16) > (In reply to Katrin Fischer from comment #15) > > What would be needed to get this moving > > Would love to see some comments about my suggestion on comment 14, > specifically from Joubu but thoughts from others are also very much welcome, > of course. Even if that is not the approach to take here, would be nice to > consider / justify why not. We think the proposal is good and pragmatic. The resource_type could be used to check whether there is a module permission or a subpermission for the module that belongs to the resource_type. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446
--- Comment #17 from Michaela Sieber ---
We startet to use the ERM module in our production system and this is our
workaround for protecting the system administration page for additional fields:
Snippet for IntranetUserJS
// Hide the additional field view for everyone that is not a superlibrarian
(function() {
// check if on additional fields page
if (document.querySelector('body#ser_add_fields')) {
// check if logged in use is superlibrarian
const isSuperLibrarian =
document.querySelector('span.loggedinusername.is_superlibrarian');
// remove all content in the additional field main view
if (!isSuperLibrarian){
document.querySelector('main').innerHTML='';
}
}
})();
--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #16 from Pedro Amorim --- (In reply to Katrin Fischer from comment #15) > What would be needed to get this moving Would love to see some comments about my suggestion on comment 14, specifically from Joubu but thoughts from others are also very much welcome, of course. Even if that is not the approach to take here, would be nice to consider / justify why not. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Bug 38446 depends on bug 35287, which changed state. Bug 35287 Summary: Add additional fields support to ERM licenses https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35287 What|Removed |Added Status|Needs documenting |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #15 from Katrin Fischer --- What would be needed to get this moving At the moment we do need to give staff users admin permissions which actually gives them access to all of this data, because there is no other way. Would love to see this resolved. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Michaela Sieber changed: What|Removed |Added See Also||https://bugs.koha-community ||.org/bugzilla3/show_bug.cgi ||?id=40684 -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #14 from Pedro Amorim --- (In reply to Jonathan Druart from comment #7) > I don't this this is correct. > > We need a separate route to retrieve the ERM's attributes. Or should it be > in /erm/config? > > IMO we don't want to give access to the attributes of other modules if the > permissions is not set. I sort of agree with this but having to have a specific endpoint for every new resource that adopts extended attributes would be a bit overkill? I also see where Matt's suggestion could work, but as I understand it, that would mean that we'd have to have all possible adopting resources as OR permissions and someone with ERM permissions only would potentially be granted access to, say, serials subscriptions. - How about just put 'catalogue' : 1 as permission, and handle the permissions logic in the REST controller itself? That seems to be what paths/jobs.yaml + REST/V1/BackgroundJobs.pm is doing. The get endpoint has permission of catalogue: "1" but then the REST/V1/BackgroundJobs.pm controller checks for manage_background_jobs permission. We could have something similar here, and check for a specific permission depending on the resource_type being queried. Could even just use the existing resource_to_table and extend it to also have each respective permission mapped. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Michaela Sieber changed: What|Removed |Added Blocks||38201 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38201 [Bug 38201] VueJS architecture rethink -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Marcel de Rooy changed: What|Removed |Added CC||[email protected] Status|Signed Off |In Discussion --- Comment #13 from Marcel de Rooy --- "Allow this until we solve the issue" sounds like something we did before? But are most of these issues solved yet? :) Giving access to the area of extended attribs only because you have ERM access, sounds like bad design. Shouldnt you add the extended attribs perms for those ERM users in a dbrev or so (release warning)? Are the extended attribs perms not granular enough? Should we add a level there? Discussion Time -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #10 from Katrin Fischer --- Looking deeper into this I understand Joubu's concern about the API a bit better, but this seems to only involve seeing the configuration of additional fields in other modules, not the data itself? I believe the data would be the sensitive bit. If so it seems forgiveable for a fix. This has been reported in November... and is a real bad blocker. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Katrin Fischer changed: What|Removed |Added Status|Failed QA |Signed Off --- Comment #12 from Katrin Fischer --- If I understand correctly we'd need a way to filter the API for the different modules, so: - only expose ERM related additional field configuration if user has erm permissions - only expose acq related additional field configuration if user has acq permission Etc. For me it's hard to tell how we can do that with the API, but it seems a new concept that might need some more thinking? -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Katrin Fischer changed: What|Removed |Added Attachment #176471|0 |1 is obsolete|| --- Comment #11 from Katrin Fischer --- Created attachment 183133 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=183133&action=edit Bug 38446: Allow those with ERM permissions to access extended attributes Test plan: 1. Log in as superlibrarian 2. Activate ERM 3. Add a new additional field for Licences under cgi-bin/koha/admin/additional-fields.pl 4. Go to ERM Module 5. Add a Licence and use the new additional field 6. Search for a user, for example borrowernumber=17 7. Give permissions for erm , acquisition and catalogue (staff access) 8. Log in with this account 9. Go to ERM Module 10. Try to edit the licence with the additional field you have created in step 5 11. Apply patch and run yarn api:bundle and then restart_all 12. Repeat steps 9 and 10 13. The permissions error should vanish Signed-off-by: William Lavoie Signed-off-by: Katrin Fischer -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Katrin Fischer changed: What|Removed |Added Severity|normal |major --- Comment #9 from Katrin Fischer --- I have updated the severity as this prohibits libraries from using the additional fields in the ERM module in stable releases down to 24.11 at least. I believe we should go for the simple fix for backporting and work out a better solution for the future on a new bug. I'll test the attached patch and sign-off if it works. For the permissions: manage_additional_fields Manage additional fields (requires the corresponding permission, one of edit_subscription, order_manage, edit_invoices, or remaining_permissions under updatecharges This permission is a sub permission to parameters and should only be applied when it's about changing the additional fields configuration, not for using them in the context of the modules they appear in (storing, adding, deleting data). I believe this might also re-appear as an issue when we are looking into additional fields for the vendors and every other place that is Vue/API based? Thinking of: Bug 38262 - Add additional fields to Vendors -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Michaela Sieber changed: What|Removed |Added CC||[email protected], ||[email protected] -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Mathieu Saby changed: What|Removed |Added CC||[email protected] --- Comment #8 from Mathieu Saby --- I'm not sure I understand your exchanges. Why would you need a "manage" permission to view something in Koha (and not to manage it)? -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Jonathan Druart changed: What|Removed |Added Status|Signed Off |Failed QA --- Comment #7 from Jonathan Druart --- I don't this this is correct. We need a separate route to retrieve the ERM's attributes. Or should it be in /erm/config? IMO we don't want to give access to the attributes of other modules if the permissions is not set. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 William Lavoie changed: What|Removed |Added Attachment #174758|0 |1 is obsolete|| --- Comment #6 from William Lavoie --- Created attachment 176471 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=176471&action=edit Bug 38446: Allow those with ERM permissions to access extended attributes Test plan: 1. Log in as superlibrarian 2. Activate ERM 3. Add a new additional field for Licences under cgi-bin/koha/admin/additional-fields.pl 4. Go to ERM Module 5. Add a Licence and use the new additional field 6. Search for a user, for example borrowernumber=17 7. Give permissions for erm , acquisition and catalogue (staff access) 8. Log in with this account 9. Go to ERM Module 10. Try to edit the licence with the additional field you have created in step 5 11. Apply patch and run yarn api:bundle and then restart_all 12. Repeat steps 9 and 10 13. The permissions error should vanish Signed-off-by: William Lavoie -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 William Lavoie changed: What|Removed |Added Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Matt Blenkinsop changed: What|Removed |Added Blocks|38010 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38010 [Bug 38010] Migrate vendors to Vue -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Matt Blenkinsop changed: What|Removed |Added Blocks||38262 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38262 [Bug 38262] Add additional fields to Vendors -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Matt Blenkinsop changed: What|Removed |Added Blocks||38010 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38010 [Bug 38010] Migrate vendors to Vue -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #5 from Matt Blenkinsop --- Patch for discussion based on what I was planning for the vendors migration. If this is too granular then I think we should go with Pedro's suggestion and open up extended attributes more widely -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Matt Blenkinsop changed: What|Removed |Added Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #4 from Matt Blenkinsop --- Created attachment 174758 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=174758&action=edit Bug 38446: Allow those with ERM permissions to access extended attributes Test plan: 1. Log in as superlibrarian 2. Activate ERM 3. Add a new additional field for Licences under cgi-bin/koha/admin/additional-fields.pl 4. Go to ERM Module 5. Add a Licence and use the new additional field 6. Search for a user, for example borrowernumber=17 7. Give permissions for erm , acquisition and catalogue (staff access) 8. Log in with this account 9. Go to ERM Module 10. Try to edit the licence with the additional field you have created in step 5 11. Apply patch and run yarn api:bundle and then restart_all 12. Repeat steps 9 and 10 13. The permissions error should vanish -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #3 from Matt Blenkinsop --- That way you should be able to access the ERM pages without needing to be given access to any of the authorised values pages -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 --- Comment #2 from Matt Blenkinsop --- If we want to be more granular with it we could make it an OR check on the permissions and just add the ERM permission. I think something like the below would work: x-koha-authorization: permissions: - parameters: - manage_additional_fields - erm: 1 -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Pedro Amorim changed: What|Removed |Added CC||[email protected] --- Comment #1 from Pedro Amorim --- Adding Tomas here to the discussion. In extended_attributes_types, we have: x-koha-authorization: permissions: parameters: manage_additional_fields But staff members editing any of the additional fields supported resources e.g. ERM licenses may not have 'manage_additional_fields'. For Vue additional fields page (such as ERM licenses), this API endpoint needs to be retrieved in order to show configured additional fields on the form. To fix this for posterity, should we just have 'catalogue: "1"' for this endpoint? The UI page to manage additional fields should still be checking for manage_additional_fields anyway. -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 38446] Permission error for additional fields
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38446 Michaela Sieber changed: What|Removed |Added Assignee|[email protected] |matt.blenkinsop@ptfs-europe ||.com Depends on||35287 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35287 [Bug 35287] Add additional fields support to ERM licenses -- You are receiving this mail because: You are watching all bug changes. ___ Koha-bugs mailing list [email protected] https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs website : http://www.koha-community.org/ git : http://git.koha-community.org/ bugs : http://bugs.koha-community.org/
