Patron merge ignores group application permissions
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Evergreen |
Fix Released
|
Medium
|
Unassigned | ||
3.0 |
Fix Released
|
Medium
|
Unassigned |
Bug Description
Evergreen 3.0.beta / all versions
Staff with the MERGE_USERS permission can modify and delete accounts via merging even when the lack of a group application permission prevents them from modifying or deleting the same accounts in the patron editor.
Steps to reproduce (in Concerto).
1. Grant the MERGE_USERS permission to the Circulators group.
2. Log in to the browser client with a Circulator login (e.g. br1iwalton)
3. Perform a patron search that returns staff accounts.
4. Confirm attempts to edit a staff account in the patron editor result in a permission error.
5. Back in the patron search interface, attempt to merge the selected staff account with any other account.
6. Confirm the merge succeeds without permission error.
The merge should have been prevented since the Circulator login does not have permission to modify staff accounts.
Since the MERGE_USERS permission is required, I don't see this as a critical security bug. But the behavior is unexpected. I believe there is a use case for not treating the MERGE_USERS permission as a magic override for group application permissions.
Changed in evergreen: | |
status: | New → Confirmed |
Changed in evergreen: | |
assignee: | nobody → Bill Erickson (berick) |
Changed in evergreen: | |
assignee: | nobody → Michele Morgan (mmorgan) |
Changed in evergreen: | |
status: | Fix Committed → Fix Released |
As a use case, in our consortium of public and academic institutions, academic patron records are maintained by the institution, public library staff do not have permission to edit or delete them. We use the group application permissions to enforce this. The MERGE_USERS permission should definitely not override the group application permissions.
Another twist on this bug. A logged in staff user is not able to edit their own account, but they are not prevented from deleting their own staff account (even while logged in) by merging it with another account.
We recently had a situation where a logged in staff user merged their own record with a public patron, deleting their own account and attributing all the staff assets to the public patron.
So in addition to the merge function respecting the group application permissions, the logged in user should be prevented from using the merge function on their own account.