Evergreen

Inconsistent permissions for org unit closed dates

Bug #1843322 reported by Jeff Davis on 2019-09-09

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	Evergreen	New	Low	Unassigned

Bug Description

EG 3.3

In the fieldmapper, the permissions that govern actor.org_unit_closed are:

CREATE_ORG_UNIT_CLOSING
UPDATE_ORG_UNIT_CLOSING
DELETE_ORG_UNIT_CLOSING

These are the permissions that would apply if you were editing closed dates via pcrud. But the staff client doesn't used pcrud for this, it uses specialized API calls (open-ils.actor.org_unit.closed.create, etc.) which check the following oddly-named perms instead:

actor.org_unit.closed_date.create
actor.org_unit.closed_date.update
actor.org_unit.closed_date.delete

You need the latter set of perms in order to modify closed dates in the staff client.

It would make sense to use the same set of perms in both places -- either change the fieldmapper to use
actor.org_unit.closed_date.create, or modify the API to check CREATE_ORG_UNIT_CLOSING.

Tags:

Jeff Davis (jdavis-sitka) on 2019-09-09

Changed in evergreen:
importance:	Undecided → Low
tags:	added: permissions

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.