Angular Catalog: "Edit" link displayed for all users, ignores UPDATE_COPY perm
Bug #1920815 reported by Dan Guarracino
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Evergreen | Fix Released | High | Unassigned | |
3.6 | Fix Released | High | Unassigned | |
Bug Description
Affects Evergreen 3.6 (observed in 3.6.1 and 3.6.2):
The staff catalog in 3.4 and prior releases would only display the "Edit" link next to copies in a record's copy table if the staff user had UPDATE_COPY permissions for the item. Otherwise, only the "View" link would display in the copy table.
The Angular staff catalog displays the "Edit" link next to all of a record's copies whether or not the staff user has permission to edit the item.
The "Traditional" staff catalog in 3.6 still hides the "Edit" link in the copy table appropriately.
Changed in evergreen:
status: New → Confirmed
importance: Undecided → High
Changed in evergreen:
assignee: nobody → Dan Briem (dbriem)
Changed in evergreen:
status: Fix Committed → Fix Released
This is an important issue in our consortium. If a user without permission to edit items clicks on this link, they get to the editing screen where they can add, remove and change information. If they try to save the record, they get a permissions error, so there's no actual harm done, but it's confusing.
Where we have a real problem with this is that users see edit links for items owned by other libraries, which gives the impression that libraries can accidentally or intentionally edit each other's items. People are kind of horrified to discover that the link takes them to that editing screen, and they don't discover that the permission prevents them from actually editing the item because they are too careful to ever try this and click Save.
I'm attaching a screen showing edit links for items owned by three different libraries, none of which match the library the user is logged in to.
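The two layers described in the report and the comment above, as an added example that is not part of the original bug report and is not Evergreen's code: the copy table offers "Edit" only where UPDATE_COPY covers the copy's owning library, while the save path re-checks the permission regardless of what the UI rendered. The org tree, copies, function names, error text and the rule that a grant covers descendant org units are all assumptions made for the illustration.

```typescript
// Added illustration; every name and value here is hypothetical or constructed.
interface OrgUnit { id: number; parent: number | null; }
interface Copy { barcode: string; owningLib: number; }

// Constructed org tree: consortium 1, systems 2 and 3, branches 4, 5 (under 2) and 6 (under 3).
const ORGS: OrgUnit[] = [
  { id: 1, parent: null }, { id: 2, parent: 1 }, { id: 3, parent: 1 },
  { id: 4, parent: 2 }, { id: 5, parent: 2 }, { id: 6, parent: 3 },
];
const COPIES: Copy[] = [
  { barcode: 'A100', owningLib: 4 },
  { barcode: 'B200', owningLib: 5 },
  { barcode: 'C300', owningLib: 6 },
];

// Assumed model: a grant at an org unit also covers its descendants.
function coveredOrgs(grantedAt: number[], orgs: OrgUnit[]): Set<number> {
  const covered = new Set<number>(grantedAt);
  let grew = true;
  while (grew) {
    grew = false;
    for (const org of orgs) {
      if (org.parent !== null && covered.has(org.parent) && !covered.has(org.id)) {
        covered.add(org.id);
        grew = true;
      }
    }
  }
  return covered;
}

// UI layer: "View" always, "Edit" only where UPDATE_COPY covers the owning library.
function linksFor(copy: Copy, updateCopyOrgs: Set<number>): string[] {
  return updateCopyOrgs.has(copy.owningLib) ? ['View', 'Edit'] : ['View'];
}

// Server layer: the authoritative check, applied on save whatever the UI showed.
function saveCopy(copy: Copy, updateCopyOrgs: Set<number>): { ok: boolean; error?: string } {
  return updateCopyOrgs.has(copy.owningLib)
    ? { ok: true }
    : { ok: false, error: 'permission denied: UPDATE_COPY' };
}

// Builds the links column of the copy table for a user granted UPDATE_COPY at grantedAt.
function renderCopyTable(grantedAt: number[]): Record<string, string[]> {
  const allowed = coveredOrgs(grantedAt, ORGS);
  const table: Record<string, string[]> = {};
  for (const c of COPIES) { table[c.barcode] = linksFor(c, allowed); }
  return table;
}
```

With a grant at system 2, `renderCopyTable([2])` gives "Edit" for A100 and B200 but only "View" for C300, and `saveCopy` refuses C300 even if a link to the editor is reached some other way.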