Angular Catalog: "Edit" link displayed for all users, ignores UPDATE_COPY perm

Bug #1920815 reported by Dan Guarracino
28
This bug affects 5 people
Affects Status Importance Assigned to Milestone
Evergreen
Fix Released
High
Unassigned
3.6
Fix Released
High
Unassigned

Bug Description

Affects Evergreen 3.6 (observed in 3.6.1 and 3.6.2):

The staff catalog in 3.4 and prior releases would only display the "Edit" link next to copies in a record's copy table if the staff user had UPDATE_COPY permissions for the item. Otherwise, only the "View" link would display in the copy table.

The Angular staff catalog displays the "Edit" link next to all of a record's copies whether or not the staff user has permission to edit the item.

The "Traditional" staff catalog in 3.6 still hides the "Edit" link in the copy table appropriately.

Revision history for this message
Elizabeth Thomsen (et-8) wrote :

This is an important issue in our consortium. If a user without permission to edit items clicks on this link, they get to the editing screen where they can add, remove and change information. If they try to save the record, they get a permissions error, so there's no actual harm done, but it's confusing.

Where we have a real problem with this is that users see edit links for items owned by other libraries, which gives the impression that libraries can accidentally or intentionally edit each other's items. People are kind of horrified to discover that the link takes them to that editing screen, and they don't discover that the permission prevents them from actually editing the item because they are too careful to ever try this and click Save.

I'm attaching a screen showing with edit links for items owned by three different libraries, none of which match the library user logged it.

Michele Morgan (mmorgan)
Changed in evergreen:
status: New → Confirmed
importance: Undecided → High
Dan Briem (dbriem)
Changed in evergreen:
assignee: nobody → Dan Briem (dbriem)
Revision history for this message
Dan Briem (dbriem) wrote :
tags: added: pullrequest
Changed in evergreen:
assignee: Dan Briem (dbriem) → nobody
Revision history for this message
Michele Morgan (mmorgan) wrote :

This works great! Tested using staff users with UPDATE_COPY permission at the cons, system, and branch level, and the Edit link only appeared where appropriate.

Also tested using a staff user without UPDATE_COPY permission and the Edit link did not display.

My signoff branch is here:

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/mmorgan/lp1920815_signoff

tags: added: signedoff
Changed in evergreen:
milestone: none → 3.6.4
Revision history for this message
Galen Charlton (gmc) wrote :

Pushed all the way down to rel_3_6. Thanks, Dan and Michele!

Changed in evergreen:
milestone: 3.6.4 → 3.7-beta2
status: Confirmed → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.