UPDATE_VOLUME permissions not checking correctly when editing an item from staff screen

Bug #1920996 reported by Steve Callender
This bug affects 2 people
Affects: Evergreen | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

I've been testing this on 3.6, but I have a suspicion it's been like this for a while.

In the staff client, when using the "View | Edit" links to edit an item, you can change the owning library on a volume even if you do not have permission for that library to do so.

It looks like the permission check is firing off, but it's only checking if you have the permission to change the item at the destination org, not at the org it's sitting at.

For example, you have permissions for UPDATE_VOLUME at BR1 only.

You can edit an item that has volumes at BR5 and change them to be owned by BR1, and the permission check only cares if you have a working location of BR1 in order to do this.

Once that's done, the user can also edit everything else on the item that they weren't able to before.

I've tested it on two completely different systems.
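The following is an added illustration, not Evergreen's own code: it models the check the report describes (destination org only) next to a corrected check that requires UPDATE_VOLUME at both the org the volume currently sits at and the destination. The org tree, the grant list and the volume are constructed sample data; the function names are hypothetical, and the hierarchical grant lookup (a grant at an org covering its descendants) is an assumption about how such a check would be modelled, not a description of Evergreen's actual implementation.

```javascript
// Added example, not Evergreen project code. All names and data below are
// constructed for illustration.

// Constructed org tree: child -> parent. CONS is the root.
const ORG_PARENT = {
  CONS: null,
  SYS1: 'CONS', BR1: 'SYS1', BR2: 'SYS1',
  SYS2: 'CONS', BR5: 'SYS2',
};

// Constructed grants: this user holds UPDATE_VOLUME at BR1 only,
// matching the scenario in the report.
const BR1_ONLY_GRANTS = [{ perm: 'UPDATE_VOLUME', org: 'BR1' }];

// Constructed volume that currently lives at BR5.
const VOLUME_AT_BR5 = { id: 101, owning_lib: 'BR5' };

// Assumed lookup: a grant at an org applies to that org and everything
// below it, so we walk from the target org up to the root looking for a grant.
function hasPermAt(grants, perm, org) {
  for (let o = org; o !== null && o !== undefined; o = ORG_PARENT[o]) {
    if (grants.some(g => g.perm === perm && g.org === o)) return true;
  }
  return false;
}

// Weak check (the behaviour the report describes): only the destination
// org is consulted, so a BR1-only user can pull a BR5 volume into BR1.
function canChangeOwningLibWeak(grants, volume, newOwningLib) {
  return hasPermAt(grants, 'UPDATE_VOLUME', newOwningLib);
}

// Corrected check: the user must hold UPDATE_VOLUME where the volume is
// now AND where it is going. Lacking rights at the source blocks moving
// it out; lacking rights at the destination blocks moving it in.
function canChangeOwningLibStrict(grants, volume, newOwningLib) {
  return hasPermAt(grants, 'UPDATE_VOLUME', volume.owning_lib)
      && hasPermAt(grants, 'UPDATE_VOLUME', newOwningLib);
}

// Apply the edit only when the strict check passes. Returns the updated
// volume, or null when the change is refused. Because the move is refused,
// the follow-on problem in the report (the user then editing everything
// else on the item at its new home) never arises.
function updateOwningLib(grants, volume, newOwningLib) {
  if (!canChangeOwningLibStrict(grants, volume, newOwningLib)) return null;
  return { ...volume, owning_lib: newOwningLib };
}

// Reproduces the report's scenario: BR1-only user moving a BR5 volume to BR1.
function reportScenario() {
  return {
    weakAllows: canChangeOwningLibWeak(BR1_ONLY_GRANTS, VOLUME_AT_BR5, 'BR1'),
    strictAllows: canChangeOwningLibStrict(BR1_ONLY_GRANTS, VOLUME_AT_BR5, 'BR1'),
    result: updateOwningLib(BR1_ONLY_GRANTS, VOLUME_AT_BR5, 'BR1'),
  };
}

console.log(reportScenario());
```

Running it shows the weak check returning true and the strict check returning false for the same edit; a grant at a common ancestor (for example SYS1 for a BR2 to BR1 move, or CONS for any move) satisfies the strict check, which is the intended behaviour for staff who legitimately administer both locations.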

Michele Morgan (mmorgan) wrote:

Marking this Confirmed. I tested on a local 3.6.2 system. This should also be tested in the Angular holdings editor port, bug 1888723.

Changed in evergreen:
status: New → Confirmed
tags: added: cataloging permissions