2.0 edit volume not respecting cataloger user permissions
Bug #784062 reported by
Ben Shum
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Evergreen |
Fix Released
|
High
|
Lebbeous Fogle-Weekley | ||
Bug Description
Evergreen version: 2.0.1, 2.0.5, and 2.0.6
OpenSRF version: 1.6.2, 1.6.3, and 2.0.0
PostgreSQL version: 8.4
Linux distribution: Ubuntu Lucid
Tested at various sites and with several versions of Evergreen 2.0. It appears that when going to edit a volume in holdings maintenance, a cataloger user (or staff account) can change volume labels for libraries that they don't have working permissions for. This is despite setting the "update_volume" permission so that it only applies to branch-only depth and the cataloger does not have working locations set.
Jenny from PALS reports that this was not the case when tested with their 1.6.1 server, so it appears that this is only affecting 2.0+ at this time.
Revision history for this message
| Lebbeous Fogle-Weekley (lebbeous) wrote | #1 |
| Changed in evergreen: | |
| assignee: | nobody → Lebbeous Fogle-Weekley (lebbeous) |
| status: | Confirmed → In Progress |
Revision history for this message
| Lebbeous Fogle-Weekley (lebbeous) wrote | #2 |
| Changed in evergreen: | |
| status: | In Progress → Fix Committed |
| Changed in evergreen: | |
| milestone: | none → 2.0.7 |
| Changed in evergreen: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
Hey Ben,
I'm not all that certain if I'm using our new git repo in the prescribed way, but the simple patch below should fix the problem in a basic test I conducted. If you can confirm it, (ooh maybe even sign-off!) I'll get it into master, rel_2_0 and rel_2_1.
http://
Thanks