Permission checkpoint is needed for editing due dates of non-owned items

Bug #1378025 reported by Michele Morgan
This bug affects 1 person

Bug Description

Evergreen needs a permission check to prevent staff users from editing due dates of items that are not owned by the checkout library.

The current permission that controls editing due dates, CIRC_OVERRIDE_DUE_DATE, allows a staff user with that permission to edit the due date on any item.

For systems with circulation policies based on the owning library of the copy, a permission checkpoint that respects ownership is necessary to prevent staff users from overriding the owning library's circulation policy.

This should probably be a separate permission check from CIRC_OVERRIDE_DUE_DATE.

Permissions that control editing due dates should allow the following flexibility in configuring permitted staff user functions:

- A staff user is not permitted to edit any due dates.

- A staff user is permitted to edit due dates only for items owned by the checkout library.

- A staff user is permitted to edit due dates for any item.
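The three configurations listed above can be modelled as a two-gate check. This is an added sketch, not part of the original report and not Evergreen code: the org-unit tree, the users, the permission name `EDIT_DUE_DATE_NON_OWNED`, and the choice to evaluate the second permission at the owning library are all assumptions made for illustration.

```python
# Constructed org-unit tree (child -> parent); all names are sample data.
PARENT = {"CONS": None, "SYS1": "CONS", "SYS2": "CONS",
          "BR1": "SYS1", "BR2": "SYS1", "BR3": "SYS2"}

CIRC_OVERRIDE_DUE_DATE = "CIRC_OVERRIDE_DUE_DATE"  # permission named in the report
EDIT_NON_OWNED = "EDIT_DUE_DATE_NON_OWNED"         # hypothetical name for the new permission


def ancestors_and_self(org):
    """Yield org and each ancestor up to the root; unknown orgs have no ancestors."""
    while org is not None:
        yield org
        org = PARENT.get(org)


def has_perm(grants, user, perm, org):
    """True if the user holds perm at org or at any ancestor of org."""
    held = grants.get(user, set())
    return any((perm, unit) in held for unit in ancestors_and_self(org))


def can_edit_due_date(grants, user, checkout_lib, owning_lib):
    # Gate 1: the existing permission, evaluated at the checkout library.
    if not has_perm(grants, user, CIRC_OVERRIDE_DUE_DATE, checkout_lib):
        return False
    # Items owned by the checkout library need nothing further.
    if owning_lib == checkout_lib:
        return True
    # Gate 2 (assumed design): the separate permission, evaluated at the
    # owning library, so that library's policy cannot be overridden by
    # staff who were only granted rights elsewhere in the tree.
    return has_perm(grants, user, EDIT_NON_OWNED, owning_lib)


# Constructed grants: (permission, org unit where it was granted).
GRANTS = {
    "no_edit": set(),
    "own_items_only": {(CIRC_OVERRIDE_DUE_DATE, "BR1")},
    "sys1_staff": {(CIRC_OVERRIDE_DUE_DATE, "SYS1"), (EDIT_NON_OWNED, "SYS1")},
    "any_item": {(CIRC_OVERRIDE_DUE_DATE, "CONS"), (EDIT_NON_OWNED, "CONS")},
}

if __name__ == "__main__":
    for user in GRANTS:
        for owner in ("BR1", "BR2", "BR3"):
            print(user, "checkout=BR1 owner=" + owner,
                  can_edit_due_date(GRANTS, user, "BR1", owner))
```

The `sys1_staff` row shows a fourth configuration the same two permissions allow: editing due dates for items owned anywhere inside one system but not outside it.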

Kathy Lussier (klussier)
Changed in evergreen:
status: New → Triaged
importance: Undecided → Wishlist
tags: added: circulation permissions
removed: wishlist