Staff users can have permission at a more restrictive depth than assigned via a permission group

Bug #1480432 reported by Michele Morgan on 2015-07-31
This bug affects 3 people

Bug Description

With a hierarchical permission group structure, and assigned permissions similar to the following:

 |_Basic Circulation - SET_CIRC_CLAIMS_RETURNED at depth 1
    |_Circulation Supervisor - SET_CIRC_CLAIMS_RETURNED at depth 0

A staff user in the Circulation Supervisor permission group can actually be authorized at the more restrictive depth of the parent permission group.

The database function permission.usr_perms() does a SELECT DISTINCT but does not impose an explicit sort on the depth of permissions associated with a user. Consequently, when a user has the same permission from more than one group, the actual selected row can be less permissive than intended.
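The effect the description refers to, reproduced as an added example that is not Evergreen's code: the tables below are a constructed, simplified sketch loosely modelled on the permission.grp_tree / permission.grp_perm_map / actor.usr layout, the user and group names are made up, and the "resolved" query picks the lowest depth per permission with MIN() for illustration rather than reproducing the branch's actual change to permission.usr_perms(). It shows why a DISTINCT over (permission, depth) still yields two rows for the same permission when parent and child groups grant it at different depths, and what a caller should see once those rows are collapsed to the least restrictive depth.

```python
import sqlite3

# Constructed toy schema, loosely modelled on Evergreen's permission.grp_tree,
# permission.perm_list, permission.grp_perm_map and actor.usr. It is an
# illustration, not the project's schema or the body of permission.usr_perms().
SCHEMA = """
CREATE TABLE grp_tree     (id INTEGER PRIMARY KEY, name TEXT NOT NULL, parent INTEGER);
CREATE TABLE perm_list    (id INTEGER PRIMARY KEY, code TEXT NOT NULL);
CREATE TABLE grp_perm_map (grp INTEGER NOT NULL, perm INTEGER NOT NULL, depth INTEGER NOT NULL);
CREATE TABLE usr          (id INTEGER PRIMARY KEY, usrname TEXT NOT NULL, profile INTEGER NOT NULL);
"""

# Constructed sample data reproducing the report: the parent group grants the
# permission at depth 1 (more restrictive), the child group at depth 0 (system-wide).
SAMPLE = """
INSERT INTO grp_tree VALUES (1, 'Users', NULL);
INSERT INTO grp_tree VALUES (2, 'Staff', 1);
INSERT INTO grp_tree VALUES (3, 'Basic Circulation', 2);
INSERT INTO grp_tree VALUES (4, 'Circulation Supervisor', 3);
INSERT INTO perm_list VALUES (10, 'SET_CIRC_CLAIMS_RETURNED');
INSERT INTO perm_list VALUES (11, 'COPY_CHECKOUT');
INSERT INTO grp_perm_map VALUES (3, 10, 1);
INSERT INTO grp_perm_map VALUES (4, 10, 0);
INSERT INTO grp_perm_map VALUES (3, 11, 1);
INSERT INTO usr VALUES (100, 'circ_super', 4);
"""

# Walk from the user's profile group up through every ancestor group.
LINEAGE = """
WITH RECURSIVE lineage(id, parent) AS (
    SELECT g.id, g.parent FROM grp_tree g JOIN usr u ON u.profile = g.id WHERE u.id = :usr
    UNION ALL
    SELECT g.id, g.parent FROM grp_tree g JOIN lineage l ON g.id = l.parent
)
"""

# Shape of the problem: DISTINCT removes identical rows only. Two grants of the
# same permission at different depths are distinct rows, so the permission comes
# back twice and nothing orders which row a caller picks up first.
UNRESOLVED = LINEAGE + """
SELECT DISTINCT p.code, m.depth
FROM lineage l
JOIN grp_perm_map m ON m.grp = l.id
JOIN perm_list p ON p.id = m.perm
"""

# Resolved form: one row per permission, keeping the lowest depth, i.e. the least
# restrictive grant the user holds through any group in the lineage.
RESOLVED = LINEAGE + """
SELECT p.code, MIN(m.depth) AS depth
FROM lineage l
JOIN grp_perm_map m ON m.grp = l.id
JOIN perm_list p ON p.id = m.perm
GROUP BY p.code
ORDER BY p.code
"""


def open_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def unresolved_perms(conn, usr_id):
    """Every (code, depth) row granted by a group in the user's lineage, sorted for display."""
    return sorted(conn.execute(UNRESOLVED, {"usr": usr_id}).fetchall())


def resolved_perms(conn, usr_id):
    """One depth per permission code: the least restrictive grant."""
    return dict(conn.execute(RESOLVED, {"usr": usr_id}).fetchall())


def effective_depth(conn, usr_id, code):
    """Depth at which the user holds `code`, or None if no group in the lineage grants it."""
    return resolved_perms(conn, usr_id).get(code)


if __name__ == "__main__":
    db = open_db()
    print("unresolved:", unresolved_perms(db, 100))
    print("resolved:  ", resolved_perms(db, 100))
```

Running the script prints the two rows for SET_CIRC_CLAIMS_RETURNED in the unresolved result and a single depth-0 entry in the resolved one; a check that reads only the first unresolved row is exactly the case the report describes, where the supervisor can end up bound to the parent group's depth 1.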

Michele Morgan (mmorgan) on 2015-07-31
Changed in evergreen:
assignee: nobody → Michele Morgan (mmorgan)
Michele Morgan (mmorgan) wrote :

A working branch to change the sort of retrieved permissions in the function permission.usr_perms() is at:;a=shortlog;h=refs/heads/user/mmorgan/LP_1480432_staff_user_permission_depth_fix

Changed in evergreen:
assignee: Michele Morgan (mmorgan) → nobody
tags: added: pullrequest
Galen Charlton (gmc) on 2017-05-02
tags: added: needstest
Kathy Lussier (klussier) on 2017-07-19
Changed in evergreen:
milestone: none → 2.12.4
milestone: 2.12.4 → 3.0-alpha
Galen Charlton (gmc) on 2017-08-08
Changed in evergreen:
importance: Undecided → Medium
status: New → Confirmed
Galen Charlton (gmc) wrote :

Merged to master. Thanks, Michele and Cesar!

Changed in evergreen:
status: Confirmed → Fix Committed
Changed in evergreen:
status: Fix Committed → Fix Released