Comment 1 for bug 1718032

Michele Morgan (mmorgan) wrote :

As a use case, in our consortium of public and academic institutions, academic patron records are maintained by the institution; public library staff do not have permission to edit or delete them. We use the group application permissions to enforce this. The MERGE_USERS permission should definitely not override the group application permissions.

Another twist on this bug. A logged-in staff user is not able to edit their own account, but they are not prevented from deleting their own staff account (even while logged in) by merging it with another account.

We recently had a situation where a logged-in staff user merged their own record with a public patron, deleting their own account and attributing all the staff assets to the public patron.

So, in addition to the merge function respecting the group application permissions, the logged-in user should be prevented from using the merge function on their own account.
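
Added example, not part of the comment above and not the project's own code: a minimal Python model of the merge authorization the comment asks for, where `MERGE_USERS` alone is not sufficient, every record in the merge must be editable under the group application permissions, and the acting user's own account is always refused. The `User` class, the group-to-permission mapping and the sample accounts are assumptions constructed for illustration; only `MERGE_USERS` comes from the comment.

```python
from dataclasses import dataclass

MERGE_USERS = "MERGE_USERS"

@dataclass(frozen=True)
class User:
    id: int
    group: str                      # permission group the account belongs to
    perms: frozenset = frozenset()  # permissions held when acting as staff

# Constructed mapping: permission needed to edit accounts in each group
# (stands in for the "group application permissions" in the comment).
GROUP_APPLICATION_PERM = {
    "Public Patron": "group_application.user.patron",
    "Academic Patron": "group_application.user.academic",
    "Staff": "group_application.user.staff",
}

def merge_denial_reasons(actor, lead, subordinates):
    """Return every reason the merge must be refused; an empty list means allowed."""
    reasons = []
    if MERGE_USERS not in actor.perms:
        reasons.append("actor lacks MERGE_USERS")
    # The lead record is modified and the subordinates are deleted, so the
    # actor needs edit rights over all of them, not just MERGE_USERS.
    for rec in [lead, *subordinates]:
        if rec.id == actor.id:
            reasons.append(f"user {rec.id}: cannot merge own account")
        needed = GROUP_APPLICATION_PERM.get(rec.group)
        if needed is None or needed not in actor.perms:  # unknown group: fail closed
            reasons.append(f"user {rec.id}: no permission to edit group {rec.group!r}")
    return reasons

# Constructed sample accounts.
staff = User(1, "Staff", frozenset({MERGE_USERS, "group_application.user.patron"}))
admin = User(5, "Staff", frozenset({MERGE_USERS, "group_application.user.patron",
                                    "group_application.user.staff"}))
public_a = User(2, "Public Patron")
public_b = User(3, "Public Patron")
academic = User(4, "Academic Patron")

if __name__ == "__main__":
    for label, args in [("public+public", (staff, public_a, [public_b])),
                        ("public+academic", (staff, public_a, [academic])),
                        ("public+self", (staff, public_a, [staff])),
                        ("admin self", (admin, public_a, [admin]))]:
        print(label, "->", merge_denial_reasons(*args) or "allowed")
```

The self-merge check is separate from the group check on purpose: the `admin` account can edit staff records yet is still refused when its own account is one of the records being merged.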