Return of the "user can edit themselves" bug

Bug #1842940 reported by Mike Rylander
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Evergreen
High
Unassigned
3.2
High
Unassigned
3.3
High
Unassigned

Bug Description

Evergreen version: 3.2+ (all web staff clients, AFAICT)

Back in bug #1446860 we made it so that staff could not edit their own accounts in the Dojo user registration/editing UI. The web staff client, however, does not protect against that -- nor against editing users in profile groups for which the editing user lacks the appropriate group application permission.

A branch is forthcoming to address these issues.

Revision history for this message
Mike Rylander (mrylander) wrote :
tags: added: pullrequest
Revision history for this message
Bill Erickson (berick) wrote :

Thanks, Mike.

As a heads up, arrow functions in AngJS break the test runner.

e.g. .filter(p => $scope.patron.profile.id() == p.id()).

Revision history for this message
Mike Rylander (mrylander) wrote :

Bah, thanks for the head's up, Bill. I'll force-push a function-y version in a moment.

That's what I get for trying to be like the cool kids...

Revision history for this message
Mike Rylander (mrylander) wrote :

Existing branch force-updated.

Changed in evergreen:
assignee: Mike Rylander (mrylander) → nobody
Revision history for this message
Jeff Davis (jdavis-sitka) wrote :

In some cases you want staff to be able to edit their own accounts, e.g. a small library with a single local admin who needs to update the expiry date on their account. This ability should be governed by a permission, like so (building on Mike's branch):

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jeffdavis/lp1842940-user-edit-restrictions-perm

Revision history for this message
Mike Rylander (mrylander) wrote :

Thanks, Jeff. I picked your commit, signed off on it, and squashed a minor change into it to fetch the permission for testing. That's back on my branch at:

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/miker/lp-1842940-user-edit-restrictions

Revision history for this message
Jane Sandberg (sandbej) wrote :

One small request: could you add a small message to the tt2 form that tells users that they have insufficient permissions? We had some complaints about the Dojo interface behavior not being very obvious.

Galen Charlton (gmc)
Changed in evergreen:
status: New → Fix Committed
status: Fix Committed → Confirmed
importance: Undecided → High
milestone: 3.4-beta1 → 3.4-beta2
Revision history for this message
Mike Rylander (mrylander) wrote :

Hi Jane,

I've attempted to implement your request in a new commit on the branch linked in comment #6. I'll run it through its paces soon, but I'd appreciate more eyes!

TIA

Jane Sandberg (sandbej)
Changed in evergreen:
assignee: nobody → Jane Sandberg (sandbej)
Revision history for this message
Jane Sandberg (sandbej) wrote :

That's great, Mike! Thanks for adding the messages -- those will really help with troubleshooting.

They look mainly good -- the only issue is that these messages cut off the patron summary on the left side of the screen for me (screenshot attached).

Otherwise, I'm very happy with this, and have a signoff branch here: user/sandbergja/lp-1842940-user-edit-restrictions. I also took the liberty of rebasing that one against master, fixing a small merge conflict, and changing the ID of the new permission.

tags: added: signedoff
Revision history for this message
Mike Rylander (mrylander) wrote :

Thanks, Jane. The best idea I could come up with was to put the alert divs in a container inside the button container and give that alert container css like:

#no-edit-alert-container {
    z-index: 10;
    position: absolute;
    bottom: -200px;
}

That should make them "float" above the content but not extend the height of the sticky bar at the top.

I'm not in a position to push anywhere for testing this morning, unfortunately. Also, UI design is not my ... strongest skill.

Force-pushed a commit for that back to my branch, with your signoffs included.

Revision history for this message
Mike Rylander (mrylander) wrote :

FWIW, the approach I show above is working for me in testing -- no clipped editor pane, and the alerts float nicely below the buttons. If anyone wants to bike-shed the details of the CSS, or the eventual committer would like to forcibly adjust them, I certainly won't be hurt.

Galen Charlton (gmc)
Changed in evergreen:
milestone: 3.4-beta2 → 3.4-rc
Jane Sandberg (sandbej)
Changed in evergreen:
assignee: Jane Sandberg (sandbej) → nobody
status: Confirmed → Fix Committed
Galen Charlton (gmc)
Changed in evergreen:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers