Return of the "user can edit themselves" bug

Bug #1842940 reported by Mike Rylander on 2019-09-05
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Evergreen | | High | Jane Sandberg |
3.2 | | High | Unassigned |
3.3 | | High | Unassigned |

Bug Description

Evergreen version: 3.2+ (all web staff clients, AFAICT)

Back in bug #1446860 we made it so that staff could not edit their own accounts in the Dojo user registration/editing UI. The web staff client, however, does not protect against that -- nor against editing users in profile groups for which the editing user lacks the appropriate group application permission.

A branch is forthcoming to address these issues.

Bill Erickson (berick) wrote :

Thanks, Mike.

As a heads up, arrow functions in AngJS break the test runner.

e.g. .filter(p => $scope.patron.profile.id() == p.id()).

Mike Rylander (mrylander) wrote :

Bah, thanks for the heads-up, Bill. I'll force-push a function-y version in a moment.

That's what I get for trying to be like the cool kids...

Mike Rylander (mrylander) wrote :

Existing branch force-updated.

Changed in evergreen:
assignee: Mike Rylander (mrylander) → nobody

Jeff Davis (jdavis-sitka) wrote :

In some cases you want staff to be able to edit their own accounts, e.g. a small library with a single local admin who needs to update the expiry date on their account. This ability should be governed by a permission, like so (building on Mike's branch):

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jeffdavis/lp1842940-user-edit-restrictions-perm
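
The two checks from the bug description (no self-editing, no editing users in profile groups the editor lacks the application permission for), plus the permission-governed self-edit exception proposed above, as an added example that is not code from the Evergreen branches in this thread. Every identifier, the permission placeholder and the sample groups are assumptions; function expressions are used instead of arrow functions.

```javascript
// Added example: names are hypothetical, not Evergreen's own API.
// Placeholder: the thread does not state the new permission's code.
var SELF_EDIT_PERM = 'SELF_EDIT_PERM_PLACEHOLDER';

// Constructed sample data: profile groups and the permission needed to edit
// users in each (null = no permission required, an assumption of this sketch).
var GROUPS = [
  { id: 1, name: 'Patrons', applicationPerm: 'APPLY_GROUP_PATRONS' },
  { id: 2, name: 'Circulators', applicationPerm: 'APPLY_GROUP_CIRCULATORS' },
  { id: 3, name: 'Local Admin', applicationPerm: 'APPLY_GROUP_LOCAL_ADMIN' },
  { id: 4, name: 'Users', applicationPerm: null }
];

function findGroup(groups, id) {
  var hits = groups.filter(function (g) { return g.id === id; });
  return hits.length === 1 ? hits[0] : null;
}

// Decide whether `editor` may edit `patron`; returns { allowed, reason }.
function checkEdit(editor, patron, groups) {
  var held = editor.perms || [];
  // Check 1: editing your own account needs the explicit self-edit permission.
  if (editor.id === patron.id && held.indexOf(SELF_EDIT_PERM) === -1) {
    return { allowed: false, reason: 'self-edit' };
  }
  var group = findGroup(groups, patron.profile);
  if (!group) {
    // Unknown profile group: fail closed rather than assume it is editable.
    return { allowed: false, reason: 'unknown-group' };
  }
  // Check 2: the target's profile group must be one the editor may apply.
  if (group.applicationPerm && held.indexOf(group.applicationPerm) === -1) {
    return { allowed: false, reason: 'group-permission' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed users for the demonstration.
var circ = { id: 10, profile: 2, perms: ['APPLY_GROUP_PATRONS'] };
var admin = { id: 20, profile: 3, perms: ['APPLY_GROUP_LOCAL_ADMIN', SELF_EDIT_PERM] };
var patron = { id: 30, profile: 1, perms: [] };

console.log(checkEdit(circ, patron, GROUPS)); // circulator edits a patron
console.log(checkEdit(circ, circ, GROUPS));   // circulator edits own account
console.log(checkEdit(circ, admin, GROUPS));  // circulator edits a local admin
console.log(checkEdit(admin, admin, GROUPS)); // admin holding the self-edit perm
```

The `reason` value gives the form something specific to tell the user when editing is refused.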

Mike Rylander (mrylander) wrote :

Thanks, Jeff. I picked your commit, signed off on it, and squashed a minor change into it to fetch the permission for testing. That's back on my branch at:

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/miker/lp-1842940-user-edit-restrictions

Jane Sandberg (sandbej) wrote :

One small request: could you add a small message to the tt2 form that tells users that they have insufficient permissions? We had some complaints about the Dojo interface behavior not being very obvious.

Galen Charlton (gmc) on 2019-09-11
Changed in evergreen:
status: New → Fix Committed
status: Fix Committed → Confirmed
importance: Undecided → High
milestone: 3.4-beta1 → 3.4-beta2

Mike Rylander (mrylander) wrote :

Hi Jane,

I've attempted to implement your request in a new commit on the branch linked in comment #6. I'll run it through its paces soon, but I'd appreciate more eyes!

TIA

Jane Sandberg (sandbej) on 2019-09-13
Changed in evergreen:
assignee: nobody → Jane Sandberg (sandbej)

Jane Sandberg (sandbej) wrote :

That's great, Mike! Thanks for adding the messages -- those will really help with troubleshooting.

They look mainly good -- the only issue is that these messages cut off the patron summary on the left side of the screen for me (screenshot attached).

Otherwise, I'm very happy with this, and have a signoff branch here: user/sandbergja/lp-1842940-user-edit-restrictions. I also took the liberty of rebasing that one against master, fixing a small merge conflict, and changing the ID of the new permission.

tags: added: signedoff