No permission check for new volume/item creation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | New | Undecided | Unassigned |
Bug Description
We have recently upgraded from Evergreen 3.1 to 3.3 and implemented a complete revamp of our permission structure to include a strict requirement that anyone who creates/deletes items or bibs must pass cataloging assessments. However, we have found that staff can create new volume/call# and item records with only the permissions granted to Circulator (and inherited from Evergreen Staff): https:/
Those permissions definitely do not include CREATE_VOLUME or CREATE_COPY, which should be the permissions checked before Evergreen permits a user to create a new item or call# record, right? I don't see any other permissions that should supersede those, but am I missing something?
Here is the workflow I followed:
1. Log into web staff client with staff login account assigned to Circulator
2. Go to Cataloging>Retrieve bib Record by TCN and enter 11173473
3. Click on Add Holdings
4. Add barcode, change a few fields
5. Click Save & Exit (also able to click on Store Selected and Save & Exit from Completed Items tab)
I added new item, barcode testcirc1 here in dev database (Evergreen 3.1) for TCN 11173473: http://
I added new item, barcode testcirc here in next database (Evergreen 3.3) for TCN 11173473: https:/
This is an extremely worrisome issue for us, as we do not want staff to be able to create item or call number records without passing our cataloging assessments and being assigned to the cataloging permission groups with CREATE_VOLUME and CREATE_COPY permissions.
tags: removed: cataloging
description: updated
description: updated
description: updated
tags: added: cataloging
April,
The workflow you mentioned seems to be using this API function:
open-ils.cat.asset.volume.fleshed.batch.update.override
It seems like that ends up using the CStoreEditor autogenerated function "create_asset_call_number". CStoreEditor does some permissions checking, but I'm not able to dig deep enough into it right now. Hopefully this puts someone else on the right path.
Also, are you testing with a user that has either of the UPDATE_VOLUME/UPDATE_COPY permissions?
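The bug class the thread is circling (a batch "update" call that also accepts brand-new records, with the permission check keyed on the wrong operation or skipped for records that have no id yet) as an added illustration. This is hypothetical Python written for this page, not Evergreen or CStoreEditor code: `User`, `Volume`, `FakeDB`, the `VOLUME_PERMS` table and the two `batch_update_*` handlers are all constructed here to show the vulnerable shape beside the hardened one, and the permission names match the ones the report mentions only by convention.

```python
# Added illustration, not Evergreen code. A batch "update" endpoint that also
# accepts new records: if the permission check is keyed only on UPDATE_*,
# or is skipped for records without an id, anyone reaching the endpoint can
# create records without CREATE_VOLUME. The hardened version derives the
# required permission from what is actually being done to each record.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class User:
    name: str
    perms: Set[str]            # permissions held at the relevant org unit


@dataclass
class Volume:
    id: Optional[int]          # None = new record, not yet in the database
    label: str
    isdeleted: bool = False


class PermissionDenied(Exception):
    pass


class FakeDB:
    """Constructed in-memory store standing in for the real database."""
    def __init__(self) -> None:
        self.rows: Dict[int, Volume] = {}
        self._next_id = 1

    def save(self, vol: Volume) -> int:
        if vol.id is None:
            vol.id = self._next_id
            self._next_id += 1
        if vol.isdeleted:
            self.rows.pop(vol.id, None)
        else:
            self.rows[vol.id] = vol
        return vol.id


# Hypothetical permacrud-style table: operation -> permission it requires.
VOLUME_PERMS = {"create": "CREATE_VOLUME",
                "update": "UPDATE_VOLUME",
                "delete": "DELETE_VOLUME"}


def operation_for(vol: Volume) -> str:
    """Classify what saving this record actually does."""
    if vol.isdeleted:
        return "delete"
    return "create" if vol.id is None else "update"


def batch_update_vulnerable(user: User, volumes: List[Volume], db: FakeDB) -> List[int]:
    """Bug: only existing records are checked, and only against UPDATE_VOLUME.
    A new record (id is None) is saved with no permission check at all."""
    saved = []
    for vol in volumes:
        if vol.id is not None and "UPDATE_VOLUME" not in user.perms:
            raise PermissionDenied(f"{user.name} lacks UPDATE_VOLUME")
        saved.append(db.save(vol))
    return saved


def batch_update_hardened(user: User, volumes: List[Volume], db: FakeDB) -> List[int]:
    """Fix: map each record to create/update/delete and require that
    permission; check the whole batch before writing anything."""
    for vol in volumes:
        needed = VOLUME_PERMS[operation_for(vol)]
        if needed not in user.perms:
            raise PermissionDenied(f"{user.name} lacks {needed}")
    return [db.save(vol) for vol in volumes]


def attempt(handler, user: User, volumes: List[Volume], db: FakeDB) -> Tuple[str, object]:
    """Run a handler and report ('ok', ids) or ('denied', message)."""
    try:
        return ("ok", handler(user, volumes, db))
    except PermissionDenied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    # Constructed users: a circulator with no cataloging permissions and a
    # cataloger who holds CREATE_VOLUME.
    circulator = User("circulator", {"COPY_CHECKOUT", "COPY_CHECKIN"})
    cataloger = User("cataloger", {"CREATE_VOLUME", "UPDATE_VOLUME"})
    print(attempt(batch_update_vulnerable, circulator, [Volume(None, "TEST 001")], FakeDB()))
    print(attempt(batch_update_hardened, circulator, [Volume(None, "TEST 001")], FakeDB()))
    print(attempt(batch_update_hardened, cataloger, [Volume(None, "TEST 001")], FakeDB()))
```

The check worth carrying back to the real code is the one `operation_for` makes explicit: an "update" entry point must decide per record whether it is creating, updating or deleting, and require the matching permission, so a user with only UPDATE_VOLUME (or with neither) cannot slip a new call number or copy through the batch path.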