Angular client permission lookup broken

Bug #1860351 reported by Galen Charlton on 2020-01-20
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Evergreen
High
Unassigned
3.3
High
Unassigned

Bug Description

The Angular hasWorkPermHere() routine, when given a list of permissions, is meant to respond with a structure indicating whether or not the user has those permissions at their current workstation (or more precisely, at the OU associated with that workstation).

However, the check is broken and it ends up trying to compare a list of OUs that each permission is available at with the workstation _ID_, not the workstation's owning library. As a consequence, depending on the vagaries of the OU IDs and the workstation IDs, it may incorrectly report whether the user actually has the permission.

Interfaces that currently use this routine include:

- experimental staff catalog conjoined item editor
- experimental staff catalog parts editor
- experimental staff catalog hold placement override check

Evergreen 3.2+
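
The mismatch described in the report, as an added example that is not Evergreen's code or part of the original report: it models a permission check that tests the workstation ID against each permission's OU list, beside a version that tests the workstation's owning OU. The type names, function names, permission names and IDs are all constructed for illustration.

```typescript
// Constructed model; names and IDs are hypothetical, not Evergreen's API.
interface Session {
  workstationId: number; // row ID of the workstation registration
  workstationOu: number; // org unit (OU) that owns the workstation
}

// For each permission name, the OU IDs at which the user holds it.
type PermOuMap = Record<string, number[]>;
type PermAnswers = Record<string, boolean>;

// Faulty variant: looks up the workstation ID in a list of OU IDs.
// Both are integers, so the comparison is well-typed and fails silently.
function hasWorkPermHereFaulty(perms: PermOuMap, s: Session): PermAnswers {
  const answers: PermAnswers = {};
  for (const name of Object.keys(perms)) {
    answers[name] = perms[name].indexOf(s.workstationId) > -1;
  }
  return answers;
}

// Corrected variant: looks up the OU that owns the workstation.
function hasWorkPermHere(perms: PermOuMap, s: Session): PermAnswers {
  const answers: PermAnswers = {};
  for (const name of Object.keys(perms)) {
    answers[name] = perms[name].indexOf(s.workstationOu) > -1;
  }
  return answers;
}

// Regression helper: permissions on which the two variants disagree.
function disagreements(perms: PermOuMap, s: Session): string[] {
  const bad = hasWorkPermHereFaulty(perms, s);
  const good = hasWorkPermHere(perms, s);
  return Object.keys(perms).filter((name) => bad[name] !== good[name]);
}

// Constructed sample: workstation 7 is registered at OU 4.
const sampleSession: Session = { workstationId: 7, workstationOu: 4 };
const samplePerms: PermOuMap = {
  PERM_A: [4, 5, 6], // held at the workstation's OU: should be granted
  PERM_B: [7],       // held only at OU 7, which merely shares the ID 7
};
// Faulty result: PERM_A denied, PERM_B granted. Corrected: the reverse.
```

The sample errs in both directions: a permission the user holds at the workstation's OU is reported as missing, and one held only at an unrelated OU is reported as present because that OU's ID happens to equal the workstation ID.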

Galen Charlton (gmc) wrote :

Setting importance to High not so much because of the current impact but because of the potential impact.

Changed in evergreen:
milestone: none → 3.4.2
Galen Charlton (gmc) wrote :

Noting that while the bug is in 3.2, nothing in 3.2 is actually using the faulty routine.

Galen Charlton (gmc) wrote :

A patch is available here:

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=commit;h=6a3206c8b8682d99f98e95c1807a74c1bb1e0d99

This patch is part of an unrelated topic branch, but doesn't depend on anything else in that branch.

tags: added: angular pullrequest
Bill Erickson (berick) on 2020-01-21
Changed in evergreen:
status: New → Confirmed
assignee: nobody → Bill Erickson (berick)
Bill Erickson (berick) wrote :

Issue and fix confirmed. Thanks, Galen. Pushed to 3.3+.

Changed in evergreen:
status: Confirmed → Fix Committed
assignee: Bill Erickson (berick) → nobody
Changed in evergreen:
status: Fix Committed → Fix Released