Evergreen

Booking - Resource Type drop down should limit choices by owning library

Bug #1873048 reported by Christine Burns
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Evergreen
Fix Released
High
Unassigned
Evergreen 3.5.0
3.4
Fix Released
High
Unassigned
Evergreen 3.4.3

Bug Description

Evergreen 3.4
https://demo.evergreencatalog.com/eg/staff/home

Booking Admin - Resource Type drop down should limit choices by owning library

The Resource type drop down menu includes all Resource types. This list should be limited to the Resource types owned by the Owning library + descendants

This will cause confusion when creating new resources

Using the test server working at BR1 when creating a new resource I expect the resource type drop down to contain the resource types owned by SY1 & BR1. Instead I am seeing all the resource types owned by all the libraries in the consortium. (see screenshots)

In previous versions the resource type drop down did limit choices by owning library

Revision history for this message
Christine Burns (christine-burns) wrote :
Christine Burns (christine-burns)
summary: - Booking Admin - Resource Type drop down should limit choices by owning
- library
+ Booking - Resource Type drop down should limit choices by owning library
Revision history for this message
Christine Burns (christine-burns) wrote :
Revision history for this message
Jeff Davis (jdavis-sitka) wrote :

Confirmed on a 3.5 beta1 server with the usual test data. The "Kobo Aura ONE ereader" and "VeryPC Treeton Laptop" resource types are owned by BR3, but they show up as available resource types on Create Reservation when scoped to BR1.

It appears that different org units can re-use the same resource type name (e.g. both BR1 and BR3 can have separate "Chromebook" resource types), so the lack of scoping here could definitely cause problems.

Changed in evergreen:
status: New → Confirmed
importance: Undecided → High
milestone: none → 3.5.0
Jeff Davis (jdavis-sitka)
tags: added: regression
Revision history for this message
Jeff Davis (jdavis-sitka) wrote :

Working branch user/jeffdavis/lp1873048-lp1835127-booking-perms has a commit that adjusts resource type permissions, so that you can't see resource types owned by org units where you don't have the ADMIN_BOOKING_RESOURCE_TYPE perm:

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=commitdiff;h=4d5977d6

This is a partial fix. Ideally, org unit filters would still apply to the resource type dropdown on various screens. But at least this commit will prevent you from seeing all resource types across the consortium if your booking perms are narrower than that.

There's an additional commit in the same branch which adds similar scoping restrictions on booking.reservation and booking.reservation_attr_value_map, per bug 1835127. It would make sense to apply both fixes at the same time.

tags: added: permissions pullrequest
Revision history for this message
Jeff Davis (jdavis-sitka) wrote :

Turns out we need a separate retrieve perm for resource types. There will be cases where resource types are owned at the system level (thus system-level view perm is required) but circ staff only have branch-level perms for managing reservations. See https://bugs.launchpad.net/evergreen/+bug/1835127/comments/2 and https://bugs.launchpad.net/evergreen/+bug/1816475/comments/19. Thanks to Jane Sandberg for pointing this out.

So, rather than reusing ADMIN_BOOKING_RESOURCE_TYPE as a retrieve perm, working branch user/jeffdavis/lp1873048-booking-resource-view-perms adds a new VIEW_BOOKING_RESOURCE_TYPE perm, which can be scoped to the system level or whatever, as needed. A new VIEW_BOOKING_RESOURCE perm is also added for consistency.

https://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/jeffdavis/lp1873048-booking-resource-view-perms

Revision history for this message
Jane Sandberg (sandbergja) wrote :

Thanks, Jeff! Here is a signoff branch: user/sandbergja/lp1873048-booking-resource-view-perms

tags: added: signedoff
Chris Sharp (chrissharp123)
Changed in evergreen:
assignee: nobody → Chris Sharp (chrissharp123)
Revision history for this message
Chris Sharp (chrissharp123) wrote :

Pushed to 3.4, 3.5, and master. Thanks, Jeff and Jane!

Changed in evergreen:
assignee: Chris Sharp (chrissharp123) → nobody
status: Confirmed → Fix Committed
Evergreen Bug Maintenance (bugmaster)
Changed in evergreen:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.