This bug is a follow-up to https://bugs.launchpad.net/evergreen/+bug/1206589. The reason for opening this bug is that the fix to the previous bug is incomplete. That fix prevented unauthenticated, third-party access to the library settings history, but it did not address the underlying issue that made that access possible. The history feature still has the bugs of not following the permission model used by the org. unit settings and of exposing data for locations outside of the current user's organizational unit ancestor hierarchy. At this point, however, the data is only exposed to accounts with the STAFF_LOGIN permission.
To address these problems, the following changes need to be made:
* The open-ils.pcrud controller, along with the associated pcrud permissions, should be removed from the coustl (config.org_unit_setting_type_log) object definition in the IDL.
* OpenSRF calls need to be added to open-ils.actor to retrieve settings history. These calls will need to be given the user's authtoken as well as the setting name and possibly the desired organizational unit to look up. The latter can be derived from the user's authtoken and current working location, and so may be deemed optional or unnecessary. These calls should only expose the settings to the user that are in that user's org. unit hierarchy as defined by the appropriate database or other functions.
* The library settings editor interface in the staff client then requires modification to use the new OpenSRF calls and to stop using the openils.PermaCRUD JavaScript module.
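
A minimal model of the server-side check that the proposed calls would perform, added here as an illustration and not taken from Evergreen or from this report. The org tree, sessions, setting names, the `VIEW_DEMO_PAYMENT` permission and the function name `retrieve_setting_history` are constructed assumptions; only `STAFF_LOGIN` comes from the report.

```python
# Simplified model, not Evergreen code; all names and data are constructed.
# Org tree: org unit id -> parent id (None marks the root).
ORG_PARENT = {1: None, 2: 1, 3: 1, 4: 2, 5: 3}

# Sessions: authtoken -> working location (ws_ou) and granted permissions.
SESSIONS = {
    "tok-branch4": {"ws_ou": 4, "perms": {"STAFF_LOGIN", "VIEW_DEMO_PAYMENT"}},
    "tok-noperm": {"ws_ou": 4, "perms": {"STAFF_LOGIN"}},
}

# Hypothetical per-setting view permission (None = no extra permission).
SETTING_VIEW_PERM = {"demo.fine_cap": None, "demo.payment_key": "VIEW_DEMO_PAYMENT"}

# History rows: (setting name, org unit, old value, new value).
SETTING_LOG = [
    ("demo.fine_cap", 1, "5.00", "10.00"),
    ("demo.fine_cap", 4, "10.00", "8.00"),
    ("demo.fine_cap", 5, "10.00", "20.00"),  # other branch of the tree
    ("demo.payment_key", 2, "a", "b"),
    ("demo.payment_key", 3, "a", "c"),       # other branch of the tree
]

class PermissionDenied(Exception):
    """Raised when the caller may not see the requested history."""

def ancestors(org_id):
    """Return org_id followed by every ancestor up to the root."""
    chain = []
    while org_id is not None:
        chain.append(org_id)
        org_id = ORG_PARENT[org_id]
    return chain

def retrieve_setting_history(authtoken, setting, org_id=None):
    """Return history rows for `setting` limited to the caller's hierarchy."""
    session = SESSIONS.get(authtoken)
    if session is None or "STAFF_LOGIN" not in session["perms"]:
        raise PermissionDenied("invalid session")
    # Org unit defaults to the working location; an explicit one must lie
    # inside the caller's own ancestor hierarchy.
    org_id = session["ws_ou"] if org_id is None else org_id
    if org_id not in ancestors(session["ws_ou"]):
        raise PermissionDenied("org unit outside caller's hierarchy")
    needed = SETTING_VIEW_PERM[setting]
    if needed is not None and needed not in session["perms"]:
        raise PermissionDenied("missing view permission")
    scope = set(ancestors(org_id))
    return [row for row in SETTING_LOG if row[0] == setting and row[1] in scope]
```

Because the filter runs on the server against the session's working location, a client cannot widen the result by changing its query, which is the gap left by exposing the log table through a generic CRUD interface.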
I am removing the won't fix because I think this is still an issue -- as of 3.2 I am still able to see Settings History for OUs outside of my assigned OU hierarchy.