Bug 24157: New permission - delete_baskets
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Wed, 11 Dec 2019 15:39:36 +0000 (16:39 +0100)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Thu, 30 Jul 2020 15:30:23 +0000 (17:30 +0200)
Add a new permission to delete acquisition baskets

Test plan:
- Remove the new permission "delete_baskets" for a given patron,
then log in to Koha as that patron
- Create basket, try to delete it
=> There is no way to delete it
- Add the permission
=> Now you can delete the basket

Sponsored-by: Galway-Mayo Institute of Technology

Signed-off-by: Owen Leonard <oleonard@myacpl.org>
Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

acqui/basket.pl
installer/data/mysql/atomicupdate/bug_24157.perl
installer/data/mysql/userpermissions.sql
koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/basket.tt

index 8e2929f..4ef5fac 100755 (executable)
@@ -91,6 +91,8 @@ our ( $template, $loggedinuser, $cookie, $userflags ) = get_template_and_user(
     }
 );
 
+my $logged_in_patron = Koha::Patrons->find( $loggedinuser );
+
 our $basket = GetBasket($basketno);
 $booksellerid = $basket->{booksellerid} unless $booksellerid;
 my $bookseller = Koha::Acquisition::Booksellers->find( $booksellerid );
@@ -123,6 +125,10 @@ $template->param( skip_confirm_reopen => 1) if $confirm_pref eq '2';
 my @messages;
 
 if ( $op eq 'delete_confirm' ) {
+
+    output_and_exit( $query, $cookie, $template, 'insufficient_permission' )
+      unless $logged_in_patron->has_permission( { acquisition => 'delete_baskets' } );
+
     my $basketno = $query->param('basketno');
     my $delbiblio = $query->param('delbiblio');
     my @orders = GetOrders($basketno);
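Review bot: The new guard calls `$logged_in_patron->has_permission` without checking that `$logged_in_patron` is defined. `Koha::Patrons->find( $loggedinuser )`, added in the first hunk of this file, returns undef when no patron row matches, and the method call would then die instead of rendering the `insufficient_permission` page. Writing the condition as `unless $logged_in_patron && $logged_in_patron->has_permission( { acquisition => 'delete_baskets' } );` keeps the check fail-closed with a clean denial. A comment above it such as `# Authoritative check: the template only hides the button` would mark this as the enforcement point. The `delete_confirm` branch continues outside the hunk.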
index 031b7a0..e7908dd 100644 (file)
@@ -10,6 +10,10 @@ if( CheckVersion( $DBversion ) ) {
         (11, 'edit_invoices', 'Edit invoices')
     |);
 
+    $dbh->do(q|
+        INSERT IGNORE INTO permissions (module_bit, code, description) VALUES
+        (11, 'delete_baskets', 'Delete baskets')
+    |);
 
     $dbh->do(q|
         INSERT IGNORE INTO permissions (module_bit, code, description) VALUES
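Review bot: This upgrade step inserts the `delete_baskets` row but grants it to nobody, so staff who hold only individual acquisition sub-permissions will presumably be unable to delete baskets after the update until an administrator assigns the new code. Denying by default is the safe choice, but it is a silent behaviour change for existing installations. The upgrade message changed in the last hunk of this file could say so, for example by ending with `; deleting a basket now requires delete_baskets)`. Whether patrons holding the full acquisition module flag are unaffected cannot be confirmed from the lines shown.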
@@ -17,5 +21,5 @@ if( CheckVersion( $DBversion ) ) {
     |);
 
     SetVersion( $DBversion );
-    print "Upgrade to $DBversion done (Bug 24157: Add new permissions reopen_closed_invoices, edit_invoices delete_invoices)\n";
+    print "Upgrade to $DBversion done (Bug 24157: Add new permissions reopen_closed_invoices, edit_invoices, delete_invoices, delete_baskets)\n";
 }
index f9a6cda..636b245 100644 (file)
@@ -68,6 +68,7 @@ INSERT INTO permissions (module_bit, code, description) VALUES
    (11, 'reopen_closed_invoices', 'Reopen closed invoices'),
    (11, 'edit_invoices', 'Edit invoices'),
    (11, 'delete_invoices', 'Delete invoices'),
+   (11, 'delete_baskets', 'Delete baskets'),
    (12, 'suggestions_manage', 'Manage purchase suggestions'),
    (13, 'edit_news', 'Write news for the OPAC and staff interfaces'),
    (13, 'label_creator', 'Create printable labels and barcodes from catalog and patron data'),
index 8ebde44..42dd9ca 100644 (file)
             Delete invoices
         </span>
         <span class="permissioncode">([% name | html %])</span>
+    [%- CASE 'delete_baskets' -%]
+        <span class="sub_permission delete_baskets_subpermission">
+            Delete baskets
+        </span>
+        <span class="permissioncode">([% name | html %])</span>
   [%# self_check %]
     [%- CASE 'self_checkin_module' -%]
         <span class="sub_permission self_checkin_module_subpermission">
index 784838b..a9359d3 100644 (file)
@@ -59,8 +59,9 @@
                         <div class="btn-group"><a href="#addtoBasket" role="button" class="btn btn-default" data-toggle="modal"><i class="fa fa-plus"></i> Add to basket</a></div>
                     [% END %]
                     <div class="btn-group"><a href="basketheader.pl?booksellerid=[% booksellerid | uri %]&amp;basketno=[% basketno | uri %]&amp;op=add_form" class="btn btn-default" id="basketheadbutton"><i class="fa fa-pencil"></i> Edit basket</a></div>
-                    [%# FIXME This action should not be available for everyone %]
-                    <div class="btn-group"><a href="#deleteBasketModal" role="button" class="btn btn-default" data-toggle="modal" id="delbasketbutton"><i class="fa fa-trash"></i> Delete this basket</a></div>
+                    [% IF CAN_user_acquisition_delete_baskets %]
+                        <div class="btn-group"><a href="#deleteBasketModal" role="button" class="btn btn-default" data-toggle="modal" id="delbasketbutton"><i class="fa fa-trash"></i> Delete this basket</a></div>
+                    [% END %]
                    [% IF ( unclosable ) %]
                     [% ELSIF ( uncertainprices ) %]
                         <div class="btn-group"><a href="/cgi-bin/koha/acqui/uncertainprice.pl?booksellerid=[% booksellerid | uri %]&amp;owner=1" class="btn btn-default" id="uncertpricesbutton"><i class="fa fa-usd"></i> Uncertain prices</a></div>
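Review bot: Only the toolbar button is wrapped in `[% IF CAN_user_acquisition_delete_baskets %]`; the `#deleteBasketModal` markup it opens is defined outside this hunk. If that markup stays unconditional, it is still sent to users without the permission, presumably along with its `delete_confirm` controls. The check added in acqui/basket.pl is what enforces the permission, so this is a consistency point rather than a bypass. Wrapping the modal in the same `[% IF CAN_user_acquisition_delete_baskets %]` ... `[% END %]` would stop the page from carrying an action that the server will refuse.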