Bug 15289 - borrowers permission allows to see patron's loans

Test plan:

 - log with a user that have "borrowers" permission but not "Remaining circulation permissions"
 - go to a borrower's detail page (who has at least a loan) and click on "show checkouts"
 - check that you see loan(s) and that you can't renew and checkin

 - Do the same with a borrower that have "Remaining circulation permissions"
 - check that you see loan(s) and that you can renew and checkin

Followed test plan. Works as expected.
Signed-off-by: Marc Véron <veron@veron.ch>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

Signed-off-by: Brendan A Gallagher <brendan@bywatersolutions.com>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/checkouts-table.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/checkouts-table.inc
index 0c1a7f1..88d4e5c 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/checkouts-table.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/checkouts-table.inc
@@ -41,8 +41,10 @@
                             <input type="checkbox" name="override_limit" id="override_limit" value="1" />
                         [% END %]
                     [% END %]
-                    <button class="btn" id="RenewCheckinChecked"><i class="fa fa-check"></i> Renew or check in selected items</button>
-                    <button class="btn" id="RenewAll"><i class="fa fa-book"></i> Renew all</button>
+                    [% IF ( CAN_user_circulate_circulate_remaining_permissions ) %]
+                        <button class="btn" id="RenewCheckinChecked"><i class="fa fa-check"></i> Renew or check in selected items</button>
+                        <button class="btn" id="RenewAll"><i class="fa fa-book"></i> Renew all</button>
+                    [% END %]
                 </fieldset>
 
                 [% IF ( exports_enabled ) %]

diff --git a/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc b/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc
index a4b6396..bf48595 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc
+++ b/koha-tmpl/intranet-tmpl/prog/en/includes/permissions.inc
@@ -4,7 +4,7 @@
     [%- CASE 'circulate' -%]<span>Check out and check in items</span>
     [%- CASE 'catalogue' -%]<span><b>Required for staff login.</b> Staff access, allows viewing of catalogue in staff client.</span>
     [%- CASE 'parameters' -%]<span>Manage Koha system settings (Administration panel)</span>
-    [%- CASE 'borrowers' -%]<span>Add or modify patrons</span>
+    [%- CASE 'borrowers' -%]<span>Add, modify and view patrons information</span>
     [%- CASE 'permissions' -%]<span>Set user permissions</span>
     [%- CASE 'reserveforothers' -%]<span>Place and modify holds for patrons</span>
     [%- CASE 'editcatalogue' -%]<span>Edit catalog (Modify bibliographic/holdings data)</span>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/js/checkouts.js b/koha-tmpl/intranet-tmpl/prog/en/js/checkouts.js
index 9dae4d8..1269013 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/js/checkouts.js
+++ b/koha-tmpl/intranet-tmpl/prog/en/js/checkouts.js
@@ -295,6 +295,7 @@ $(document).ready(function() {
                 },
                 {
                     "bSortable": false,
+                    "bVisible": AllowCirculate ? true : false,
                     "mDataProp": function ( oObj ) {
                         var content = "";
                         var span_style = "";
@@ -388,6 +389,7 @@ $(document).ready(function() {
                 },
                 {
                     "bSortable": false,
+                    "bVisible": AllowCirculate ? true : false,
                     "mDataProp": function ( oObj ) {
                         if ( oObj.can_renew_error == "on_reserve" ) {
                             return "<a href='/cgi-bin/koha/reserve/request.pl?biblionumber=" + oObj.biblionumber + "'>" + ON_HOLD + "</a>";

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt
index 97e547d..802e35e 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/moremember.tt
@@ -33,6 +33,7 @@ var theme = "[% theme %]";
 var borrowernumber = "[% borrowernumber %]";
 var branchcode = "[% branch %]";
 var exports_enabled = "[% exports_enabled %]";
+var AllowCirculate = [% (CAN_user_circulate_circulate_remaining_permissions)? 1 : 0 %]
 var AllowRenewalLimitOverride = [% (CAN_user_circulate_override_renewals && AllowRenewalLimitOverride)? 1: 0 %];
 var script = "moremember";
 var relatives_borrowernumbers = new Array();

diff --git a/svc/checkouts b/svc/checkouts
index cff2561..93a1c95 100755 (executable)
--- a/svc/checkouts
+++ b/svc/checkouts
@@ -23,7 +23,7 @@ use warnings;
 use CGI;
 use JSON qw(to_json);
 
-use C4::Auth qw(check_cookie_auth);
+use C4::Auth qw(check_cookie_auth haspermission get_session);
 use C4::Biblio qw(GetMarcBiblio GetFrameworkCode GetRecordValue );
 use C4::Circulation qw(GetIssuingCharges CanBookBeRenewed GetRenewCount GetSoonestRenewDate);
 use C4::Koha qw(GetAuthorisedValueByCode);
@@ -35,10 +35,13 @@ use Koha::DateUtils;
 my $input = new CGI;
 
 my ( $auth_status, $sessionID ) =
-  check_cookie_auth( $input->cookie('CGISESSID'),
-    { circulate => 'circulate_remaining_permissions' } );
+  check_cookie_auth( $input->cookie('CGISESSID'));
 
-if ( $auth_status ne "ok" ) {
+my $session   = get_session($sessionID);
+my $userid   = $session->param('id');
+
+unless (haspermission($userid, { circulate => 'circulate_remaining_permissions' })
+    || haspermission($userid, { borrowers => '*' })) {
     exit 0;
 }