LP#
1450519: remove unauthorized access to library setting history
This patch changes the current Library Settings editor so that
it doesn't display the setting history for a setting that the user
doesn't have the underlying view permission for. It also removes
the coustl IDL class [config.org_unit_setting_type_log] from PCRUD.
Access to the setting history is now done through a new method,
open-ils.actor.org_unit.settings.history.visible.retrieve, which
accepts an authtoken and a setting name. If the user has the
relevant view permission, setting history entries at all of the
OUs that they have the permission at are returned. If the user
lacks the permission, an empty array is returned. If the setting
has no permission associated with it, all history entries for
the setting are returned. The user must have at least STAFF_LOGIN
to retrieve any entries at all.
To test
-------
[1] As an administrator, make some changes to the values of
a privileged library setting (such as one of the credit card
ones) and an unprivileged one (e.g., lib.info_url).
[2] Log in as a staff user without administration privileges
and go to the library settings editor. Note that while the
current value of privileged settings are not displayed, clicking
on the history link displays the full history of the setting.
[3] Apply the patch and repeat step 2.
[4] This time, history for the privileged setting is not displayed,
while history for an unprivileged setting continues to be
available.
Signed-off-by: Galen Charlton <gmc@equinoxOLI.org>
Signed-off-by: Shula Link <slink@gchrl.org>
Signed-off-by: Jason Stephenson <jason@sigio.com>
projects / Evergreen.git / commit