From 6b310dc1a929e78e77de2fd741c6a5a8526a93f9 Mon Sep 17 00:00:00 2001
From: Jeff Davis <jdavis@sitka.bclibraries.ca>
Date: Thu, 30 Apr 2020 10:36:44 -0700
Subject: [PATCH] LP#1873048: add scoped retrieve perms for booking resource
 types and resources

In the XUL client, when selecting a resource type, the list was limited
by owning library.  But in the web client, the list would show all
resource types across all libraries.  This commit addresses that
regression by adding a new VIEW_BOOKING_RESOURCE_TYPE permission with
context_field in the IDL.  That way, users only see resource types owned
by org units where they have the permission.

While we're at it, a new VIEW_BOOKING_RESOURCE perm is also added for
resources.

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Jane Sandberg <sandbej@linnbenton.edu>
Signed-off-by: Chris Sharp <csharp@georgialibraries.org>
---
 Open-ILS/examples/fm_IDL.xml                          |  4 ++--
 Open-ILS/src/sql/Pg/950.data.seed-values.sql          | 10 +++++++++-
 .../upgrade/XXXX.data.permission.booking_resource.sql | 11 +++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.booking_resource.sql

diff --git a/Open-ILS/examples/fm_IDL.xml b/Open-ILS/examples/fm_IDL.xml
index 9225c86a8b..4dbbcbb123 100644
--- a/Open-ILS/examples/fm_IDL.xml
+++ b/Open-ILS/examples/fm_IDL.xml
@@ -5012,7 +5012,7 @@ SELECT  usr,
 		<permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
 			<actions>
 				<create permission="ADMIN_BOOKING_RESOURCE_TYPE" context_field='owner'/>
-				<retrieve/>
+				<retrieve permission="VIEW_BOOKING_RESOURCE_TYPE" context_field='owner'/>
 				<update permission="ADMIN_BOOKING_RESOURCE_TYPE" context_field='owner'/>
 				<delete permission="ADMIN_BOOKING_RESOURCE_TYPE" context_field='owner'/>
 			</actions>
@@ -5044,7 +5044,7 @@ SELECT  usr,
 		<permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
 			<actions>
 				<create permission="ADMIN_BOOKING_RESOURCE" context_field='owner'/>
-				<retrieve/>
+				<retrieve permission="VIEW_BOOKING_RESOURCE" context_field='owner'/>
 				<update permission="ADMIN_BOOKING_RESOURCE" context_field='owner'/>
 				<delete permission="ADMIN_BOOKING_RESOURCE" context_field='owner'/>
 			</actions>
diff --git a/Open-ILS/src/sql/Pg/950.data.seed-values.sql b/Open-ILS/src/sql/Pg/950.data.seed-values.sql
index ce54ebcf8a..b6959bb20e 100644
--- a/Open-ILS/src/sql/Pg/950.data.seed-values.sql
+++ b/Open-ILS/src/sql/Pg/950.data.seed-values.sql
@@ -1935,7 +1935,11 @@ INSERT INTO permission.perm_list ( id, code, description ) VALUES
  ( 619, 'EDIT_SELF_IN_CLIENT', oils_i18n_gettext(619,
     'Allow a user to edit their own account in the staff client', 'ppl', 'description')),
  ( 620, 'UPDATE_ORG_UNIT_SETTING.opac.patron.custom_css', oils_i18n_gettext(620,
-    'Update CSS setting for the OPAC', 'ppl', 'description'))
+    'Update CSS setting for the OPAC', 'ppl', 'description')),
+ ( 621, 'VIEW_BOOKING_RESOURCE_TYPE', oils_i18n_gettext(621,
+    'View booking resource types', 'ppl', 'description')),
+ ( 622, 'VIEW_BOOKING_RESOURCE', oils_i18n_gettext(622,
+    'View booking resources', 'ppl', 'description'))
 ;
 
 
@@ -2369,6 +2373,8 @@ INSERT INTO permission.grp_perm_map (grp, perm, depth, grantable)
 			'UPDATE_PAYMENT_NOTE',
 			'UPDATE_PICKUP_LIB FROM_TRANSIT',
 			'UPDATE_PICKUP_LIB_FROM_HOLDS_SHELF',
+			'VIEW_BOOKING_RESOURCE',
+			'VIEW_BOOKING_RESOURCE_TYPE',
 			'VIEW_GROUP_PENALTY_THRESHOLD',
 			'VIEW_STANDING_PENALTY',
 			'VOID_BILLING',
@@ -2529,6 +2535,8 @@ INSERT INTO permission.grp_perm_map (grp, perm, depth, grantable)
 			'UPDATE_PICKUP_LIB_FROM_HOLDS_SHELF',
 			'UPDATE_PICKUP_LIB_FROM_TRANSIT',
 			'UPDATE_USER',
+			'VIEW_BOOKING_RESOURCE',
+			'VIEW_BOOKING_RESOURCE_TYPE',
 			'VIEW_REPORT_OUTPUT',
 			'VIEW_STANDING_PENALTY',
 			'VOID_BILLING',
diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.booking_resource.sql b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.booking_resource.sql
new file mode 100644
index 0000000000..2bbdce6c6c
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.booking_resource.sql
@@ -0,0 +1,11 @@
+BEGIN;
+SELECT evergreen.upgrade_deps_block_check('XXXX', :eg_version);
+
+INSERT INTO permission.perm_list ( id, code, description ) VALUES
+ ( 621, 'VIEW_BOOKING_RESOURCE_TYPE', oils_i18n_gettext(621,
+    'View booking resource types', 'ppl', 'description')),
+ ( 622, 'VIEW_BOOKING_RESOURCE', oils_i18n_gettext(622,
+    'View booking resources', 'ppl', 'description'))
+;
+
+COMMIT;
-- 
2.43.2