From bf0a3fd21abdac7a88eed6fa3510d9f3114e26df Mon Sep 17 00:00:00 2001
From: Bill Erickson
Date: Tue, 7 Aug 2018 14:27:47 -0400
Subject: [PATCH] LP#1718032 Patron merge honors group perms; no self-merge

Ensure the staff performing a patron merge have sufficient permission to edit all users involved in the merge process, in addition the MERGE_USERS permssion.

Prevent staff from merging their own logged in account.

Signed-off-by: Bill Erickson
Signed-off-by: Michele Morgan
---
 .../perlmods/lib/OpenILS/Application/Actor.pm | 12 +++++++++++
 .../src/templates/staff/circ/patron/index.tt2 | 1 +
 .../js/ui/default/staff/circ/patron/app.js | 21 ++++++++++++-------
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 503cf35a44..f0bfa2eaec 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -3378,7 +3378,13 @@ sub merge_users {
     my $colls = $e->search_money_collections_tracker({usr => $user_ids}, {idlist => 1});
     return OpenILS::Event->new('MERGED_USER_IN_COLLECTIONS', payload => $user_ids) if @$colls;
 
+    return OpenILS::Event->new('MERGE_SELF_NOT_ALLOWED')
+        if $master_id == $e->requestor->id;
+
     my $master_user = $e->retrieve_actor_user($master_id) or return $e->die_event;
+    my $evt = group_perm_failed($e, $e->requestor, $master_user);
+    return $evt if $evt;
+
     my $del_addrs = ($U->ou_ancestor_setting_value(
         $master_user->home_ou, 'circ.user_merge.delete_addresses', $e)) ? 't' : 'f';
     my $del_cards = ($U->ou_ancestor_setting_value(
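Review bot: The master account gets only the new group_perm_failed() check here, while each source account in the loop of the next hunk also has to pass `$e->allowed('MERGE_USERS', $src_user->home_ou)`; no org-scoped MERGE_USERS check against `$master_user->home_ou` is visible in either hunk, so unless it lives elsewhere in merge_users (the sub continues outside the hunk) a staff member whose MERGE_USERS grant is limited to one org unit can still choose a master account from another. Adding `return $e->die_event unless $e->allowed('MERGE_USERS', $master_user->home_ou);` right after `return $evt if $evt;` closes that gap. The two new early returns also hand back an event without an explicit `$e->rollback`; if `$e` holds an open transaction (its construction is above the hunk) that is left to the editor's cleanup, as the pre-existing MERGED_USER_IN_COLLECTIONS return already does, so it is worth confirming that is the intended convention rather than an oversight.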
@@ -3387,7 +3393,13 @@ sub merge_users {
         $master_user->home_ou, 'circ.user_merge.deactivate_cards', $e)) ? 't' : 'f';
 
     for my $src_id (@$user_ids) {
+
         my $src_user = $e->retrieve_actor_user($src_id) or return $e->die_event;
+        my $evt = group_perm_failed($e, $e->requestor, $src_user);
+        return $evt if $evt;
+
+        return OpenILS::Event->new('MERGE_SELF_NOT_ALLOWED')
+            if $src_id == $e->requestor->id;
         return $e->die_event unless $e->allowed('MERGE_USERS', $src_user->home_ou);
 
         if($src_user->home_ou ne $master_user->home_ou) {
diff --git a/Open-ILS/src/templates/staff/circ/patron/index.tt2 b/Open-ILS/src/templates/staff/circ/patron/index.tt2
index 94849f203e..dc9c1b2147 100644
--- a/Open-ILS/src/templates/staff/circ/patron/index.tt2
+++ b/Open-ILS/src/templates/staff/circ/patron/index.tt2
@@ -76,6 +76,7 @@ angular.module('egCoreMod').run(['egStrings', function(s) {
     s.PAGE_TITLE_PATRON_HOLDS = "[% l('Holds') %]";
     s.PAGE_TITLE_PATRON_ITEMS_OUT = "[% l('Items Out') %]";
     s.PAGE_TITLE_PATRON_EDIT = "[% l('Edit') %]";
+    s.MERGE_SELF_NOT_ALLOWED = "[% l('Logged in account cannot be merged') %]"
 }]);
diff --git a/Open-ILS/web/js/ui/default/staff/circ/patron/app.js b/Open-ILS/web/js/ui/default/staff/circ/patron/app.js
index fa8a60e820..d37ed644f0 100644
--- a/Open-ILS/web/js/ui/default/staff/circ/patron/app.js
+++ b/Open-ILS/web/js/ui/default/staff/circ/patron/app.js
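Review bot: The self-merge test for `$src_id` runs only after the retrieve and the group_perm_failed() call, and it repeats the master check from the previous hunk; a single test before the loop covers both accounts and fails before any lookup: `return OpenILS::Event->new('MERGE_SELF_NOT_ALLOWED') if grep { $_ == $e->requestor->id } ($master_id, @$user_ids);`. The inner `my $evt` also shadows the `$evt` declared at sub scope in the hunk above; naming it `$src_evt` avoids the confusion. More importantly, these checks sit inside the loop whose remaining body (outside the hunk) appears to perform the merge of each source in turn, so a permission failure on a later source is reported only after earlier sources have already been processed in the same transaction; a first pass that validates every source before any write would refuse the whole request cleanly regardless of how rollback is handled.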
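Review bot: The new `s.MERGE_SELF_NOT_ALLOWED = ...` assignment is the only entry in this string table without a trailing semicolon; automatic semicolon insertion rescues it only because `}]);` follows on the next line. `s.MERGE_SELF_NOT_ALLOWED = "[% l('Logged in account cannot be merged') %]";` keeps it consistent with the lines above and safe if another string is appended after it later.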
@@ -691,13 +691,20 @@ function($scope, $q, $routeParams, $timeout, $window, $location, egCore ,
                 angular.forEach(items, function(i) {
                     patron_ids.push(i.id());
                 });
-                egPatronMerge.do_merge(patron_ids).then(function() {
-                    // ensure that we're not drawing from cached
-                    // resuts, as a successful merge just deleted a
-                    // record
-                    delete patronSvc.lastSearch;
-                    $scope.gridControls.refresh();
-                });
+                egPatronMerge.do_merge(patron_ids).then(
+                    function() {
+                        // ensure that we're not drawing from cached
+                        // resuts, as a successful merge just deleted a
+                        // record
+                        delete patronSvc.lastSearch;
+                        $scope.gridControls.refresh();
+                    },
+                    function(evt) {
+                        if (evt && evt.textcode == 'MERGE_SELF_NOT_ALLOWED') {
+                            ngToast.warning(egCore.strings.MERGE_SELF_NOT_ALLOWED);
+                        }
+                    }
+                );
             }
         }])
 
-- 
2.43.2
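Review bot: The new rejection handler reports only MERGE_SELF_NOT_ALLOWED and silently drops every other failure, including the permission events the server side of this commit introduces (whatever group_perm_failed returns, and the event behind `$e->die_event`) and the existing MERGED_USER_IN_COLLECTIONS, so staff get no feedback and the grid is not refreshed when a merge is refused for any other reason; an `else` branch that surfaces `evt.textcode` (for example via `ngToast.warning(evt.textcode)`) is the minimum, assuming do_merge rejects with the event object (its implementation is outside the hunk). `ngToast` is not among the injected names visible in the hunk header (`$scope, $q, $routeParams, $timeout, $window, $location, egCore, ...`); if it is missing from the controller's dependency list the handler throws a ReferenceError instead of showing the toast, which would only be noticed on the failure path. Since the success callback is being rewritten anyway, `evt.textcode == 'MERGE_SELF_NOT_ALLOWED'` would read better as `===` and the carried-over comment typo `resuts` could become `results`. The enclosing function starts before the hunk.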