LP#1873048: add scoped retrieve perms for booking resource types and resources
authorJeff Davis <jdavis@sitka.bclibraries.ca>
Thu, 30 Apr 2020 17:36:44 +0000 (10:36 -0700)
committerChris Sharp <csharp@georgialibraries.org>
Mon, 4 May 2020 17:18:12 +0000 (13:18 -0400)
In the XUL client, when selecting a resource type, the list was limited
by owning library.  But in the web client, the list would show all
resource types across all libraries.  This commit addresses that
regression by adding a new VIEW_BOOKING_RESOURCE_TYPE permission with
context_field in the IDL.  That way, users only see resource types owned
by org units where they have the permission.

While we're at it, a new VIEW_BOOKING_RESOURCE perm is also added for
resources.

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
Signed-off-by: Jane Sandberg <sandbej@linnbenton.edu>
Signed-off-by: Chris Sharp <csharp@georgialibraries.org>

Open-ILS/examples/fm_IDL.xml
Open-ILS/src/sql/Pg/950.data.seed-values.sql
Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.booking_resource.sql [new file with mode: 0644]

index 9225c86..4dbbcbb 100644 (file)
@@ -5012,7 +5012,7 @@ SELECT  usr,
                <permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
                        <actions>
                                <create permission="ADMIN_BOOKING_RESOURCE_TYPE" context_field='owner'/>
-                               <retrieve/>
+                               <retrieve permission="VIEW_BOOKING_RESOURCE_TYPE" context_field='owner'/>
                                <update permission="ADMIN_BOOKING_RESOURCE_TYPE" context_field='owner'/>
                                <delete permission="ADMIN_BOOKING_RESOURCE_TYPE" context_field='owner'/>
                        </actions>
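Review bot: The new `<retrieve permission="VIEW_BOOKING_RESOURCE_TYPE" context_field='owner'/>` line has no comment explaining why retrieve, previously open, is now scoped by owner, and the same applies to the `VIEW_BOOKING_RESOURCE` line in the next hunk. I would add a comment above each, for example `<!-- retrieve scoped by owner: staff only list rows owned by org units where they hold the view perm (LP#1873048) -->`. The gate shown here is the permacrud retrieve action for this one class. Whether other booking classes or non-permacrud API calls can return the same rows is not visible in this hunk, so check that before treating it as an access boundary. The enclosing class element starts and ends outside the hunk.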
@@ -5044,7 +5044,7 @@ SELECT  usr,
                <permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
                        <actions>
                                <create permission="ADMIN_BOOKING_RESOURCE" context_field='owner'/>
-                               <retrieve/>
+                               <retrieve permission="VIEW_BOOKING_RESOURCE" context_field='owner'/>
                                <update permission="ADMIN_BOOKING_RESOURCE" context_field='owner'/>
                                <delete permission="ADMIN_BOOKING_RESOURCE" context_field='owner'/>
                        </actions>
index ce54ebc..b6959bb 100644 (file)
@@ -1935,7 +1935,11 @@ INSERT INTO permission.perm_list ( id, code, description ) VALUES
  ( 619, 'EDIT_SELF_IN_CLIENT', oils_i18n_gettext(619,
     'Allow a user to edit their own account in the staff client', 'ppl', 'description')),
  ( 620, 'UPDATE_ORG_UNIT_SETTING.opac.patron.custom_css', oils_i18n_gettext(620,
-    'Update CSS setting for the OPAC', 'ppl', 'description'))
+    'Update CSS setting for the OPAC', 'ppl', 'description')),
+ ( 621, 'VIEW_BOOKING_RESOURCE_TYPE', oils_i18n_gettext(621,
+    'View booking resource types', 'ppl', 'description')),
+ ( 622, 'VIEW_BOOKING_RESOURCE', oils_i18n_gettext(622,
+    'View booking resources', 'ppl', 'description'))
 ;
 
 
@@ -2369,6 +2373,8 @@ INSERT INTO permission.grp_perm_map (grp, perm, depth, grantable)
                        'UPDATE_PAYMENT_NOTE',
                        'UPDATE_PICKUP_LIB FROM_TRANSIT',
                        'UPDATE_PICKUP_LIB_FROM_HOLDS_SHELF',
+                       'VIEW_BOOKING_RESOURCE',
+                       'VIEW_BOOKING_RESOURCE_TYPE',
                        'VIEW_GROUP_PENALTY_THRESHOLD',
                        'VIEW_STANDING_PENALTY',
                        'VOID_BILLING',
@@ -2529,6 +2535,8 @@ INSERT INTO permission.grp_perm_map (grp, perm, depth, grantable)
                        'UPDATE_PICKUP_LIB_FROM_HOLDS_SHELF',
                        'UPDATE_PICKUP_LIB_FROM_TRANSIT',
                        'UPDATE_USER',
+                       'VIEW_BOOKING_RESOURCE',
+                       'VIEW_BOOKING_RESOURCE_TYPE',
                        'VIEW_REPORT_OUTPUT',
                        'VIEW_STANDING_PENALTY',
                        'VOID_BILLING',
diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.booking_resource.sql b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.booking_resource.sql
new file mode 100644 (file)
index 0000000..2bbdce6
--- /dev/null
@@ -0,0 +1,11 @@
+BEGIN;
+SELECT evergreen.upgrade_deps_block_check('XXXX', :eg_version);
+
+INSERT INTO permission.perm_list ( id, code, description ) VALUES
+ ( 621, 'VIEW_BOOKING_RESOURCE_TYPE', oils_i18n_gettext(621,
+    'View booking resource types', 'ppl', 'description')),
+ ( 622, 'VIEW_BOOKING_RESOURCE', oils_i18n_gettext(622,
+    'View booking resources', 'ppl', 'description'))
+;
+
+COMMIT;
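Review bot: The upgrade script registers permissions 621 and 622 in `permission.perm_list` but adds no rows to `permission.grp_perm_map`, whereas the seed-values file in this same commit adds both codes to two group grant lists. On an upgraded system the IDL change makes retrieve require a permission that, as far as this script shows, no group holds. Booking resource and resource type lists would then presumably come back empty for staff until an administrator grants the permissions by hand. Either add the matching `grp_perm_map` inserts for the groups the seed file covers, or say so in a header comment such as `-- NOTE: grant VIEW_BOOKING_RESOURCE and VIEW_BOOKING_RESOURCE_TYPE to staff groups after upgrade`.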