If the staff user does not have the group_manage acquisition permission,
do not offer to create a new basket group when closing an order basket.
This avoids a situation where if a staff member without that permission tries
to close a basket and chose the option to create a bakset group, they would
be redirected to the login page.
To test:
[1] Log in as a staff user that does not have
the acquisition/group_manage permission.
[2] Create a new order basket, attach at least one
order line to it, then close it.
[3] Verify that the confirmation page does not
offer to create a basket group with the
same name as the order basket.
[4] Log in as a staff user that has the
acquisition/group_manage permission.
[5] Create and close an order basket.
[6] Verify that this time, the confirmation page
*does* offer to create a basket group.
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
<form action="/cgi-bin/koha/acqui/basket.pl" class="confirm">
<h1>Are you sure you want to close basket [% basketname|html %]?</h1>
+ [% IF ( CAN_user_acquisition_group_manage ) %]
<p>
<label for="createbasketgroup">Attach this basket to a new basket group with the same name</label>
<input type="checkbox" id="createbasketgroup" name="createbasketgroup"/>
</p>
+ [% END %]
<input type="hidden" id="basketno" value="[% basketno %]" name="basketno" />
<input type="hidden" value="close" name="op" />
<input type="hidden" name="booksellerid" value="[% booksellerid %]" />
projects / koha.git / commitdiff