From 65a5769ed954c519676e050400c0aefd38afd474 Mon Sep 17 00:00:00 2001
From: Jeff Davis <jdavis@sitka.bclibraries.ca>
Date: Wed, 6 Jul 2022 16:04:20 -0700
Subject: [PATCH] LP#1979345: restrict access to holds pull list

This commit adds a new VIEW_HOLD_PULL_LIST permission.  In order to view
a library's holds pull list, you need to have the new permission at that
library.

Signed-off-by: Jeff Davis <jdavis@sitka.bclibraries.ca>
---
 .../src/app/staff/share/holds/grid.component.html   |  2 +-
 Open-ILS/src/sql/Pg/950.data.seed-values.sql        |  7 ++++++-
 .../upgrade/XXXX.data.permission.hold_pull_list.sql | 21 +++++++++++++++++++++
 .../Circulation/view_hold_pull_list.adoc            |  6 ++++++
 4 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.hold_pull_list.sql
 create mode 100644 docs/RELEASE_NOTES_NEXT/Circulation/view_hold_pull_list.adoc

diff --git a/Open-ILS/src/eg2/src/app/staff/share/holds/grid.component.html b/Open-ILS/src/eg2/src/app/staff/share/holds/grid.component.html
index b25a4465dd..cf31838e49 100644
--- a/Open-ILS/src/eg2/src/app/staff/share/holds/grid.component.html
+++ b/Open-ILS/src/eg2/src/app/staff/share/holds/grid.component.html
@@ -55,7 +55,7 @@
           <div class="input-group-prepend">
             <div class="input-group-text" i18n>View Pull List For:</div>
           </div>
-          <eg-org-select [initialOrgId]="pullListOrg"
+          <eg-org-select [initialOrgId]="pullListOrg" [limitPerms]="['VIEW_HOLD_PULL_LIST']"
             (onChange)="pullListOrgChanged($event)">
           </eg-org-select>
         </div>
diff --git a/Open-ILS/src/sql/Pg/950.data.seed-values.sql b/Open-ILS/src/sql/Pg/950.data.seed-values.sql
index e662764e0c..f7631b5a77 100644
--- a/Open-ILS/src/sql/Pg/950.data.seed-values.sql
+++ b/Open-ILS/src/sql/Pg/950.data.seed-values.sql
@@ -1972,7 +1972,9 @@ INSERT INTO permission.perm_list ( id, code, description ) VALUES
  ( 638, 'RUN_SIMPLE_REPORTS', oils_i18n_gettext(638,
     'Build and run simple reports', 'ppl', 'description')),
  ( 639, 'ADMIN_OPENATHENS', oils_i18n_gettext(639,
-    'Allow a user to administer OpenAthens authentication service', 'ppl', 'description'))
+    'Allow a user to administer OpenAthens authentication service', 'ppl', 'description')),
+ ( 640, 'VIEW_HOLD_PULL_LIST', oils_i18n_gettext(640,
+    'View hold pull list', 'ppl', 'description'))
 ;
 
 SELECT SETVAL('permission.perm_list_id_seq'::TEXT, 1000);
@@ -2070,6 +2072,7 @@ INSERT INTO permission.grp_perm_map (grp, perm, depth, grantable)
 			'VIEW_CIRCULATIONS',
 			'VIEW_COPY_NOTES',
 			'VIEW_HOLD',
+			'VIEW_HOLD_PULL_LIST',
 			'VIEW_ORG_SETTINGS',
 			'VIEW_TITLE_NOTES',
 			'VIEW_TRANSACTION',
@@ -2136,6 +2139,7 @@ INSERT INTO permission.grp_perm_map (grp, perm, depth, grantable)
 			'VIEW_HOLD',
 			'VIEW_HOLD_NOTIFICATION',
 			'VIEW_HOLD_PERMIT',
+			'VIEW_HOLD_PULL_LIST',
 			'VIEW_PERM_GROUPS',
 			'VIEW_PERMISSION',
 			'VIEW_TITLE_NOTES',
@@ -2868,6 +2872,7 @@ INSERT INTO permission.grp_perm_map (grp, perm, depth, grantable)
 			'VIEW_CIRCS',
 			'VIEW_COPY_CHECKOUT',
 			'VIEW_HOLD',
+			'VIEW_HOLD_PULL_LIST',
 			'VIEW_TITLE_HOLDS',
 			'VIEW_TRANSACTION',
 			'VIEW_USER',
diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.hold_pull_list.sql b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.hold_pull_list.sql
new file mode 100644
index 0000000000..e55e033bfd
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.permission.hold_pull_list.sql
@@ -0,0 +1,21 @@
+BEGIN;
+
+SELECT evergreen.upgrade_deps_block_check('XXXX', :eg_version);
+
+INSERT INTO permission.perm_list (id, code, description) VALUES
+ ( 640, 'VIEW_HOLD_PULL_LIST', oils_i18n_gettext(640,
+    'View hold pull list', 'ppl', 'description'));
+
+-- by default, assign VIEW_HOLD_PULL_LIST to everyone who has VIEW_HOLDS
+INSERT INTO permission.grp_perm_map (perm, grp, depth, grantable)
+    SELECT 640, grp, depth, grantable
+    FROM permission.grp_perm_map
+    WHERE perm = 9;
+
+INSERT INTO permission.usr_perm_map (perm, usr, depth, grantable)
+    SELECT 640, usr, depth, grantable
+    FROM permission.usr_perm_map
+    WHERE perm = 9;
+
+COMMIT;
+
diff --git a/docs/RELEASE_NOTES_NEXT/Circulation/view_hold_pull_list.adoc b/docs/RELEASE_NOTES_NEXT/Circulation/view_hold_pull_list.adoc
new file mode 100644
index 0000000000..c783f64aeb
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/Circulation/view_hold_pull_list.adoc
@@ -0,0 +1,6 @@
+== New Permission for Viewing Holds Pull List ==
+
+Access to the holds pull list is now restricted to users with the
+VIEW_HOLD_PULL_LIST permission.  By default, this new permission is granted to
+all users with the VIEW_HOLDS permission.
+
-- 
2.11.0