Restrict search/view of PO, POL, Piece records based upon acquisitions unit

Description

Overview
Restrict search/view of orders, poLines and pieces based upon the acquisitions unit memberships of the user and the acquisitions unit being assigned to the record.

GET by Id applies to:

  • purchase-orders

  • po-lines

  • pieces

GET by query applies to:

  • purchase-orders

  • po-lines

  • orders

  • order-lines

  • receiving-history

NOTE: since get pieces by query (GET /order-storage/pieces?query=...) isn't exposed via mod-orders and is only used internally, we don't need to touch it in the scope of this story. At some point that endpoint might be deprecated in favor of receiving-history anyway.

Acquisitions units are described on the wiki. The order-specific details which this story covers can also be found there.

Acceptance Criteria:

  • Acquisitions units are used to determine if a user can search for/view the PO/POL/Piece record

  • Unit tests are updated

  • API tests are updated
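
The read restriction described above, as an added Python example (not code from mod-orders or from this ticket): one decision function is shared by the GET-by-id and GET-by-query paths so the two cannot drift apart. Assumptions: the `protect_read` flag, the rule that a record is restricted only when every assigned unit protects read, the 403 status, and all names and sample data are illustrative.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AcqUnit:
    id: str
    protect_read: bool  # assumed flag: unit restricts viewing of its records

@dataclass
class Record:
    id: str
    acq_unit_ids: list = field(default_factory=list)  # units assigned to the record

def can_read(record, units_by_id, user_unit_ids):
    """Single read decision used by both GET-by-id and GET-by-query."""
    # Fail closed: an assigned unit id that cannot be resolved counts as protected.
    assigned = [units_by_id.get(u, AcqUnit(u, True)) for u in record.acq_unit_ids]
    # Assumption: no units, or any assigned unit that does not protect read,
    # means the record is visible to every user.
    if not assigned or any(not u.protect_read for u in assigned):
        return True
    # Otherwise the user must be a member of at least one assigned unit.
    return any(u.id in user_unit_ids for u in assigned)

def get_by_id(records, record_id, units_by_id, user_unit_ids):
    """Return (status, body); the record is never returned when read is restricted."""
    record = records.get(record_id)
    if record is None:
        return 404, None
    if not can_read(record, units_by_id, user_unit_ids):
        return 403, None  # assumed status code for a restricted record
    return 200, record

def get_by_query(records, predicate, units_by_id, user_unit_ids):
    """Drop restricted records from the result set instead of failing the request."""
    return [r for r in records.values()
            if predicate(r) and can_read(r, units_by_id, user_unit_ids)]

# Constructed sample data, named after the units used in the manual verification.
UNITS = {u.id: u for u in (AcqUnit("protectRead", True),
                           AcqUnit("unprotectRead", False))}
ORDERS = {r.id: r for r in (
    Record("po-1", ["protectRead"]),
    Record("po-2", ["unprotectRead"]),
    Record("po-3", ["protectRead", "unprotectRead"]),
    Record("po-4", []),
)}
```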

Activity

Craig McNally August 12, 2019 at 5:00 PM

Verified on folio-testing via API tests:

Craig McNally August 12, 2019 at 4:52 PM
Edited

Some high level manual verification on folio-testing:

Created Acquisition Units via UI

Create Orders in UI

Membership: both units

Memberships: unprotectRead unit

Memberships: protectRead unit

Can't see protected orders
Memberships: none

Piotr Kalashuk August 12, 2019 at 11:20 AM

The API tests updates: folio-api-tests PR#275

Piotr Kalashuk August 12, 2019 at 11:19 AM

Part 4. Clean up

Delete orders

Delete acq units

Go to UI by admin and delete all created units

Delete users

Piotr Kalashuk August 12, 2019 at 11:11 AM

Part 3.2. Get order lines by id

Note: to simplify the comment, only the status code is added for success responses; status code + response body for failure cases.

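User 1

Order | Request | Response
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |

User 2

Order | Request | Response
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |

User 3

Order | Request | Response
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |

User 4

Order | Request | Response
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |

User 5

Order | Request | Response
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
7 | |
8 | |
9 | |
10 | |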

Done

Development Team

Thunderjet

Created May 23, 2019 at 5:53 PM
Updated November 9, 2021 at 6:01 PM
Resolved August 12, 2019 at 5:00 PM