List permissions


Status: unknown
Sponsored by: no-one
Developed by: marcelr
Expected for: 2011-12-08
Bug number: Bug 7310
Work in progress repository:
Description: List permissions

 

Created after discussion on mailing list around December 2, 2011 

1 Public lists in OPAC: Currently, a user has to be logged in to create a list. I would strongly recommend keeping that restriction. A new preference is added that controls whether OPAC users can create public lists.
Additionally, I would add the restriction that another OPAC user cannot change the list type of a public list to private, or change the list permissions, when he did not create the list (currently possible); only the owner can do that.

2 Three new permissions per list: Add items, Delete own items, Delete other items. This makes the Open list type obsolete.  Delete own means: user X can delete entries from this list that he added himself.  Delete other means: user X can delete entries that were added by another user Y.
 
3 Share private lists with another patron (as described before). Can be turned on/off with a preference.
 
4 Staff client features: add an option under Tools to moderate inappropriate list names for public lists and shared private lists. (A library is free to use it or not.) Add staff list permission: allow to manage lists (virtual shelves). With that permission a staff member can moderate the list names as mentioned and access the staff Lists module. (He can change list type and permissions. He can take ownership of a public list if the owner has been deleted.)
 
5 Deleting a patron should also delete his (unshared) private lists, his shares with private lists of someone else and clear owner on his public lists. [Currently, the virtualshelves table will contain lists (of any type) of deleted borrowers.]
What happens with shared private lists (still used by other patrons)?  If they are still in use, the list owner is cleared only. When a private list without owner is no longer used, it will be deleted. For a staff user with appropriate permissions, it should be made possible to retain ownership of such lists (without owner) in order to edit or delete the list; note that this action is not actually needed for still using the list while the owner has been deleted. 

6 Granular permissions for lists in staff client.
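
The access decisions implied by points 1, 2 and 5, as an added example (a Python model written for this page, not Koha's Perl code; all field and function names are assumptions, as is the rule that the owner always keeps full rights). It makes one edge case explicit: once point 5 clears the owner, an ownership check must not let an anonymous session match the empty owner. The staff "manage lists" permission of point 4 is left out.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative model only: field and function names are assumptions, not Koha's.
@dataclass
class ListRecord:
    owner: Optional[int]      # borrowernumber; None once the owner is deleted (point 5)
    public: bool
    allow_add: bool = False           # the three per-list permissions of point 2
    allow_delete_own: bool = False
    allow_delete_other: bool = False
    shared_with: frozenset = frozenset()  # patrons who accepted a share (point 3)

def is_owner(lst, user):
    # An anonymous session (user None) must never match a cleared owner (None).
    return user is not None and lst.owner is not None and lst.owner == user

def can_view(lst, user):
    return lst.public or is_owner(lst, user) or (user is not None and user in lst.shared_with)

def can_manage(lst, user):
    # Rename, delete, change list type or permissions: owner only (point 1).
    return is_owner(lst, user)

def can_add(lst, user):
    if user is None or not can_view(lst, user):
        return False
    return is_owner(lst, user) or lst.allow_add

def can_delete_entry(lst, user, added_by):
    # added_by: borrowernumber that added the entry (None if that patron is gone).
    if user is None or not can_view(lst, user):
        return False
    if is_owner(lst, user):
        return True
    if added_by is not None and added_by == user:
        return lst.allow_delete_own
    return lst.allow_delete_other

def on_patron_delete(lists, patron):
    # Point 5: remove the patron's shares and unshared private lists, clear owner elsewhere.
    kept = []
    for lst in lists:
        lst.shared_with = lst.shared_with - {patron}
        if lst.owner == patron:
            lst.owner = None
        if lst.owner is None and not lst.public and not lst.shared_with:
            continue          # private list with no owner and no remaining users
        kept.append(lst)
    return kept
```
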
 

ADDITIONAL COMMENTS
If a library does not allow public list creation in OPAC and does not share lists, how should a staff member change list type of a private list? This is not possible. You could say by design. It is the result of combining those two prefs. As a workaround, a staff member could enable public list creation, let the user change list type in opac and reset the pref. Or enable sharing lists, let the user share that list with staff member, accept it and reset the pref.

NEW: While developing and refactoring some code, I removed the increasing lists information from session storage. This simplified the code, makes the sessions much smaller, ensures actual list information and did not make a big difference in performance (depending on factors such as session count, number of lists, etc.; could even be faster).

 

DEVELOPMENT PLAN

Submitted first five patches on February 16, 2012.

Patch 1 includes database revision for updating the database. Includes two new system prefs: OpacAllowSharingPrivateLists and OpacAllowPublicListCreation. Converts open lists to public lists with all options allowed.

Patch 2 includes database changes for new installs. (Koha structure)

Patch 3 includes change to opac preferences file.

Patch 4 includes code revisions for new permissions and refactoring. The new permissions are not yet shown on screen. This way the current functionality can be tested first, while laying the foundation for further development. IMPLEMENTS points 1 and 2 (without making the new permissions visible yet).

Patch 5 includes code changes for lists management when deleting a patron. The public and shared lists are not discarded. Same for entries added by the patron to public lists (or via shares). IMPLEMENTS point 5.

Additionally:

Patch 6 includes changes to VirtualShelves unit test.

Patch 7 is a followup to handle this case: When deleting entries from a list in the staff client without sufficient permissions to do so, you will not see a warning (as you can see in opac when doing the same).

Patch 8 is another followup to resolve the omission of adding the prefs to sysprefs.sql.
 


FUTURE PATCHES

Future patches will make the new permissions visible when editing a list in opac or staff, completing point 2. After that, points 3, 4 and 6 should be completed.
Another issue to resolve is from point 5: Let staff user take ownership of a list without owner (patron deleted).

Another issue (current bug): Delete shelf 21, the first and only one of the second page. The next screen tells you that you do not have any lists anymore. Note that the code in shelfpage (VirtualShelves/Page.pm) needs some further refactoring! This will address another small issue: If anonymous user clicks Login to create your own lists, the opac-user form does not show any public lists under the Lists button.

Another wish: Sort a list by call number (complication here is that call number is on item level). Show call number in opac and staff when viewing the list.
Another wish: Use XSLT also in the display at staff side (just as on opac side already).


TEST PLAN

Test the first five patches with the following steps:

Login with user 2 in staff. Create user 1 for opac (to be deleted at the end). Enable OpacAllowPublicListCreation.

Login with user 1 in opac. Add a private list V1 via shelves screen. Add a private list V2 via search results, Add to combo. Add some items to both lists. Add a public list P1 via shelves, P2 via search results (Save to another list). Add some items.

Login with user 2 in staff. Go to Lists. Check P1 and P2. Try to rename or delete (should be impossible). Add some items via catalog detail and search results (should NOT be possible). Add private V3 via shelves, private V4 via search results, public P3. Add some items.

Login with user 1 in opac. Try to rename or delete P3 (should not be possible). Add items to P3 (should NOT be possible). Delete list V1.

Login with user 2 in staff. Delete list P3. Try to delete all items from P2 (should not be possible). Delete patron user 1. Check if you still have P1 and P2. Check items on P2.

Login with user 2 in opac. Check again if you still have P1 and P2. Check items on P2.

Login with user 2 in staff. Disable OpacAllowPublicListCreation.

Login with user 2 in opac. Try to add a public list via shelves, search results (AddTo combo: New List) and search results (Save to another list). Should not be possible.

Logout with user 2 in opac. Check lists P1 and P2 (you should see items). Try to delete a list or delete an entry from a list. (Should not be possible.) Try to create a list. Try to add an item to P1 via search results, opac detail (should not be possible).