From e13707658f9cac6f019b093b2cb7d90b2d968fb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Johnny=20Marie=CC=81thoz?=
Date: Tue, 14 Mar 2023 10:20:09 +0100
Subject: [PATCH] permissions: fix patron read permission
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Fixes unable to read a patron record for a librarian with a patron role.

Co-authored-by: Johnny MarieĢthoz
Co-authored-by: Renaud Michotte
---
 rero_ils/modules/permissions.py | 11 ++++----
 tests/api/patrons/test_patrons_permissions.py | 28 +++++++++++++++++++
 2 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/rero_ils/modules/permissions.py b/rero_ils/modules/permissions.py
index f65e3f4c32..902735d44e 100644
--- a/rero_ils/modules/permissions.py
+++ b/rero_ils/modules/permissions.py
@@ -430,12 +430,13 @@ def needs(self, record=None, *args, **kwargs):
 if record:
 if self.record_mapper:
 record = self.record_mapper(record)
- required_need = None
+ required_need = set()
 if current_patrons:
- required_need = OwnerNeed(self.patron_callback(record))
- elif current_librarian:
- required_need = OrganisationNeed(record.organisation_pid)
- if required_need and required_need not in g.identity.provides:
+ required_need.add(OwnerNeed(self.patron_callback(record)))
+ if current_librarian:
+ required_need.add(OrganisationNeed(record.organisation_pid))
+ if required_need and not required_need.intersection(
+ g.identity.provides):
 return []
 return super().needs(record, **kwargs)
diff --git a/tests/api/patrons/test_patrons_permissions.py b/tests/api/patrons/test_patrons_permissions.py
index 3d6ac226c9..5ca602d738 100644
--- a/tests/api/patrons/test_patrons_permissions.py
+++ b/tests/api/patrons/test_patrons_permissions.py
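Review bot: `required_need` now holds a set that is matched any-of against `g.identity.provides`, but neither the name nor a comment says so, and that is the security-relevant part of this hunk: a user holding both roles passes the filter either by owning the record or by belonging to its organisation. I would rename it to `required_needs` and put `# any-of: owner OR same organisation is enough for a user holding both roles` above the `intersection` test. When neither `current_patrons` nor `current_librarian` is truthy the set stays empty and the filter is skipped, as it was with `None`; a short comment confirming that falling through to `super().needs()` is intended there would help the next reader. `needs()` starts outside the hunk.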
@@ -142,3 +142,31 @@ def test_patrons_permissions(
 librarian_martigny['roles'] = original_roles
 librarian_martigny.update(librarian_martigny, dbcommit=True, reindex=True)
 flush_index(PatronsSearch.Meta.index)
+
+ original_roles = patron_martigny.get('roles', [])
+
+ # librarian + patron roles
+ patron_martigny['roles'] = [UserRole.FULL_PERMISSIONS, UserRole.PATRON]
+ patron_martigny['libraries'] = librarian_martigny['libraries']
+ patron_martigny.update(patron_martigny, dbcommit=True, reindex=True)
+ flush_index(PatronsSearch.Meta.index)
+
+ login_user(patron_martigny.user) # to refresh identity !
+ check_permission(PatronPermissionPolicy, {'search': True}, {})
+ check_permission(PatronPermissionPolicy, {
+ 'read': True,
+ 'create': True,
+ 'update': True,
+ 'delete': True
+ }, patron_martigny)
+ check_permission(PatronPermissionPolicy, {
+ 'read': True,
+ 'create': True,
+ 'update': True,
+ 'delete': True
+ }, patron2_martigny)
+
+ patron_martigny['roles'] = original_roles
+ del patron_martigny['libraries']
+ patron_martigny.update(patron_martigny, dbcommit=True, reindex=True)
+ flush_index(PatronsSearch.Meta.index)
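Review bot: The added block asserts only `True` outcomes for the dual-role user, so it would still pass if the any-of check in `permissions.py` granted more than intended. Add a case where the same user is checked against a patron record belonging to another organisation and `read`, `update` and `delete` are expected to be `False` (whether a suitable fixture exists is not visible in this hunk). The role reset at the end runs only when every assertion passes; wrapping the checks in `try:` / `finally:` would keep the elevated roles from leaking into later tests, depending on the fixture scope, which is not shown here. The test function starts outside the hunk.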