Bug 8230: (follow-up) don't link to basket unless user has appropriate permissions

With this patch, the basket number on the bib details page is linked
to the basket management page only if the staff user has the appropriate
permissions.

To test:

[1] Log in as a user with the acquisition/order_manage permission.
    Bring up a bib record that is attached to an order and verify
    that the basket number is an active link.
[2] Log in as a user that doesn't have the acquisition/order_manage
    permission.  Verify that the basket number displayed on the bib
    details page is not a hyperlink.

Signed-off-by: Galen Charlton <gmc@esilibrary.com>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
index 294496a..612532b 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/catalogue/detail.tt
@@ -841,7 +841,11 @@ function verify_images() {
       <tbody>
       [% FOR order IN orders %]
           <tr>
-            <td><a href="/cgi-bin/koha/acqui/basket.pl?basketno=[% order.basketno %]">[% order.basketname %]</a></td>
+            <td>[% IF CAN_user_acquisition_order_manage %]
+                <a href="/cgi-bin/koha/acqui/basket.pl?basketno=[% order.basketno %]">[% order.basketname %]</a>
+            [% ELSE %]
+                [% order.basketname %]
+            [% END %]</td>
             <td>[% order.ordernumber %]</td>
             <td><span title="[% order.creationdate %]">[% order.creationdate | $KohaDates%]</span></td>
             <td><span title="[% order.datereceived %]">[% order.datereceived | $KohaDates%]</span></td>