Add delete button to Tag edit view#12141
Conversation
for more information, see https://pre-commit.ci
There was a problem hiding this comment.
Pull request overview
This PR updates the Tag edit template to surface an admin-only “Delete Record” action, wiring it to the existing _delete POST behavior that marks a Tag as /type/delete.
Changes:
- Add a “Delete Record” submit button to the tag edit header, shown only when editing an existing tag.
- Gate the delete button behind an admin/super-librarian check in the template.
- Add an
idto the tag edit<form>so the header button can submit it via theform=attribute.
| $if ctx.user and (ctx.user.is_admin() or ctx.user.is_super_librarian()): | ||
| <span class="adminOnly right"> | ||
| <button type="submit" value="$_('Delete Record')" name="_delete" title="$_('Delete Record')" id="delete" | ||
| form="tag-form">$_("Delete Record")</button> | ||
| </span> |
There was a problem hiding this comment.
The delete button’s role gating doesn’t match the server-side authorization in plugins/upstream/addtag.py: tag_edit.has_permission() allows admins/curators (and certain deputies) to POST updates, and the delete path triggers on any POST containing _delete. As a result (1) curators/deputies can still delete a tag by crafting a POST even though the UI hides the button, and (2) is_super_librarian() is checked here but isn’t included in tag_edit.has_permission(), so super-librarians may not be able to reach this page unless they’re also admins/curators. Recommend enforcing the intended delete permission check in the POST handler (not just the template) and aligning the UI condition with the backend’s allowed groups (or vice versa).
Addresses #11878
Adds "Delete" button to Tag edit views. Delete button is only rendered for admins and super-librarians.
Clicking "Delete" will change the affected Tag's type to
/type/delete.Delete functionality was already present in the Tag edit POST handler, so no server-side code changes were needed.
Technical
Testing
Screenshot
Stakeholders