Add an auth and permission check in CircCommon->unvoid_bill().
authorJason Stephenson <jason@sigio.com>
Mon, 7 Oct 2013 00:28:14 +0000 (20:28 -0400)
committerJason Stephenson <jason@sigio.com>
Thu, 7 Nov 2013 22:01:57 +0000 (17:01 -0500)
Signed-off-by: Jason Stephenson <jason@sigio.com>
Open-ILS/src/perlmods/lib/OpenILS/Application/Circ/CircCommon.pm

index 0ba84c9..db0d8ce 100644 (file)
@@ -108,7 +108,12 @@ sub void_bills_of_type {
 sub unvoid_bill {
     my ($class, $authtoken, $bill, $note) = @_;
 
+    # Get and editor, check for a session, and check that we can void
+    # bills.  (If we can void bills, we can unvoid them, too.)
     my $ed = new_editor (authtoken => $authtoken, xact => 1);
+    return $e->die_event unless $e->checkauth;
+    return $e->die_event unless $e->allowed('VOID_BILLING');
+
     my $voids = $ed->search_money_void_payment(
         {
             billing => $bill->id()
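Review bot: The two added guards call methods on `$e`, but the editor created on the line just above them is named `$ed`, and no `$e` is declared in the visible part of `unvoid_bill`. Under `use strict` the module would not compile, and without it both calls die on an undefined value, so the function fails instead of performing the intended session and permission checks. The lines should read `return $ed->die_event unless $ed->checkauth;` and `return $ed->die_event unless $ed->allowed('VOID_BILLING');`. The added comment also has a typo, "Get and editor" for "Get an editor". Separately, `allowed` is called with no org-unit argument; if `VOID_BILLING` is meant to be scoped to the location of the bill's transaction, that context should probably be passed, though this cannot be confirmed because the body of `unvoid_bill` continues past the hunk.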