check session viability when retrieving resources or reservations, and VIEW_TRANSACTI...

git-svn-id: svn://svn.open-ils.org/ILS/trunk@15100 dcc99617-32d9-48b4-a31d-7c20da2025e4

diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Booking.pm b/Open-ILS/src/perlmods/OpenILS/Application/Booking.pm
index 37dd22e..5b43117 100644 (file)
--- a/Open-ILS/src/perlmods/OpenILS/Application/Booking.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Booking.pm
@@ -153,6 +153,9 @@ sub resource_list_by_attrs {
 
     return undef unless ($filters->{type} || $filters->{attribute_values});
 
+    my $e = new_editor(authtoken=>$auth);
+    return $e->event unless $e->checkauth;
+
     my $query = {
         'select'   => { brsrc => [ 'id' ] },
         'from'     => { brsrc => {} },
@@ -284,6 +287,10 @@ sub reservation_list_by_filters {
 
     return undef unless ($filters->{user} || $filters->{resource} || $filters->{type} || $filters->{attribute_values});
 
+    my $e = new_editor(authtoken=>$auth);
+    return $e->event unless $e->checkauth;
+    return $e->event unless $e->allowed('VIEW_TRANSACTION');
+
     my $query = {
         'select'   => { bresv => [ 'id' ] },
         'from'     => { bresv => {} },