LP#1863386: link ADMIN_CAROUSEL permission to appropriate OU context
authorGalen Charlton <gmc@equinoxinitiative.org>
Thu, 13 Feb 2020 21:49:46 +0000 (16:49 -0500)
committerMike Rylander <mrylander@gmail.com>
Fri, 21 Feb 2020 20:02:45 +0000 (15:02 -0500)
This patch restricts pcrud retrieval and modification of templates
to users who have ADMIN_CAROUSEL in the relevant carousel owner OU
rather than requiring global_required.

To test
-------
[1] Apply the patch.
[2] Ensure that a user with ADMIN_CAROUSEL privileges at a depth
    lower than "Consortium" can only view and edit carousel
    definitions at OUs applicable to their working libraries.

Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jennifer Weston <jennifer.weston@equinoxinitiative.org>
Open-ILS/examples/fm_IDL.xml

index b32557a..9d53763 100644 (file)
@@ -13020,10 +13020,10 @@ SELECT  usr,
                </links>
                <permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
                        <actions>
-                               <create permission="ADMIN_CAROUSEL" global_required="true"/>
-                               <retrieve/>
-                               <update permission="ADMIN_CAROUSEL" global_required="true"/>
-                               <delete permission="ADMIN_CAROUSEL" global_required="true"/>
+                               <create permission="ADMIN_CAROUSEL" context_field="owner"/>
+                               <retrieve permission="ADMIN_CAROUSEL" context_field="owner"/>
+                               <update permission="ADMIN_CAROUSEL" context_field="owner"/>
+                               <delete permission="ADMIN_CAROUSEL" context_field="owner"/>
                        </actions>
                </permacrud>
        </class>
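Review bot: The new `<retrieve permission="ADMIN_CAROUSEL" context_field="owner"/>` gates reads behind the same permission as writes, where the removed `<retrieve/>` was unrestricted. Any caller that fetches this class through pcrud without holding ADMIN_CAROUSEL at the owning OU would now be refused, so it is worth confirming that no non-administrative path (a display or selection interface, if one reads via pcrud) depends on the old open retrieve. The test plan in the commit message only exercises users who hold the permission; a negative case for a user with no ADMIN_CAROUSEL at all would pin the intended behaviour. A short comment above the actions, such as `<!-- retrieve is deliberately limited to ADMIN_CAROUSEL at the owning OU -->`, would record that the tightening is intentional. The enclosing `<class>` element opens outside the hunk, so the class name and its fields are not visible here.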
@@ -13046,10 +13046,18 @@ SELECT  usr,
                </links>
                <permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
                        <actions>
-                               <create permission="ADMIN_CAROUSEL" global_required="true"/>
-                               <retrieve/>
-                               <update permission="ADMIN_CAROUSEL" global_required="true"/>
-                               <delete permission="ADMIN_CAROUSEL" global_required="true"/>
+                               <create permission="ADMIN_CAROUSEL">
+                                   <context link="carousel" field="owner" />
+                               </create>
+                               <retrieve permission="ADMIN_CAROUSEL">
+                                   <context link="carousel" field="owner" />
+                               </retrieve>
+                               <update permission="ADMIN_CAROUSEL">
+                                   <context link="carousel" field="owner" />
+                               </update>
+                               <delete permission="ADMIN_CAROUSEL">
+                                   <context link="carousel" field="owner" />
+                               </delete>
                        </actions>
                </permacrud>
        </class>
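Review bot: All four actions here resolve the permission context only through `<context link="carousel" field="owner" />`, so the check is made at the owner of the linked carousel and nowhere else. If this class also carries an org-unit column of its own (the field list is outside the hunk, so this is inferred), a user holding ADMIN_CAROUSEL at the carousel's owner could create or update rows that point at an OU outside their permission scope. Please confirm whether that is intended, and record the decision next to the actions, for example `<!-- ADMIN_CAROUSEL is checked at the linked carousel's owner only -->`. The test plan could also add a case where a scoped user tries to attach a carousel they own to an OU they do not administer.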