LP#1066141: add authtoken check and related permission for age to lost function

The SET_CIRC_LOST permission is now required in order to invoke
the open-ils.circ.circulation.age_to_lost method.

Signed-off-by: Ben Shum <bshum@biblio.org>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Bill Erickson <berick@esilibrary.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
index e07f173..76f1cb0 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ.pm
@@ -259,6 +259,9 @@ __PACKAGE__->register_method(
 
 sub staff_age_to_lost {
     my( $self, $conn, $auth, $args ) = @_;
+    my $e = new_editor(authtoken=>$auth);
+    return $e->event unless $e->checkauth;
+    return $e->event unless $e->allowed('SET_CIRC_LOST', $args->{'circ_lib'});
 
     my $orgs = $U->get_org_descendants($args->{'circ_lib'});
     my $profiles = $U->fetch_permission_group_descendants($args->{'user_profile'});