retain ability for a user to see his/her own payments and open transactions

git-svn-id: svn://svn.open-ils.org/ILS/trunk@19478 dcc99617-32d9-48b4-a31d-7c20da2025e4

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 8164569..ff38f3b 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -1688,7 +1688,9 @@ sub user_transactions {
 
     my $user = $e->retrieve_actor_user($user_id) or return $e->event;
 
-    return $e->event unless $e->allowed('VIEW_USER_TRANSACTIONS', $user->home_ou);
+    return $e->event unless 
+        $e->requestor->id == $user_id or
+        $e->allowed('VIEW_USER_TRANSACTIONS', $user->home_ou);
 
     my $api = $self->api_name();
 
@@ -3516,7 +3518,9 @@ sub user_payments {
     return $e->die_event unless $e->checkauth;
 
     my $user = $e->retrieve_actor_user($user_id) or return $e->event;
-    return $e->event unless $e->allowed('VIEW_USER_TRANSACTIONS', $user->home_ou);
+    return $e->event unless 
+        $e->requestor->id == $user_id or
+        $e->allowed('VIEW_USER_TRANSACTIONS', $user->home_ou);
 
     # Find all payments for all transactions for user $user_id
     my $query = {