my( $self, $client, $auth, $user_id, $fields ) = @_;
my $e = new_editor(authtoken => $auth);
return $e->event unless $e->checkauth;
- return $e->event unless $e->allowed('VIEW_USER');
+ if( $e->requestor->id != $user_id ) {
+ return $e->event unless $e->allowed('VIEW_USER');
+ }
$fields ||= [
"cards",
"card",
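Review bot: The new self-access test `$e->requestor->id != $user_id` compares a caller-supplied argument numerically, so Perl coerces a value that is not a plain integer before comparing; a string with a leading number compares equal to that number, and the `VIEW_USER` check is then skipped for a value that is not literally the requestor's id. Whether the lookup that follows would accept such a value is not visible here, so this is a hardening point rather than a confirmed bypass. Reject anything that fails `defined $user_id and $user_id =~ /\A\d+\z/` before the comparison, or compare against the id of the user object once it has been retrieved instead of the raw argument. The enclosing sub starts before this hunk and the `$fields` default list continues past it.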
return $e->event unless $e->checkauth;
my $hold = $e->retrieve_action_hold_request($hold_id)
or return $e->event;
- return $e->event unless $e->allowed('VIEW_HOLD');
+
+ if( $e->requestor->id != $hold->usr ) {
+ return $e->event unless $e->allowed('VIEW_HOLD');
+ }
return 1 unless $hold->current_copy;
return 2 unless $hold->capture_time;
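Review bot: The owner exemption added in front of the `VIEW_HOLD` check is an authorization decision that the code does not explain. A short comment above the `if` would keep a later edit from removing or widening it by accident, for example `# The hold's own patron may see its status; anyone else needs VIEW_HOLD`. The comparison relies on `$hold->usr` being a bare id; if it ever held an object instead, `!=` would compare a reference address and the exemption would stop matching (failing closed), which is worth stating in the same comment. The enclosing sub begins and ends outside this hunk.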