Security fix for Launchpad Bug 1003052.

Bug reported by James Fournie:

Revoking the UPDATE_MARC permission doesn't actually seem to prevent a
user from editing a record. Our use case is that we would like a user
to create new records but not edit existing MARC records.

Changing CREATE_MARC to UPDATE_MARC in OpenILS::Application::Cat's
biblio_record_replace_marc() method seems to fix the problem.

Signed-off-by: Jason Stephenson <jstephenson@mvlc.org>
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
index a442aff..b9b79be 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
@@ -159,7 +159,7 @@ sub biblio_record_replace_marc  {
     my( $self, $conn, $auth, $recid, $newxml, $source, $oargs ) = @_;
     my $e = new_editor(authtoken=>$auth, xact=>1);
     return $e->die_event unless $e->checkauth;
-    return $e->die_event unless $e->allowed('CREATE_MARC', $e->requestor->ws_ou);
+    return $e->die_event unless $e->allowed('UPDATE_MARC', $e->requestor->ws_ou);
 
     my $fix_tcn = $self->api_name =~ /replace/o;
     if($self->api_name =~ /override/o) {