Add permission checking for updating and deleting volumes.

This addresses LP #784062 reported by Ben Shum, and I think others?

Creating volumes was already covered.  The ability to delete volumes
without permission would be less often an issue in practice since you
would need permission to delete the volume's copies before you could
delete the volume itself.

Anyway, this should square things.

Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
index 152bb50..974390e 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
@@ -868,6 +868,8 @@ sub fleshed_volume_update {
         if( $vol->isdeleted ) {
 
             $logger->info("vol-update: deleting volume");
+            return $editor->event unless
+                $editor->allowed('UPDATE_VOLUME', $vol->owning_lib);
             my $cs = $editor->search_asset_copy(
                 { call_number => $vol->id, deleted => 'f' } );
             return OpenILS::Event->new(
@@ -912,6 +914,9 @@ sub update_volume {
     my $evt;
     my $merge_vol;
 
+    return {evt => $editor->event} unless
+        $editor->allowed('UPDATE_VOLUME', $vol->owning_lib);
+
     return {evt => $evt} 
         if ( $evt = OpenILS::Application::Cat::AssetCommon->org_cannot_have_vols($editor, $vol->owning_lib) );