add permissions checks for retrieving POs and invoices via unified_search

author Galen Charlton <gmc@equinoxinitiative.org>

Thu, 13 Feb 2020 15:48:43 +0000 (10:48 -0500)

committer Galen Charlton <gmc@equinoxinitiative.org>

Thu, 13 Feb 2020 15:48:43 +0000 (10:48 -0500)
author Galen Charlton <gmc@equinoxinitiative.org>
Thu, 13 Feb 2020 15:48:43 +0000 (10:48 -0500)
committer Galen Charlton <gmc@equinoxinitiative.org>
Thu, 13 Feb 2020 15:48:43 +0000 (10:48 -0500)
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Financials.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Financials.pm

index 062a9d1..f400724 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Financials.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Financials.pm
@@ -1033,6 +1033,8 @@ sub retrieve_purchase_order_impl {
      my $po = $e->retrieve_acq_purchase_order($args)
          or return $e->event;
  
+    return $e->event unless $e->allowed(['VIEW_INVOICE', 'CREATE_INVOICE'], $po->ordering_agency);
+
      if($$options{flesh_lineitems}) {
  
          my $flesh_fields = { jub => ['attributes'] };
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Invoice.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Invoice.pm

index 653a664..f94d307 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Invoice.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Invoice.pm
@@ -689,11 +689,8 @@ __PACKAGE__->register_method(
  );
  
  
-sub fetch_invoice_api {
-    my($self, $conn, $auth, $invoice_id, $options) = @_;
-
-    my $e = new_editor(authtoken=>$auth);
-    return $e->event unless $e->checkauth;
+sub fetch_invoice_with_perm_check {
+    my($e, $invoice_id, $options) = @_;
  
      my $invoice = fetch_invoice_impl($e, $invoice_id, $options) or
          return $e->event;
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Search.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Search.pm

index 53acda4..8619f6f 100644 (file)
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Search.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Search.pm
@@ -24,7 +24,7 @@ my %RETRIEVERS = (
          "OpenILS::Application::Acq::Financials::retrieve_purchase_order_impl"
      },
      "invoice" => \&{
-        "OpenILS::Application::Acq::Invoice::fetch_invoice_impl"
+        "OpenILS::Application::Acq::Invoice::fetch_invoice_with_perm_check"
      },
  );
author	Galen Charlton <gmc@equinoxinitiative.org>
	Thu, 13 Feb 2020 15:48:43 +0000 (10:48 -0500)
committer	Galen Charlton <gmc@equinoxinitiative.org>
	Thu, 13 Feb 2020 15:48:43 +0000 (10:48 -0500)
Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Financials.pm		patch \| blob \| history
Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Invoice.pm		patch \| blob \| history
Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Search.pm		patch \| blob \| history