From: Jason Stephenson
Date: Mon, 11 Jun 2012 20:12:54 +0000 (-0400)
Subject: Security fix for Launchpad Bug 1003052.
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=a01a0dd51c932da0c5236002610d905035edb570;p=evergreen%2Ftadl.git

Security fix for Launchpad Bug 1003052.

Bug reported by James Fournie:

Revoking the UPDATE_MARC permission doesn't actually seem to prevent a user from editing a record. Our use case is that we would like a user to create new records but not edit existing MARC records.

Changing CREATE_MARC to UPDATE_MARC in OpenILS::Application::Cat's biblio_record_replace_marc() method seems to fix the problem.

Signed-off-by: Jason Stephenson
Signed-off-by: Lebbeous Fogle-Weekley
---
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm index e1d2c82ced..d0307a8c54 100644 --- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm +++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm @@ -158,7 +158,7 @@ sub biblio_record_replace_marc { my( $self, $conn, $auth, $recid, $newxml, $source ) = @_; my $e = new_editor(authtoken=>$auth, xact=>1); return $e->die_event unless $e->checkauth; - return $e->die_event unless $e->allowed('CREATE_MARC', $e->requestor->ws_ou); + return $e->die_event unless $e->allowed('UPDATE_MARC', $e->requestor->ws_ou); my $fix_tcn = $self->api_name =~ /replace/o; my $override = $self->api_name =~ /override/o;
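Review bot: The single-line change to `$e->allowed('UPDATE_MARC', $e->requestor->ws_ou)` closes the reported gap (a caller holding only CREATE_MARC could previously replace an existing record's MARC), but two points are worth addressing in the same commit. First, the permission is still evaluated against the requestor's workstation org unit (`$e->requestor->ws_ou`) even though the method receives the target `$recid`; consider whether the check should be scoped to the org unit that owns the record being replaced, otherwise the check answers "may this user update MARC here" rather than "may this user update this record". Second, since `biblio_record_replace_marc` is shared by the `replace` and `override` api names (see the `$fix_tcn` and `$override` lines in the trailing context), please add a regression test asserting that a session with CREATE_MARC but not UPDATE_MARC receives the `die_event` permission failure on every api name routed through this method, and note in the commit message that this is a deliberate behaviour change for sites whose cataloguers were granted CREATE_MARC alone.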