From: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
Date: Wed, 18 May 2011 21:26:58 +0000 (-0400)
Subject: Add permission checking for updating and deleting volumes.
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=ec45ea05739ec350ed688fcf8e28781e696819f4;p=evergreen%2Fpines.git

Add permission checking for updating and deleting volumes.

This addresses LP #784062 reported by Ben Shum, and I think others?

Creating volumes was already covered.  The ability to delete volumes
without permission would be less often an issue in practice since you
would need permission to delete the volume's copies before you could
delete the volume itself.

Anyway, this should square things.

Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
---

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
index 152bb5014f..974390e40b 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
@@ -868,6 +868,8 @@ sub fleshed_volume_update {
         if( $vol->isdeleted ) {
 
             $logger->info("vol-update: deleting volume");
+            return $editor->event unless
+                $editor->allowed('UPDATE_VOLUME', $vol->owning_lib);
             my $cs = $editor->search_asset_copy(
                 { call_number => $vol->id, deleted => 'f' } );
             return OpenILS::Event->new(
@@ -912,6 +914,9 @@ sub update_volume {
     my $evt;
     my $merge_vol;
 
+    return {evt => $editor->event} unless
+        $editor->allowed('UPDATE_VOLUME', $vol->owning_lib);
+
     return {evt => $evt} 
         if ( $evt = OpenILS::Application::Cat::AssetCommon->org_cannot_have_vols($editor, $vol->owning_lib) );