From: Thomas Berezansky Date: Thu, 16 Jun 2011 21:03:36 +0000 (-0400) Subject: Delete protection - Ensure you can touch group X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=f0f9e63098245e8b591ed1091172f71c172d45d4;p=evergreen%2Ftadl.git Delete protection - Ensure you can touch group Same protection editing a user seems to get: If you don't have the right group_application.user perm, reject Signed-off-by: Thomas Berezansky Signed-off-by: Dan Wells
---
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 9b9bd139f9..094bff09d7 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -3491,7 +3491,13 @@ sub really_delete_user {
 my $e = new_editor(authtoken => $auth, xact => 1);
 return $e->die_event unless $e->checkauth;
 my $user = $e->retrieve_actor_user($user_id) or return $e->die_event;
+ # No deleting yourself - UI is supposed to stop you first, though.
+ return $e->die_event unless $e->requestor->id != $user->id;
 return $e->die_event unless $e->allowed('DELETE_USER', $user->home_ou);
+ # Check if you are allowed to mess with this patron permission group at all
+ my $session = OpenSRF::AppSession->create( "open-ils.storage" );
+ my $evt = group_perm_failed($session, $e->requestor, $user);
+ return $e->die_event($evt) if $evt;
 my $stat = $e->json_query(
 {from => ['actor.usr_delete', $user_id, $dest_user_id]})->[0]
 or return $e->die_event;
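Review bot: The self-deletion guard on the first added line returns `$e->die_event` with no event argument at a point where nothing has recorded one; if `die_event` without an argument only hands back the editor's previously stored event, this path yields undef rather than an error event, so a caller cannot distinguish a refused delete from a silent no-op. The `unless ... != ...` double negative also reads poorly for a check this important. Suggest `return $e->die_event(OpenILS::Event->new('PERM_FAILURE')) if $e->requestor->id == $user->id;` (or whichever event the project uses for this refusal). The open-ils.storage session created for `group_perm_failed` is not disconnected on either the failure or the success path, which presumably leaves that connection open until the request ends — confirm against the other `group_perm_failed` callers in this file whether they clean it up. really_delete_user starts before and continues past the hunk.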