From: Jeff Davis Date: Thu, 26 May 2022 21:43:58 +0000 (-0700) Subject: LP#1966096: check permissions when deleting lineitem X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=refs%2Fheads%2Fuser%2Fjeffdavis%2Flp1966096-delete-lineitem-perm-check;p=working%2FEvergreen.git LP#1966096: check permissions when deleting lineitem Hitherto EG has only prevented you from deleting a lineitem if it's attached to a picklist belonging to someone else (in which case the deletion would silently fail). This commit checks whether you have the CREATE_PURCHASE_ORDER perm if the line item is attached to a purchase order, or else the CREATE_PICKLIST perm if the line item is attached to a picklist. Signed-off-by: Jeff Davis
---
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Lineitem.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Lineitem.pm
index d3178d6993..42dcbd2f72 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Lineitem.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Lineitem.pm
@@ -280,13 +280,16 @@ sub delete_lineitem {
 # XXX check state
- if($li->picklist) {
+ if($li->purchase_order) {
+ my $po = $e->retrieve_acq_purchase_order($li->purchase_order)
+ or return $e->die_event;
+ return OpenILS::Event->new('BAD_PARAMS')
+ unless ($e->allowed('CREATE_PURCHASE_ORDER', $po->ordering_agency, $po));
+ } elsif($li->picklist) {
 my $picklist = $e->retrieve_acq_picklist($li->picklist)
 or return $e->die_event;
- return OpenILS::Event->new('BAD_PARAMS')
- if $picklist->owner != $e->requestor->id;
- } else {
- # check PO perms
+ return OpenILS::Event->new('BAD_PARAMS')
+ unless ($e->allowed('CREATE_PICKLIST', $picklist->org_unit, $picklist));
 }
 # once a LI is attached to a PO, deleting it
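Review bot: A line item attached to neither a purchase order nor a picklist now falls through the `if`/`elsif` with no permission check at all, because the old `else` placeholder was removed rather than filled in. Unless a check outside this hunk already covers that case, the chain should deny by default, for example `} else { return OpenILS::Event->new('BAD_PARAMS'); }`. Both new guards also return a fresh `BAD_PARAMS` event, so an authorization denial looks like a malformed request to the caller and in logs, and the editor is not cleaned up the way the neighbouring `or return $e->die_event` paths are. `return $e->die_event unless $e->allowed('CREATE_PURCHASE_ORDER', $po->ordering_agency, $po);` (and likewise for `CREATE_PICKLIST`) would presumably surface the failure that `allowed` records. The picklist branch also drops the `$picklist->owner` comparison, so it is worth confirming that any holder of `CREATE_PICKLIST` at that org unit is meant to delete items from other users' picklists; `delete_lineitem` starts and ends outside the hunk.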