From 15cbb518505c4fc387b7729fef486682f11abd4e Mon Sep 17 00:00:00 2001
From: erickson
Date: Fri, 5 Jan 2007 19:56:13 +0000
Subject: [PATCH] enforcing perm depth checks on bucket/bucket-item delete
git-svn-id: svn://svn.open-ils.org/ILS/branches/rel_1_0@6727 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/src/perlmods/OpenILS/Application/Actor/Container.pm | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Actor/Container.pm b/Open-ILS/src/perlmods/OpenILS/Application/Actor/Container.pm
index 334e6b6531..02bb79ecc3 100644
--- a/Open-ILS/src/perlmods/OpenILS/Application/Actor/Container.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Actor/Container.pm
@@ -232,6 +232,8 @@ __PACKAGE__->register_method(
 Returns the new bucket object
 NOTES
+# XXX pretty sure no one actually uses this method,
+# (see open-ils.actor.container.full_delete) -- should probably deprecate it
 sub bucket_delete {
 my( $self, $client, $authtoken, $class, $bucketid ) = @_;
 my( $bucket, $evt );
@@ -354,7 +356,9 @@ sub __item_delete {
 return $evt if $evt;
 if( $bucket->owner ne $e->requestor->id ) {
- return $e->event unless $e->allowed('DELETE_CONTAINER_ITEM');
+ my $owner = $e->retrieve_actor_user($bucket->owner)
+ or return $e->die_event;
+ return $e->event unless $e->allowed('DELETE_CONTAINER_ITEM', $owner->home_ou);
 }
 my $stat;
@@ -399,7 +403,9 @@ sub full_delete {
 return $evt if $evt;
 if( $container->owner ne $e->requestor->id ) {
- return $e->event unless $e->allowed('DELETE_CONTAINER');
+ my $owner = $e->retrieve_actor_user($container->owner)
+ or return $e->die_event;
+ return $e->event unless $e->allowed('DELETE_CONTAINER', $owner->home_ou);
 }
 my $items;
--
2.11.0
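Review bot: The new XXX comment calls bucket_delete probably unused, but the method stays registered and its permission check lies outside this hunk, so it cannot be confirmed here that it received the depth check this commit adds to full_delete and __item_delete. If its check is still made without an org unit, it remains a callable delete path that does not enforce the new restriction. Either give it the same owner home_ou check or unregister the method; the comment alone does not close the gap.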
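Review bot: In __item_delete the permission-denied path returns `$e->event`, while the owner lookup added just above it returns `$e->die_event`, so the two failure exits of the same check are handled differently. Whether the editor has a transaction open at this point is not visible in the hunk, but if it does, the denial should end it the same way: `return $e->die_event unless $e->allowed('DELETE_CONTAINER_ITEM', $owner->home_ou);`. The same pair of lines appears in the full_delete hunk with DELETE_CONTAINER. Both function bodies start and end outside their hunks.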
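Review bot: Nothing beside the new check in full_delete records why the permission is tested at the container owner's home_ou, and that choice of org unit is the security-relevant part of the change. A one-line comment above the lookup would keep a later edit from dropping the argument, for example `# check the perm at the container owner's home org unit`. The same comment fits the identical check in __item_delete.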