From 232e4f6ada259f899a218a386c7039340350bd74 Mon Sep 17 00:00:00 2001
From: erickson <erickson@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Date: Mon, 3 May 2010 14:02:50 +0000
Subject: [PATCH] flesh hold notes in the holds retrieve call, being mindful of
 who is requesting the hold and who can see staff/private notes

git-svn-id: svn://svn.open-ils.org/ILS/trunk@16374 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 .../src/perlmods/OpenILS/Application/Circ/Holds.pm | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Circ/Holds.pm b/Open-ILS/src/perlmods/OpenILS/Application/Circ/Holds.pm
index a8701ca937..a8dbb47dd9 100644
--- a/Open-ILS/src/perlmods/OpenILS/Application/Circ/Holds.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Circ/Holds.pm
@@ -361,13 +361,19 @@ sub retrieve_holds {
     return $e->event unless $e->checkauth;
     $user_id = $e->requestor->id unless defined $user_id;
 
+    my $notes_filter = {staff => 'f'};
+    my $user = $e->retrieve_actor_user($user_id) or return $e->event;
     unless($user_id == $e->requestor->id) {
-        my $user = $e->retrieve_actor_user($user_id) or return $e->event;
-        unless($e->allowed('VIEW_HOLD', $user->home_ou)) {
+        if($e->allowed('VIEW_HOLD', $user->home_ou)) {
+            $notes_filter = {staff => 't'}
+        } else {
             my $allowed = OpenILS::Application::Actor::Friends->friend_perm_allowed(
                 $e, $user_id, $e->requestor->id, 'hold.view');
             return $e->event unless $allowed;
         }
+    } else {
+        # staff member looking at his/her own holds can see staff and non-staff notes
+        $notes_filter = {} if $e->allowed('VIEW_HOLD', $user->home_ou);
     }
 
     my $holds;
@@ -424,8 +430,9 @@ sub retrieve_holds {
         }
     }
 
-    if( ! $self->api_name =~ /id_list/ ) {
+    if( $self->api_name !~ /id_list/ ) {
         for my $hold ( @$holds ) {
+            $hold->notes($e->search_action_hold_request_note({hold => $hold->id, %$notes_filter}));
             $hold->transit(
                 $e->search_action_hold_transit_copy([
                     {hold => $hold->id},
@@ -2104,6 +2111,15 @@ sub uber_hold_impl {
     if($hold->usr->id ne $e->requestor->id) {
         # A user is allowed to see his/her own holds
 	    $e->allowed('VIEW_HOLD') or return $e->event;
+        $hold->notes( # filter out any non-staff ("private") notes
+            [ grep { !$U->is_true($_->staff) } @{$hold->notes} ] );
+
+    } else {
+        # caller is asking for own hold, but may not have permission to view staff notes
+	    unless($e->allowed('VIEW_HOLD')) {
+            $hold->notes( # filter out any staff notes
+                [ grep { $U->is_true($_->staff) } @{$hold->notes} ] );
+        }
     }
 
 	my $user = $hold->usr;
-- 
2.11.0