From 3029ae87b2b4492c9079a2692e78133215a34641 Mon Sep 17 00:00:00 2001
From: Jason Stephenson <jason@sigio.com>
Date: Sun, 6 Oct 2013 20:28:14 -0400
Subject: [PATCH] Add an auth and permission check in
 CircCommon->unvoid_bill().

Signed-off-by: Jason Stephenson <jason@sigio.com>
---
 Open-ILS/src/perlmods/lib/OpenILS/Application/Circ/CircCommon.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ/CircCommon.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ/CircCommon.pm
index 0ba84c96ee..db0d8cec1f 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ/CircCommon.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Circ/CircCommon.pm
@@ -108,7 +108,12 @@ sub void_bills_of_type {
 sub unvoid_bill {
     my ($class, $authtoken, $bill, $note) = @_;
 
+    # Get and editor, check for a session, and check that we can void
+    # bills.  (If we can void bills, we can unvoid them, too.)
     my $ed = new_editor (authtoken => $authtoken, xact => 1);
+    return $e->die_event unless $e->checkauth;
+    return $e->die_event unless $e->allowed('VOID_BILLING');
+
     my $voids = $ed->search_money_void_payment(
         {
             billing => $bill->id()
-- 
2.11.0