From 35f6b5543fd0b1949f7e19a7813600023db6a70a Mon Sep 17 00:00:00 2001
From: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
Date: Wed, 18 May 2011 17:26:58 -0400
Subject: [PATCH] Add permission checking for updating and deleting volumes.

This addresses LP #784062 reported by Ben Shum, and I think others?

Creating volumes was already covered.  The ability to delete volumes
without permission would be less often an issue in practice since you
would need permission to delete the volume's copies before you could
delete the volume itself.

Anyway, this should square things.

Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
---
 Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
index 152bb5014f..974390e40b 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
@@ -868,6 +868,8 @@ sub fleshed_volume_update {
         if( $vol->isdeleted ) {
 
             $logger->info("vol-update: deleting volume");
+            return $editor->event unless
+                $editor->allowed('UPDATE_VOLUME', $vol->owning_lib);
             my $cs = $editor->search_asset_copy(
                 { call_number => $vol->id, deleted => 'f' } );
             return OpenILS::Event->new(
@@ -912,6 +914,9 @@ sub update_volume {
     my $evt;
     my $merge_vol;
 
+    return {evt => $editor->event} unless
+        $editor->allowed('UPDATE_VOLUME', $vol->owning_lib);
+
     return {evt => $evt} 
         if ( $evt = OpenILS::Application::Cat::AssetCommon->org_cannot_have_vols($editor, $vol->owning_lib) );
 
-- 
2.11.0