From 4d1cb47c383e1686f4b2a55c1f3e906db1d8c4a4 Mon Sep 17 00:00:00 2001
From: Galen Charlton <gmc@equinoxinitiative.org>
Date: Thu, 13 Feb 2020 16:49:46 -0500
Subject: [PATCH] LP#1863386: link ADMIN_CAROUSEL permission to appropriate OU
 context

This patch restricts pcrud retrieval and modification of templates
to users who have ADMIN_CAROUSEL in the relevant carousel owner OU
rather than requiring global_required.

To test
-------
[1] Apply the patch.
[2] Ensure that a user with ADMIN_CAROUSEL privileges at a depth
    lower than "Consortium" can only view and edit carousel
    definitions at OUs applicable to their working libraries.

Signed-off-by: Galen Charlton <gmc@equinoxinitiative.org>
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jennifer Weston <jennifer.weston@equinoxinitiative.org>
---
 Open-ILS/examples/fm_IDL.xml | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/Open-ILS/examples/fm_IDL.xml b/Open-ILS/examples/fm_IDL.xml
index b32557a9a5..9d537631fe 100644
--- a/Open-ILS/examples/fm_IDL.xml
+++ b/Open-ILS/examples/fm_IDL.xml
@@ -13020,10 +13020,10 @@ SELECT  usr,
 		</links>
 		<permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
 			<actions>
-				<create permission="ADMIN_CAROUSEL" global_required="true"/>
-				<retrieve/>
-				<update permission="ADMIN_CAROUSEL" global_required="true"/>
-				<delete permission="ADMIN_CAROUSEL" global_required="true"/>
+				<create permission="ADMIN_CAROUSEL" context_field="owner"/>
+				<retrieve permission="ADMIN_CAROUSEL" context_field="owner"/>
+				<update permission="ADMIN_CAROUSEL" context_field="owner"/>
+				<delete permission="ADMIN_CAROUSEL" context_field="owner"/>
 			</actions>
 		</permacrud>
 	</class>
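Review bot: The new `<retrieve permission="ADMIN_CAROUSEL" context_field="owner"/>` replaces an unrestricted `<retrieve/>`, so any caller that reads these rows through pcrud without ADMIN_CAROUSEL at the owner OU will stop seeing them; the `<retrieve>` in the second hunk changes the same way. The commit message states this is intended, but the hunk does not show whether any read-only consumer relies on pcrud for this class, so that should be confirmed before merging. For `<update>` with `context_field="owner"`, please also confirm whether the check runs against the stored owner, the submitted owner, or both, because checking only one side would let a locally scoped admin move a row into or out of an OU they do not administer. A short comment above `<actions>`, such as `<!-- ADMIN_CAROUSEL is checked at the carousel's owner OU -->`, would record the intent. The enclosing `<class>` element opens outside the hunk.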
@@ -13046,10 +13046,18 @@ SELECT  usr,
 		</links>
 		<permacrud xmlns="http://open-ils.org/spec/opensrf/IDL/permacrud/v1">
 			<actions>
-				<create permission="ADMIN_CAROUSEL" global_required="true"/>
-				<retrieve/>
-				<update permission="ADMIN_CAROUSEL" global_required="true"/>
-				<delete permission="ADMIN_CAROUSEL" global_required="true"/>
+				<create permission="ADMIN_CAROUSEL">
+				    <context link="carousel" field="owner" />
+				</create>
+				<retrieve permission="ADMIN_CAROUSEL">
+				    <context link="carousel" field="owner" />
+				</retrieve>
+				<update permission="ADMIN_CAROUSEL">
+				    <context link="carousel" field="owner" />
+				</update>
+				<delete permission="ADMIN_CAROUSEL">
+				    <context link="carousel" field="owner" />
+				</delete>
 			</actions>
 		</permacrud>
 	</class>
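Review bot: The four `<context link="carousel" field="owner" />` lines are indented with tabs followed by four spaces, while the surrounding lines use tabs only; replacing the spaces with one more tab would match the rest of the file. Authorization for this class now depends entirely on the `carousel` link resolving to a row that has an owner. It is worth testing that a create or update whose `carousel` value is missing or does not resolve is denied, since the hunk alone cannot show how pcrud handles an empty context. The test plan in the commit message covers viewing and editing carousel definitions but does not mention rows of this linked class, so a step for them would help. The enclosing `<class>` element opens outside the hunk.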
-- 
2.11.0