From 66185ad790663bb1293ab546556d3e4c69edede3 Mon Sep 17 00:00:00 2001
From: Mike Rylander <mrylander@gmail.com>
Date: Thu, 19 Feb 2015 13:35:29 -0500
Subject: [PATCH] LP#1410369: PCRUD should respect the owning_user field

PCRUD should always respect the object owner, even when a context org is
specified.

[NOTE: use the -b option to diff to see the real change -- much is whitespace.]

Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Kathy Lussier <klussier@masslnc.org>
---
 Open-ILS/src/c-apps/oils_sql.c | 137 +++++++++++++++++++++--------------------
 1 file changed, 70 insertions(+), 67 deletions(-)

diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index 9cf65912f5..0d3205cd9e 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -1884,15 +1884,15 @@ static int verifyObjectPCRUD ( osrfMethodContext* ctx, osrfHash *class, const js
 	}
 
     // If there is an owning_user attached to the action, we allow that user and users with
-    // object perms on the object. CREATE can't use this. We only do this when there is no
-    // context org for this action, and when we're not ignoring object perms.
+    // object perms on the object. CREATE can't use this. We only do this when we're not
+    // ignoring object perms.
+    char* owning_user_field = osrfHashGet( pcrud, "owning_user" );
     if (
         *method_type != 'c' &&
-        !str_is_true( osrfHashGet(pcrud, "ignore_object_perms") ) && // Always honor
-        context_org_array->size == 0
+        (!str_is_true( osrfHashGet(pcrud, "ignore_object_perms") ) || // Always honor
+        owning_user_field)
     ) {
-        char* owning_user_field = osrfHashGet( pcrud, "owning_user" );
-        if (owning_user_field) {
+        if (owning_user_field) { // see if we can short-cut by comparing the owner to the requestor
 
             if (!param) { // We didn't get it during the context lookup
 			    pkey = osrfHashGet( class, "primarykey" );
@@ -1962,76 +1962,79 @@ static int verifyObjectPCRUD ( osrfMethodContext* ctx, osrfHash *class, const js
                 // Allow the owner to do whatever
                 if (ownerid == userid)
                     OK = 1;
+			}
+		}
+
+        i = 0;
+        while(	!OK &&
+				(perm = osrfStringArrayGetString(permission, i++)) &&
+				!str_is_true( osrfHashGet(pcrud, "ignore_object_perms"))
+		) {
+    		dbi_result result;
+
+			osrfLogDebug(
+				OSRF_LOG_MARK,
+				"Checking object permission [%s] for user %d "
+						"on object %s (class %s)",
+				perm,
+				userid,
+				pkey_value,
+				osrfHashGet( class, "classname" )
+			);
+
+			result = dbi_conn_queryf(
+				writehandle,
+				"SELECT permission.usr_has_object_perm(%d, '%s', '%s', '%s') AS has_perm;",
+				userid,
+				perm,
+				osrfHashGet( class, "classname" ),
+				pkey_value
+			);
+
+			if( result ) {
+				osrfLogDebug(
+					OSRF_LOG_MARK,
+					"Received a result for object permission [%s] "
+							"for user %d on object %s (class %s)",
+					perm,
+					userid,
+					pkey_value,
+					osrfHashGet( class, "classname" )
+				);
 
-                i = 0;
-	            while( !OK && (perm = osrfStringArrayGetString(permission, i++)) ) {
-            		dbi_result result;
+				if( dbi_result_first_row( result )) {
+					jsonObject* return_val = oilsMakeJSONFromResult( result );
+					const char* has_perm = jsonObjectGetString(
+							jsonObjectGetKeyConst( return_val, "has_perm" ));
 
 					osrfLogDebug(
 						OSRF_LOG_MARK,
-						"Checking object permission [%s] for user %d "
-								"on object %s (class %s)",
+						"Status of object permission [%s] for user %d "
+								"on object %s (class %s) is %s",
 						perm,
 						userid,
 						pkey_value,
-						osrfHashGet( class, "classname" )
-					);
-	
-					result = dbi_conn_queryf(
-						writehandle,
-						"SELECT permission.usr_has_object_perm(%d, '%s', '%s', '%s') AS has_perm;",
-						userid,
-						perm,
-						osrfHashGet( class, "classname" ),
-						pkey_value
+						osrfHashGet(class, "classname"),
+						has_perm
 					);
-	
-					if( result ) {
-						osrfLogDebug(
-							OSRF_LOG_MARK,
-							"Received a result for object permission [%s] "
-									"for user %d on object %s (class %s)",
-							perm,
-							userid,
-							pkey_value,
-							osrfHashGet( class, "classname" )
-						);
-	
-						if( dbi_result_first_row( result )) {
-							jsonObject* return_val = oilsMakeJSONFromResult( result );
-							const char* has_perm = jsonObjectGetString(
-									jsonObjectGetKeyConst( return_val, "has_perm" ));
-	
-							osrfLogDebug(
-								OSRF_LOG_MARK,
-								"Status of object permission [%s] for user %d "
-										"on object %s (class %s) is %s",
-								perm,
-								userid,
-								pkey_value,
-								osrfHashGet(class, "classname"),
-								has_perm
-							);
-	
-							if( *has_perm == 't' )
-								OK = 1;
-							jsonObjectFree( return_val );
-						}
-	
-						dbi_result_free( result );
-						if( OK )
-                            break;
-					} else {
-						const char* msg;
-						int errnum = dbi_conn_error( writehandle, &msg );
-						osrfLogWarning( OSRF_LOG_MARK,
-							"Unable to call check object permissions: %d, %s",
-							errnum, msg ? msg : "(No description available)" );
-						if( !oilsIsDBConnected( writehandle ))
-							osrfAppSessionPanic( ctx->session );
-					}
+
+					if( *has_perm == 't' )
+						OK = 1;
+					jsonObjectFree( return_val );
 				}
-            }
+
+				dbi_result_free( result );
+				if( OK )
+                    break;
+			} else {
+				const char* msg;
+				int errnum = dbi_conn_error( writehandle, &msg );
+				osrfLogWarning( OSRF_LOG_MARK,
+					"Unable to call check object permissions: %d, %s",
+					errnum, msg ? msg : "(No description available)" );
+				if( !oilsIsDBConnected( writehandle ))
+					osrfAppSessionPanic( ctx->session );
+			}
         }
     }
 
-- 
2.11.0