From 93d2557f3749f3731e8453951fd222b1fca0564b Mon Sep 17 00:00:00 2001
From: Jeff Davis
Date: Thu, 26 May 2022 14:43:58 -0700
Subject: [PATCH] LP#1966096: check permissions when deleting lineitem

Hitherto EG has only prevented you from deleting a lineitem if it's attached to a picklist belonging to someone else (in which case the deletion would silently fail). This commit checks whether you have the CREATE_PURCHASE_ORDER perm if the line item is attached to a purchase order, or else the CREATE_PICKLIST perm if the line item is attached to a picklist.
Signed-off-by: Jeff Davis
---
 .../src/perlmods/lib/OpenILS/Application/Acq/Lineitem.pm | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Lineitem.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Lineitem.pm
index d3178d6993..42dcbd2f72 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Lineitem.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Lineitem.pm
@@ -280,13 +280,16 @@ sub delete_lineitem {
 # XXX check state
- if($li->picklist) {
+ if($li->purchase_order) {
+ my $po = $e->retrieve_acq_purchase_order($li->purchase_order)
+ or return $e->die_event;
+ return OpenILS::Event->new('BAD_PARAMS')
+ unless ($e->allowed('CREATE_PURCHASE_ORDER', $po->ordering_agency, $po));
+ } elsif($li->picklist) {
 my $picklist = $e->retrieve_acq_picklist($li->picklist)
 or return $e->die_event;
- return OpenILS::Event->new('BAD_PARAMS')
- if $picklist->owner != $e->requestor->id;
- } else {
- # check PO perms
+ return OpenILS::Event->new('BAD_PARAMS')
+ unless ($e->allowed('CREATE_PICKLIST', $picklist->org_unit, $picklist));
 }
 # once a LI is attached to a PO, deleting it
--
2.11.0
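Review bot: A line item with neither `purchase_order` nor `picklist` set falls through both branches with no permission check, because the old `else` placeholder was removed rather than filled in; a closing `else { $e->rollback; return OpenILS::Event->new('BAD_PARAMS'); }` would make that case fail closed. Both denial paths also return a bare `BAD_PARAMS`, which hides the permission failure from the caller and, if the editor was opened with a transaction (the `die_event` calls suggest so, but it is not visible here), leaves it without a rollback; `return $e->die_event unless $e->allowed('CREATE_PURCHASE_ORDER', $po->ordering_agency, $po);` and the same form in the picklist branch would cover both. The picklist branch no longer compares `$picklist->owner` with the requestor, so any user holding CREATE_PICKLIST at that org unit can delete from another user's picklist; it is worth confirming this is intended and saying so in a comment. delete_lineitem begins and ends outside the hunk.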