From 9ee51d00965663034ca8b9673d4447d5fd8b2e7e Mon Sep 17 00:00:00 2001
From: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
Date: Wed, 18 May 2011 17:26:58 -0400
Subject: [PATCH] Add permission checking for updating and deleting volumes.

This addresses LP #784062 reported by Ben Shum, and I think others?

Creating volumes was already covered.  The ability to delete volumes
without permission would be less often an issue in practice since you
would need permission to delete the volume's copies before you could
delete the volume itself.

Anyway, this should square things.

Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
---
 Open-ILS/src/perlmods/OpenILS/Application/Cat.pm | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/OpenILS/Application/Cat.pm
index 4d688124ba..4a9c12e7f2 100644
--- a/Open-ILS/src/perlmods/OpenILS/Application/Cat.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Cat.pm
@@ -751,6 +751,8 @@ sub fleshed_volume_update {
 		if( $vol->isdeleted ) {
 
 			$logger->info("vol-update: deleting volume");
+			return $editor->event unless
+				$editor->allowed('UPDATE_VOLUME', $vol->owning_lib);
 			my $cs = $editor->search_asset_copy(
 				{ call_number => $vol->id, deleted => 'f' } );
 			return OpenILS::Event->new(
@@ -795,6 +797,9 @@ sub update_volume {
 	my $evt;
     my $merge_vol;
 
+    return {evt => $editor->event} unless
+        $editor->allowed('UPDATE_VOLUME', $vol->owning_lib);
+
 	return {evt => $evt} 
         if ( $evt = OpenILS::Application::Cat::AssetCommon->org_cannot_have_vols($editor, $vol->owning_lib) );
 
-- 
2.11.0