From b17e3b14d28839739764ce4c29bd3bec01f0fc3c Mon Sep 17 00:00:00 2001
From: Thomas Berezansky
Date: Thu, 16 Jun 2011 17:03:36 -0400
Subject: [PATCH] Delete protection - Ensure you can touch group
Same protection editing a user seems to get: If you don't have the right group_application.user perm, reject
Signed-off-by: Thomas Berezansky
Signed-off-by: Dan Wells
---
 Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
index 5e704b44c8..1f0fa939a3 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Actor.pm
@@ -3515,7 +3515,13 @@ sub really_delete_user {
 my $e = new_editor(authtoken => $auth, xact => 1);
 return $e->die_event unless $e->checkauth;
 my $user = $e->retrieve_actor_user($user_id) or return $e->die_event;
+ # No deleting yourself - UI is supposed to stop you first, though.
+ return $e->die_event unless $e->requestor->id != $user->id;
 return $e->die_event unless $e->allowed('DELETE_USER', $user->home_ou);
+ # Check if you are allowed to mess with this patron permission group at all
+ my $session = OpenSRF::AppSession->create( "open-ils.storage" );
+ my $evt = group_perm_failed($session, $e->requestor, $user);
+ return $e->die_event($evt) if $evt;
 my $stat = $e->json_query(
 {from => ['actor.usr_delete', $user_id, $dest_user_id]})->[0]
 or return $e->die_event;
-- 
2.11.0
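Review bot: The `open-ils.storage` AppSession created for the `group_perm_failed` call is never disconnected, neither on the `return $e->die_event($evt) if $evt;` path nor after the check passes, so every call of really_delete_user leaves a session behind; add `$session->disconnect;` directly after `my $evt = group_perm_failed($session, $e->requestor, $user);` and before the early return (assuming the same `disconnect` the module's other callers of group_perm_failed use on their session). The new self-delete guard is good to have on the server side regardless of the UI, but `unless ... != ...` is a double negative; `return $e->die_event if $e->requestor->id == $user->id;` reads more directly, and the comment should state that this server check is the authoritative one rather than that the UI is expected to stop it first. Both new rejections return the editor's generic event with no detail, so a caller cannot tell a self-delete refusal from a group-permission refusal; if a more specific event exists for the self-delete case it would help the client. The body of really_delete_user continues past the end of the hunk.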