From dac1ca991348e62a1e3104b04e61b34f5e2d2e77 Mon Sep 17 00:00:00 2001
From: erickson <erickson@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Date: Wed, 23 Jan 2008 18:03:33 +0000
Subject: [PATCH] repaired perm checks in fund retrieval

git-svn-id: svn://svn.open-ils.org/ILS/branches/acq-experiment@8483 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 .../src/perlmods/OpenILS/Application/Acq/Financials.pm  | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Acq/Financials.pm b/Open-ILS/src/perlmods/OpenILS/Application/Acq/Financials.pm
index b4d58d3eb6..160b77018d 100644
--- a/Open-ILS/src/perlmods/OpenILS/Application/Acq/Financials.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Acq/Financials.pm
@@ -112,7 +112,7 @@ __PACKAGE__->register_method(
 	method => 'retrieve_org_funds',
 	api_name	=> 'open-ils.acq.fund.org.retrieve',
 	signature => {
-        desc => 'Retrieves all the funds associated with an org unit',
+        desc => 'Retrieves all the funds associated with an org unit that the requestor has access to see',
         params => [
             {desc => 'Authentication token', type => 'string'},
             {desc => 'Org Unit ID', type => 'number'},
@@ -132,16 +132,21 @@ sub retrieve_org_funds {
     return $e->event unless $e->checkauth;
     return $e->event unless $e->allowed('VIEW_FUND', $org_id);
 
-    my $search = {owner => $org_id};
+    my $orglist = [$org_id];
     if($$options{full_path}) {
-        my $orglist = org_descendants($org_id);
+        $orglist = org_descendants($org_id);
         push(@$orglist, @{org_ancestors($org_id)});
-        $search = {owner => $orglist};
     } else {
-        $search = {owner => org_descendants($org_id)} if $$options{descendants};
-        $search = {owner => org_ancestors($org_id)} if $$options{ancestors};
+        $orglist = org_descendants($org_id) if $$options{descendants};
+        $orglist = org_ancestors($org_id) if $$options{ancestors};
     }
 
+    my @search_orgs;
+    for my $orgid (@$orglist) {
+        push(@search_orgs, $orgid) if $e->allowed('VIEW_FUND', $orgid);
+    }
+
+    my $search = {owner => \@search_orgs};
     my $funds = $e->search_acq_fund($search) or return $e->event;
     return $funds; 
 }
-- 
2.11.0