From e524c68ffba4cc7fb342b280409c810cec4b259f Mon Sep 17 00:00:00 2001
From: Jason Stephenson <jstephenson@mvlc.org>
Date: Mon, 11 Jun 2012 16:12:54 -0400
Subject: [PATCH] Security fix for Launchpad Bug 1003052.

Bug reported by James Fournie:

Revoking the UPDATE_MARC permission doesn't actually seem to prevent a
user from editing a record. Our use case is that we would like a user
to create new records but not edit existing MARC records.

Changing CREATE_MARC to UPDATE_MARC in OpenILS::Application::Cat's
biblio_record_replace_marc() method seems to fix the problem.

Signed-off-by: Jason Stephenson <jstephenson@mvlc.org>
Signed-off-by: Lebbeous Fogle-Weekley <lebbeous@esilibrary.com>
---
 Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
index a442aff233..b9b79bee32 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm
@@ -159,7 +159,7 @@ sub biblio_record_replace_marc  {
     my( $self, $conn, $auth, $recid, $newxml, $source, $oargs ) = @_;
     my $e = new_editor(authtoken=>$auth, xact=>1);
     return $e->die_event unless $e->checkauth;
-    return $e->die_event unless $e->allowed('CREATE_MARC', $e->requestor->ws_ou);
+    return $e->die_event unless $e->allowed('UPDATE_MARC', $e->requestor->ws_ou);
 
     my $fix_tcn = $self->api_name =~ /replace/o;
     if($self->api_name =~ /override/o) {
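Review bot: The corrected `$e->allowed('UPDATE_MARC', $e->requestor->ws_ou)` line has no comment or regression test pinning why this permission applies, and the original defect was a wrong permission name that nothing caught. I would add a comment above it such as `# Replacing the MARC of an existing record is an update: require UPDATE_MARC, not CREATE_MARC.` and a test asserting that a requestor holding CREATE_MARC but not UPDATE_MARC gets the permission-failure event. The sub branches on `api_name` (the `replace` and `override` matches just below), so that test should presumably cover each API name routed through this check. The check is evaluated at the requestor's workstation org unit and does not involve `$recid`; that may be intended, but it is worth confirming that it matches how UPDATE_MARC is meant to be scoped. The body of biblio_record_replace_marc continues outside the hunk, and other methods in Cat.pm that modify existing records are not visible here, so they are worth auditing for the same CREATE_MARC/UPDATE_MARC mix-up.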
-- 
2.11.0