From ec45ea05739ec350ed688fcf8e28781e696819f4 Mon Sep 17 00:00:00 2001 From: Lebbeous Fogle-Weekley Date: Wed, 18 May 2011 17:26:58 -0400 Subject: [PATCH] Add permission checking for updating and deleting volumes. This addresses LP #784062 reported by Ben Shum, and I think others? Creating volumes was already covered. The ability to delete volumes without permission would be less often an issue in practice since you would need permission to delete the volume's copies before you could delete the volume itself. Anyway, this should square things. Signed-off-by: Lebbeous Fogle-Weekley --- Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm index 152bb5014f..974390e40b 100644 --- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm +++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Cat.pm @@ -868,6 +868,8 @@ sub fleshed_volume_update { if( $vol->isdeleted ) { $logger->info("vol-update: deleting volume"); + return $editor->event unless + $editor->allowed('UPDATE_VOLUME', $vol->owning_lib); my $cs = $editor->search_asset_copy( { call_number => $vol->id, deleted => 'f' } ); return OpenILS::Event->new( @@ -912,6 +914,9 @@ sub update_volume { my $evt; my $merge_vol; + return {evt => $editor->event} unless + $editor->allowed('UPDATE_VOLUME', $vol->owning_lib); + return {evt => $evt} if ( $evt = OpenILS::Application::Cat::AssetCommon->org_cannot_have_vols($editor, $vol->owning_lib) ); -- 2.11.0