From ee5f74ca9cfff520be8883f82563b68218728756 Mon Sep 17 00:00:00 2001
From: Galen Charlton
Date: Thu, 13 Feb 2020 10:48:43 -0500
Subject: [PATCH] add permissions checks for retrieving POs and invoices via unified_search
Signed-off-by: Galen Charlton
---
 Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Financials.pm | 2 ++
 Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Invoice.pm | 7 ++-----
 Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Search.pm | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Financials.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Financials.pm
index 062a9d1e69..f4007248c5 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Financials.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Financials.pm
@@ -1033,6 +1033,8 @@ sub retrieve_purchase_order_impl {
 my $po = $e->retrieve_acq_purchase_order($args) or return $e->event;
+ return $e->event unless $e->allowed(['VIEW_INVOICE', 'CREATE_INVOICE'], $po->ordering_agency);
+
 if($$options{flesh_lineitems}) {
 my $flesh_fields = { jub => ['attributes'] };
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Invoice.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Invoice.pm
index 653a66411b..f94d3075da 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Invoice.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Invoice.pm
@@ -689,11 +689,8 @@ __PACKAGE__->register_method(
 );
-sub fetch_invoice_api {
- my($self, $conn, $auth, $invoice_id, $options) = @_;
-
- my $e = new_editor(authtoken=>$auth);
- return $e->event unless $e->checkauth;
+sub fetch_invoice_with_perm_check {
+ my($e, $invoice_id, $options) = @_;
 my $invoice = fetch_invoice_impl($e, $invoice_id, $options) or return $e->event;
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Search.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Search.pm
index 53acda4a22..8619f6f13a 100644
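Review bot: The new guard in retrieve_purchase_order_impl gates purchase-order retrieval on the invoice permissions `VIEW_INVOICE`/`CREATE_INVOICE`, which looks like a copy from the invoice path. As written, a user holding only invoice rights at `$po->ordering_agency` can read POs, while a user holding only purchase-order rights is refused. If the PO permissions are what is intended, the line would read `return $e->event unless $e->allowed(['VIEW_PURCHASE_ORDER', 'CREATE_PURCHASE_ORDER'], $po->ordering_agency);`. The sub starts and ends outside the hunk, so every other caller of this _impl helper now also gets the check and should be confirmed to handle an event return.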
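Review bot: Replacing fetch_invoice_api with fetch_invoice_with_perm_check leaves the `__PACKAGE__->register_method(` block that closes just above it without a visible handler; its arguments are outside the hunk, but if it still names fetch_invoice_api the published method will fail when called. The new sub also drops `new_editor` and `checkauth`, so it is only safe when the caller passes an editor that has already been authenticated, and that precondition deserves a comment on the sub. I would keep a thin API wrapper that authenticates and then delegates, as below. The rest of the sub, including the permission check its name promises, lies outside the hunk.

```perl
sub fetch_invoice_api {
    my($self, $conn, $auth, $invoice_id, $options) = @_;

    my $e = new_editor(authtoken=>$auth);
    return $e->event unless $e->checkauth;

    return fetch_invoice_with_perm_check($e, $invoice_id, $options);
}

# Caller must pass an editor on which checkauth has already succeeded.
sub fetch_invoice_with_perm_check {
    my($e, $invoice_id, $options) = @_;
    # … unchanged: fetch_invoice_impl call and the rest of the body …
```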
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Search.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/Acq/Search.pm
@@ -24,7 +24,7 @@ my %RETRIEVERS = (
 "OpenILS::Application::Acq::Financials::retrieve_purchase_order_impl"
 },
 "invoice" => \&{
- "OpenILS::Application::Acq::Invoice::fetch_invoice_impl"
+ "OpenILS::Application::Acq::Invoice::fetch_invoice_with_perm_check"
 },
 );
--
2.11.0
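Review bot: Pointing the "invoice" retriever at fetch_invoice_with_perm_check means it can now return a permission event instead of an invoice, and the code that consumes `%RETRIEVERS` is outside this hunk. It should be confirmed that the caller treats an event as a denial rather than passing it on as a result row, and that any path returning bare ids without calling a retriever is covered by an equivalent check. Because the target is resolved from a string via `\&{ "..." }`, a misspelt name only fails when the retriever is first called. A short comment such as `# retrievers receive an authenticated editor and must enforce view permissions themselves`, plus a test that calls each entry, would make that contract explicit.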