updating org settings now requires an explicit permission per setting
authorerickson <erickson@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Mon, 29 Sep 2008 15:26:52 +0000 (15:26 +0000)
committererickson <erickson@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Mon, 29 Sep 2008 15:26:52 +0000 (15:26 +0000)
git-svn-id: svn://svn.open-ils.org/ILS/trunk@10725 dcc99617-32d9-48b4-a31d-7c20da2025e4

Open-ILS/src/perlmods/OpenILS/Application/Actor.pm

index 7a7c219..322275d 100644 (file)
@@ -87,12 +87,13 @@ sub set_ou_settings {
 
     my $e = new_editor(authtoken => $auth, xact => 1);
     return $e->die_event unless $e->checkauth;
-    return $e->die_event unless $e->allowed('UPDATE_ORG_SETTING', $org_id);
 
        for my $name (keys %$settings) {
         my $val = $$settings{$name};
         my $set = $e->search_actor_org_unit_setting({org_unit => $org_id, name => $name})->[0];
 
+        return $e->die_event unless $e->allowed("UPDATE_ORG_UNIT_SETTING.$name", $org_id);
+
         if(defined $val) {
             $val = OpenSRF::Utils::JSON->perl2JSON($val);
             if($set) {