From 34f0b5daf6dfd6ba288bdf5de9c12397045d9ea3 Mon Sep 17 00:00:00 2001
From: erickson
Date: Thu, 7 Sep 2006 16:44:36 +0000
Subject: [PATCH] on user update/create/delete for updates and deleted, we check to see if the requestor has permission to update users in the exising users group (as it exists in the database) for all actions, we check to make sure the requestor has permission to put users into the requested group

git-svn-id: svn://svn.open-ils.org/ILS/trunk@6017 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 .../src/perlmods/OpenILS/Application/Actor.pm | 52 +++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm b/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
index 7efc92568c..06128b55d6 100644
--- a/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Actor.pm
@@ -193,12 +193,17 @@ sub update_patron {
 	my $session = $apputils->start_db_session();
 	my $err = undef;
+	$logger->info("Creating new patron...") if $patron->isnew;
 	$logger->info("Updating Patron: " . $patron->id) unless $patron->isnew;
 	my( $user_obj, $evt ) = $U->checkses($user_session);
 	return $evt if $evt;
+	$evt = check_group_perm($session, $user_obj, $patron);
+	return $evt if $evt;
+
+	# XXX does this user have permission to add/create users. Granularity?
 	# $new_patron is the patron in progress. $patron is the original patron
 	# passed in with the method. new_patron will change as the components
@@ -334,6 +339,53 @@ sub _add_patron {
 }
+sub check_group_perm {
+	my( $session, $requestor, $patron ) = @_;
+	my $evt;
+
+	# first let's see if the requestor has
+	# priveleges to update this user in any way
+	if( ! $patron->isnew ) {
+		my $p = $session->request(
+			'open-ils.storage.direct.actor.user.retrieve', $patron->id )->gather(1);
+		$evt = group_perm_failed($session, $requestor, $p);
+		return $evt if $evt;
+	}
+
+	# They are allowed to edit this patron.. can they put the
+	# patron into the group requested?
+	$evt = group_perm_failed($session, $requestor, $patron);
+	return $evt if $evt;
+	return undef;
+}
+
+
+sub group_perm_failed {
+	my( $session, $requestor, $patron ) = @_;
+
+	my $perm;
+	my $grp;
+	my $grpid = $patron->profile;
+
+	do {
+
+		$logger->debug("user update looking for group perm for group $grpid");
+		$grp = $session->request(
+			'open-ils.storage.direct.permission.grp_tree.retrieve', $grpid )->gather(1);
+		return OpenILS::Event->new('PERMISSION_GRP_TREE_NOT_FOUND') unless $grp;
+
+	} while( !($perm = $grp->application_perm) and ($grpid = $grp->parent) );
+
+	$logger->info("user update checking perm $perm on user ".
+		$requestor->id." for update/create on user username=".$patron->usrname);
+
+	my $evt = $U->check_perms($requestor->id, $patron->home_ou, $perm);
+	return $evt if $evt;
+	return undef;
+}
+
+
+
 sub _update_patron {
 	my( $session, $patron, $user_obj, $noperm) = @_;
-- 
2.43.2
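Review bot: In group_perm_failed, when no group on the path from `$patron->profile` up to the root carries an application_perm, the do/while exits with `$perm` still undef and the code goes on to call `$U->check_perms($requestor->id, $patron->home_ou, $perm)`; whether check_perms denies on an undefined permission name is not visible here, so the authorization outcome for that case rests on a helper failing closed rather than on this code. A guard after the loop, `return OpenILS::Event->new('PERMISSION_GRP_TREE_NOT_FOUND') unless $perm;` (or a more specific event if one exists), makes the denial explicit and also avoids the uninitialized-value warning from interpolating `$perm` into the following info log. Both calls from check_group_perm — the stored record and the requested profile — reach this same path, so one guard covers both. A short header comment on group_perm_failed would also help, e.g. `# Returns an event if $requestor lacks the application_perm of $patron's profile group (nearest ancestor that defines one) at $patron->home_ou; undef otherwise.`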