From 40c5373c1b96fcd5ab606805149b8e5fd0a1bb41 Mon Sep 17 00:00:00 2001
From: miker
Date: Tue, 8 Dec 2009 16:29:53 +0000
Subject: [PATCH] check session viability when retrieving resources or reservations, and VIEW_TRANSACTION permission on reservations
git-svn-id: svn://svn.open-ils.org/ILS/trunk@15100 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/src/perlmods/OpenILS/Application/Booking.pm | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Open-ILS/src/perlmods/OpenILS/Application/Booking.pm b/Open-ILS/src/perlmods/OpenILS/Application/Booking.pm
index 37dd22ecf9..5b43117b6a 100644
--- a/Open-ILS/src/perlmods/OpenILS/Application/Booking.pm
+++ b/Open-ILS/src/perlmods/OpenILS/Application/Booking.pm
@@ -153,6 +153,9 @@ sub resource_list_by_attrs {
 return undef unless ($filters->{type} || $filters->{attribute_values});
+ my $e = new_editor(authtoken=>$auth);
+ return $e->event unless $e->checkauth;
+
 my $query = {
 'select' => { brsrc => [ 'id' ] },
 'from' => { brsrc => {} },
@@ -284,6 +287,10 @@ sub reservation_list_by_filters {
 return undef unless ($filters->{user} || $filters->{resource} || $filters->{type} || $filters->{attribute_values});
+ my $e = new_editor(authtoken=>$auth);
+ return $e->event unless $e->checkauth;
+ return $e->event unless $e->allowed('VIEW_TRANSACTION');
+
 my $query = {
 'select' => { bresv => [ 'id' ] },
 'from' => { bresv => {} },
--
2.43.2
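Review bot: The session check in resource_list_by_attrs is added after the `return undef unless (...)` filter guard, so a call with no usable filters returns before the authtoken is ever validated; the same ordering appears in the reservation_list_by_filters hunk. No data is returned on that path, but putting authentication first keeps every exit of the method behind the same gate and gives callers a consistent no-session event. I would move `my $e = new_editor(authtoken=>$auth);` and `return $e->event unless $e->checkauth;` above the filter guard in both methods. Both function bodies start and end outside the hunks, so whether `$e` is also used for the query that follows cannot be confirmed from here.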
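Review bot: `$e->allowed('VIEW_TRANSACTION')` in reservation_list_by_filters is called without an org unit, so the check is presumably evaluated at the editor's default location for the requestor rather than at the org unit that owns the reservations the filters select. If that is the case, a staff login holding the permission at one branch could list reservation ids belonging to another. Consider passing the owning org explicitly, e.g. `return $e->event unless $e->allowed('VIEW_TRANSACTION', $owning_org);` (`$owning_org` is a placeholder for a value derived from the filters), and adding a comment stating whether a user asking for their own reservations via `$filters->{user}` is meant to need this permission. The query construction continues outside the hunk.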