From e664df4cb7d02b5e5c29890c62cd0cb5c4a8883e Mon Sep 17 00:00:00 2001
From: Chris Sharp
Date: Tue, 14 Feb 2017 13:27:31 -0500
Subject: [PATCH] LP#16663435 - Stripe org settings lack view permissions.

Unprivileged users can retrieve organizational unit setting values for setting types lacking a "view" permission. When the feature adding Stripe credit card processing was added, the upgrade script neglected to add the VIEW_CREDIT_CARD_PROCESSING permission to the organizational unit setting type (which was included in 0396.data.org-setting-payflowpro.sql). Fresh installs are not affected, but anyone who upgraded through 0863.data.stripe-payments.sql (included in the 2.5.3-2.6.0-upgrade-db.sql version upgrade script) and is using Stripe credit card processing should run this script.

Signed-off-by: Chris Sharp
Signed-off-by: Jason Stephenson
Signed-off-by: Galen Charlton
---
 .../upgrade/XXXX.data.coust_view_perms_stripe.sql | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql

diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql
new file mode 100644
index 0000000000..438ec3016d
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.coust_view_perms_stripe.sql
@@ -0,0 +1,15 @@
+BEGIN;
+
+SELECT evergreen.upgrade_deps_block_check('XXXX', :eg_version);
+
+UPDATE config.org_unit_setting_type
+ SET view_perm = (SELECT id FROM permission.perm_list
+ WHERE code = 'VIEW_CREDIT_CARD_PROCESSING' LIMIT 1)
+ WHERE name LIKE 'credit.processor.stripe%' AND view_perm IS NULL;
+
+UPDATE config.org_unit_setting_type
+ SET update_perm = (SELECT id FROM permission.perm_list
+ WHERE code = 'ADMIN_CREDIT_CARD_PROCESSING' LIMIT 1)
+ WHERE name LIKE 'credit.processor.stripe%' AND update_perm IS NULL;
+
+COMMIT;
-- 
2.43.2
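Review bot: Both UPDATE statements fail open when the permission row is missing. The scalar subquery on `permission.perm_list` then yields NULL, so `view_perm` (or `update_perm`) is set to NULL again and the script still reaches `COMMIT;` without error, leaving the Stripe settings readable without a permission. Because this is a security fix, I would add a check just before `COMMIT;` that aborts the transaction if any `credit.processor.stripe%` row still has a NULL `view_perm` or `update_perm`, as sketched below. A header comment would also help upgraders, for example `-- Values in these settings were readable without a view permission until this script runs; treat any secret stored in them as exposed.`

```sql
-- … unchanged: BEGIN, upgrade_deps_block_check and the two UPDATE statements …

-- Abort instead of committing a silent no-op if either permission was not found.
DO $$
BEGIN
    IF EXISTS (
        SELECT 1
        FROM config.org_unit_setting_type
        WHERE name LIKE 'credit.processor.stripe%'
            AND (view_perm IS NULL OR update_perm IS NULL)
    ) THEN
        RAISE EXCEPTION 'Stripe org unit settings still lack view_perm or update_perm';
    END IF;
END
$$;

COMMIT;
```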