From 00f1a3023f143b1f2fcb854ceb45d0a2e1d48f2a Mon Sep 17 00:00:00 2001
From: Christophe Croullebois
Date: Thu, 8 Jun 2017 13:17:56 +0000
Subject: [PATCH] Bug 18756: Users can view aq.baskets even if they are not allowed

Due to bad use of grep syntax, if there is one or more Basket Users the result of grep is not equal to 0 and the borrower is allowed.

Test plan:
1- select system preference 'AcqViewBaskets' on 'user'
2- create 2 borrowers (A, B) with only permissions on acquisition: group_manage order_manage order_receive staff
3- login with A and create a basket
4- add a basket manager other than B
5- relog with account B
6- you can see the basket

Apply the patch.
The basket is no longer visible.
1- relog with A
2- add basket manager B
3- relog with B
5- you must see the basket

Signed-off-by: Josef Moravec
Signed-off-by: Nick Clemens
Signed-off-by: Mason James
--- C4/Acquisition.pm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/C4/Acquisition.pm b/C4/Acquisition.pm index 047db8871f..30fba207c9 100644 --- a/C4/Acquisition.pm +++ b/C4/Acquisition.pm @@ -792,8 +792,8 @@ sub CanUserManageBasket { if ($AcqViewBaskets eq 'user' && $basket->{authorisedby} != $borrowernumber - && grep($borrowernumber, GetBasketUsers($basketno)) == 0) { - return 0; + && ! grep { $borrowernumber eq $_ } GetBasketUsers($basketno)) { + return 0; } if ($AcqViewBaskets eq 'branch' && defined $basket->{branch} -- 2.39.5
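Review bot: The new membership test in CanUserManageBasket compares with string `eq` (`grep { $borrowernumber eq $_ }`) while the condition directly above it compares the same value numerically (`$basket->{authorisedby} != $borrowernumber`); pick one form for both, and `==` fits better if the values returned by GetBasketUsers are always numeric borrower numbers. Since this is an access-control decision and the diffstat shows only C4/Acquisition.pm changed, a unit test would be worth adding alongside it: one case where the basket has users but the caller is not among them (expect 0), and one where the caller is listed (expect access), so the old always-true grep behaviour cannot return unnoticed. The `return 0;` line is removed and re-added with identical visible text, which looks like a whitespace-only change; it would be cleaner to leave that line out of a security fix.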