From 9800895cabade7ad8d78ff986a9a156f3962efa2 Mon Sep 17 00:00:00 2001
From: Christophe Croullebois <christophe.croullebois@biblibre.com>
Date: Thu, 8 Jun 2017 13:17:56 +0000
Subject: [PATCH] Bug 18756: Users can view aq.baskets even if they are not
 allowed

Due to bad use of grep syntax if there is one or more Basket Users the result of grep is not equal to 0 and the borrower is allowed.

Test plan :
1- select system preference 'AcqViewBaskets' on 'user'
2- create 2 borrowers (A, B) with only permissions on acquisition :
group_manage
order_manage
order_receive
staff
3- login with A and create a basket
4- add a basquet manager other than B
5- relog with account B
6- you can see the basket

Apply the patch.
The basket is no longer visible.
1- relog with A
2- add basquet manager B
3- relog with B
5- you must see the basket

Signed-off-by: Josef Moravec <josef.moravec@gmail.com>

Signed-off-by: Nick Clemens <nick@bywatersolutions.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
(cherry picked from commit 0c09adbfc87b950b9f08aebede131ba694997290)
Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com>
---
 C4/Acquisition.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/C4/Acquisition.pm b/C4/Acquisition.pm
index 4c2ead7281..ecd382ca2a 100644
--- a/C4/Acquisition.pm
+++ b/C4/Acquisition.pm
@@ -805,8 +805,8 @@ sub CanUserManageBasket {
 
         if ($AcqViewBaskets eq 'user'
         && $basket->{authorisedby} != $borrowernumber
-        && grep($borrowernumber, GetBasketUsers($basketno)) == 0) {
-            return 0;
+        && ! grep { $borrowernumber eq $_ } GetBasketUsers($basketno)) {
+             return 0;
         }
 
         if ($AcqViewBaskets eq 'branch' && defined $basket->{branch}
-- 
2.39.5