From 16927cd916a4bee17b4131e4eeeebbf9c18cf462 Mon Sep 17 00:00:00 2001
From: Colin Kuskie
Date: Mon, 24 May 2010 09:23:19 -0700
Subject: [PATCH] Make tokens and the EMS obey the token's view permissions. Fixes bug #11583
---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Asset/Sku/EMSToken.pm | 2 +-
 lib/WebGUI/Asset/Wobject/EventManagementSystem.pm | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index 46f0679d8..2c4fddd1d 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -4,6 +4,7 @@
 - fixed #11578: Collaboration System: add edit stamp uses wrong user
 - added #9774: More owner information in the gallery
 - fixed #11581: Calendar problems
+ - fixed #11583: EMS: Tokens do not follow their permissions
 7.9.5
 - Asset->www_copy now has a progress bar
diff --git a/lib/WebGUI/Asset/Sku/EMSToken.pm b/lib/WebGUI/Asset/Sku/EMSToken.pm
index 28bec87b4..38ccc1a4d 100644
--- a/lib/WebGUI/Asset/Sku/EMSToken.pm
+++ b/lib/WebGUI/Asset/Sku/EMSToken.pm
@@ -233,7 +233,7 @@ Takes form variable badgeId and add the token to the cart.
 sub www_addToCart {
 my ($self) = @_;
- return $self->session->privilege->noAccess() unless $self->getParent->canView;
+ return $self->session->privilege->noAccess() unless $self->getParent->canView && $self->canView;
 my $badgeId = $self->session->form->get('badgeId');
 $self->addToCart({badgeId=>$badgeId});
 return $self->getParent->www_buildBadge($badgeId);
diff --git a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
index 1ccce1362..3c4713911 100644
--- a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
+++ b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
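Review bot: `badgeId` in `www_addToCart` (lib/WebGUI/Asset/Sku/EMSToken.pm) still goes straight from the form into `addToCart` and `www_buildBadge`, with no visible check that the badge belongs to the current user; the new guard only covers view permission on the token and its parent. Whether those callees validate the id is not visible here, so an ownership check before `$self->addToCart({badgeId=>$badgeId});` is worth confirming, since otherwise the view check alone does not prevent a token being added against another registrant's badge. The postfix `unless` with a compound `&&` is also easy to misread; `return $self->session->privilege->noAccess() if !( $self->getParent->canView && $self->canView );` states the intent directly. The sub's closing brace is outside the hunk.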
@@ -1957,7 +1957,8 @@ sub www_getTokensAsJson {
 my ($db, $form) = $session->quick(qw(db form));
 my %results = ();
 $results{records} = []; ##Initialize to an empty array
- foreach my $token (@{$self->getTokens}) {
+ TOKEN: foreach my $token (@{$self->getTokens}) {
+ next TOKEN unless $token->canView;
 push(@{$results{records}}, {
 title => $token->getTitle,
 description => $token->get('description'),
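Review bot: Filtering inside the loop of `www_getTokensAsJson` protects only this one JSON listing; any other caller of `getTokens` still receives tokens the session user cannot view, so the rule would be safer in one place, for example `my @visible = grep { $_->canView } @{ $self->getTokens };` in a shared helper or in `getTokens` itself. The rest of the function is outside the hunk: if it reports a total or paging count taken from `getTokens` rather than from `$results{records}`, that count will now disagree with the rows returned and disclose how many hidden tokens exist. The diffstat lists only the changelog and the two modules, so no regression test accompanies the permission change; a case with a token the session user cannot view would pin both code paths.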