Revert "Zeiterfassung: SimpleSystemSettings für Typen"
[kivitendo-erp.git] / SL / Controller / TimeRecording.pm
index 0a171a6..44d54ca 100644 (file)
@@ -18,12 +18,13 @@ use SL::ReportGenerator;
 use Rose::Object::MakeMethods::Generic
 (
 # scalar                  => [ qw() ],
- 'scalar --get_set_init' => [ qw(time_recording models all_time_recording_types all_employees) ],
+ 'scalar --get_set_init' => [ qw(time_recording models all_time_recording_types all_employees can_view_all can_edit_all) ],
 );
 
 
 # safety
 __PACKAGE__->run_before('check_auth');
+__PACKAGE__->run_before('check_auth_edit', only => [ qw(edit save delete) ]);
 
 #
 # actions
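Review bot: The ownership check is wired as an allow-list (`only => [ qw(edit save delete) ]`), so any other action that reads `$::form->{id}` through `$self->time_recording` would load another employee's entry without the check; the action list is not visible in this hunk, so whether such an action exists cannot be confirmed here. Since `init_time_recording` does no ownership check of its own, the guarantee depends on this list being kept complete as actions are added. I would state that next to the hook: `# every action that loads an entry by $::form->{id} must be listed here; init_time_recording itself does not check ownership`. Alternatively the check could be moved into the loader so it fails closed by default.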
@@ -102,8 +103,9 @@ sub action_delete {
 }
 
 sub init_time_recording {
-  my $time_recording = ($::form->{id}) ? SL::DB::TimeRecording->new(id => $::form->{id})->load
-                                       : SL::DB::TimeRecording->new(start_time => DateTime->now_local);
+  my $is_new         = !$::form->{id};
+  my $time_recording = $is_new ? SL::DB::TimeRecording->new(start_time => DateTime->now_local)
+                               : SL::DB::TimeRecording->new(id => $::form->{id})->load;
 
   my %attributes = %{ $::form->{time_recording} || {} };
 
@@ -119,18 +121,36 @@ sub init_time_recording {
     }
   }
 
-  $attributes{staff_member_id} = $attributes{employee_id} = SL::DB::Manager::Employee->current->id;
+  # do not overwright staff member if you do not have the right
+  delete $attributes{staff_member_id} if !$_[0]->can_edit_all;
+  $attributes{staff_member_id} = SL::DB::Manager::Employee->current->id if $is_new;
+
+  $attributes{employee_id}     = SL::DB::Manager::Employee->current->id;
 
   $time_recording->assign_attributes(%attributes);
 
   return $time_recording;
 }
 
+sub init_can_view_all {
+  $::auth->assert('time_recording_show_all', 1) || $::auth->assert('time_recording_edit_all', 1)
+}
+
+sub init_can_edit_all {
+  $::auth->assert('time_recording_edit_all', 1)
+}
+
 sub init_models {
+  my ($self) = @_;
+
+  my @where;
+  push @where, (staff_member_id => SL::DB::Manager::Employee->current->id) if !$self->can_view_all;
+
   SL::Controller::Helper::GetModels->new(
     controller     => $_[0],
     sorted         => \%sort_columns,
     disable_plugin => 'paginated',
+    query          => \@where,
     with_objects   => [ 'customer', 'type', 'project', 'staff_member', 'employee' ],
   );
 }
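Review bot: Stripping `staff_member_id` from `%attributes` keys the guard on one hash key, but `assign_attributes` is handed the whole form hash, so if the form can also carry the relationship key (`staff_member`) the restriction would be bypassed — I cannot tell from this hunk which keys the form submits, so this needs confirming against the template. The guard also reaches the controller via `$_[0]->can_edit_all` while `init_models` right below unpacks `$self`; unpacking `my ($self) = @_;` at the top of `init_time_recording` (which begins above this hunk) and writing `delete $attributes{staff_member_id} if !$self->can_edit_all;` keeps the two consistent. The comment has a typo: `# do not overwrite the staff member unless the user may edit everyone's entries`.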
@@ -147,6 +167,14 @@ sub check_auth {
   $::auth->assert('time_recording');
 }
 
+sub check_auth_edit {
+  my ($self) = @_;
+
+  if (!$self->can_edit_all && ($self->time_recording->staff_member_id != SL::DB::Manager::Employee->current->id)) {
+    $::form->error(t8('You do not have permission to access this entry.'));
+  }
+}
+
 sub prepare_report {
   my ($self) = @_;
 
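Review bot: `check_auth_edit` compares `staff_member_id` numerically without a definedness check, so an entry whose `staff_member_id` is NULL (if such rows exist — not visible here) produces an "uninitialized" warning and is denied to everyone except edit_all users; that is fail-closed, but the intent should be explicit: `my $owner_id = $self->time_recording->staff_member_id;` followed by `if (!$self->can_edit_all && (!defined $owner_id || $owner_id != SL::DB::Manager::Employee->current->id)) {`. A short header comment would also help, e.g. `# before edit/save/delete: only the owner of an entry, or a user with time_recording_edit_all, may touch it; the loaded record already has form attributes merged, but non-privileged users cannot change staff_member_id`.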
@@ -186,7 +214,7 @@ sub prepare_report {
   $report->set_options_from_form;
 
   $self->models->disable_plugin('paginated') if $report->{options}{output_format} =~ /^(pdf|csv)$/i;
-  #$self->models->add_additional_url_params();
+  $self->models->add_additional_url_params(filter => $::form->{filter});
   $self->models->finalize;
   $self->models->set_report_generator_sort_options(report => $report, sortable_columns => [keys %sort_columns]);