use SL::FU;
use SL::IR;
use SL::IS;
+use SL::DB::BankTransactionAccTrans;
use SL::DB::Default;
use SL::DB::Department;
use SL::DB::PurchaseInvoice;
# end of main
+sub _may_view_or_edit_this_invoice {
+ return 1 if $::auth->assert('ap_transactions', 1); # may edit all invoices
+ return 0 if !$::form->{id}; # creating new invoices isn't allowed without invoice_edit
+ return 0 if !$::form->{globalproject_id}; # existing records without a project ID are not allowed
+ return SL::DB::Project->new(id => $::form->{globalproject_id})->load->may_employee_view_project_invoices(SL::DB::Manager::Employee->current);
+}
+
+sub _assert_access {
+ my $cache = $::request->cache('ap.pl::_assert_access');
+
+ $cache->{_may_view_or_edit_this_invoice} = _may_view_or_edit_this_invoice() if !exists $cache->{_may_view_or_edit_this_invoice};
+ $::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")) if ! $cache->{_may_view_or_edit_this_invoice};
+}
+
sub add {
$main::lxdebug->enter_sub();
sub edit {
$main::lxdebug->enter_sub();
+ # Delay access check to after the invoice's been loaded in
+ # "create_links" so that project-specific invoice rights can be
+ # evaluated.
+
my $form = $main::form;
my $locale = $main::locale;
- $main::auth->assert('vendor_invoice_edit');
-
$form->{show_details} = $::myconfig{show_form_details};
# show history button
sub invoice_links {
$main::lxdebug->enter_sub();
+ # Delay access check to after the invoice's been loaded so that
+ # project-specific invoice rights can be evaluated.
+
my $form = $main::form;
my %myconfig = %main::myconfig;
- $main::auth->assert('vendor_invoice_edit');
-
$form->{vc} = 'vendor';
# create links
$form->create_links("AP", \%myconfig, "vendor");
+ _assert_access();
+
$form->backup_vars(qw(payment_id language_id taxzone_id
currency delivery_term_id intnotes cp_id));
sub prepare_invoice {
$main::lxdebug->enter_sub();
+ _assert_access();
+
my $form = $main::form;
my %myconfig = %main::myconfig;
- $main::auth->assert('vendor_invoice_edit');
-
$form->{type} = "purchase_invoice";
if ($form->{id}) {
my $change_on_same_day_only = $::instance_conf->get_ir_changeable == 2 && ($form->current_date(\%::myconfig) ne $form->{gldate});
my $has_storno = ($::form->{storno} && !$::form->{storno_id});
my $payments_balanced = ($::form->{oldtotalpaid} == 0);
+ my $may_edit_create = $::auth->assert('vendor_invoice_edit', 1);
my $has_sepa_exports;
-
if ($form->{id}) {
my $invoice = SL::DB::Manager::PurchaseInvoice->find_by(id => $form->{id});
$has_sepa_exports = 1 if ($invoice->find_sepa_export_items()->[0]);
}
+ my $is_linked_bank_transaction;
+ if ($::form->{id}
+ && SL::DB::Default->get->payments_changeable != 0
+ && SL::DB::Manager::BankTransactionAccTrans->find_by(ap_id => $::form->{id})) {
+
+ $is_linked_bank_transaction = 1;
+ }
for my $bar ($::request->layout->get('actionbar')) {
$bar->add(
action => [
checks => [ 'kivi.validate_form' ],
id => 'update_button',
accesskey => 'enter',
+ disabled => !$may_edit_create ? t8('You must not change this invoice.') : undef,
],
combobox => [
submit => [ '#form', { action => "post" } ],
checks => [ 'kivi.validate_form' ],
checks => [ 'kivi.validate_form', 'kivi.AP.check_fields_before_posting', 'kivi.AP.check_duplicate_invnumber' ],
-
- disabled => $form->{locked} ? t8('The billing period has already been locked.')
+ disabled => !$may_edit_create ? t8('You must not change this invoice.')
+ : $form->{locked} ? t8('The billing period has already been locked.')
: $form->{storno} ? t8('A canceled invoice cannot be posted.')
: ($form->{id} && $change_never) ? t8('Changing invoices has been disabled in the configuration.')
: ($form->{id} && $change_on_same_day_only) ? t8('Invoices can only be changed on the day they are posted.')
+ : $is_linked_bank_transaction ? t8('This transaction is linked with a bank transaction. Please undo and redo the bank transaction booking if needed.')
: undef,
],
action => [
t8('Post Payment'),
submit => [ '#form', { action => "post_payment" } ],
checks => [ 'kivi.validate_form' ],
- disabled => !$form->{id} ? t8('This invoice has not been posted yet.') : undef,
+ disabled => !$may_edit_create ? t8('You must not change this invoice.')
+ : !$form->{id} ? t8('This invoice has not been posted yet.')
+ : $is_linked_bank_transaction ? t8('This transaction is linked with a bank transaction. Please undo and redo the bank transaction booking if needed.')
+ : undef,
],
action => [
t8('Mark as paid'),
submit => [ '#form', { action => "mark_as_paid" } ],
checks => [ 'kivi.validate_form' ],
confirm => t8('This will remove the invoice from showing as unpaid even if the unpaid amount does not match the amount. Proceed?'),
- disabled => !$form->{id} ? t8('This invoice has not been posted yet.') : undef,
+ disabled => !$may_edit_create ? t8('You must not change this invoice.')
+ : !$form->{id} ? t8('This invoice has not been posted yet.')
+ : undef,
only_if => $::instance_conf->get_ir_show_mark_as_paid,
],
], # end of combobox "Post"
submit => [ '#form', { action => "storno" } ],
checks => [ 'kivi.validate_form' ],
confirm => t8('Do you really want to cancel this invoice?'),
- disabled => !$form->{id} ? t8('This invoice has not been posted yet.')
- : $has_sepa_exports ? t8('This invoice has been linked with a sepa export, undo this first.')
- : !$payments_balanced ? t8('Cancelling is disallowed. Either undo or balance the current payments until the open amount matches the invoice amount')
- : undef,
+ disabled => !$may_edit_create ? t8('You must not change this invoice.')
+ : !$form->{id} ? t8('This invoice has not been posted yet.')
+ : $has_sepa_exports ? t8('This invoice has been linked with a sepa export, undo this first.')
+ : !$payments_balanced ? t8('Cancelling is disallowed. Either undo or balance the current payments until the open amount matches the invoice amount')
+ : undef,
],
action => [ t8('Delete'),
submit => [ '#form', { action => "delete" } ],
checks => [ 'kivi.validate_form' ],
confirm => t8('Do you really want to delete this object?'),
- disabled => !$form->{id} ? t8('This invoice has not been posted yet.')
- : $form->{locked} ? t8('The billing period has already been locked.')
- : $change_never ? t8('Changing invoices has been disabled in the configuration.')
- : $change_on_same_day_only ? t8('Invoices can only be changed on the day they are posted.')
- : $has_sepa_exports ? t8('This invoice has been linked with a sepa export, undo this first.')
- : $has_storno ? t8('Can only delete the "Storno zu" part of the cancellation pair.')
+ disabled => !$may_edit_create ? t8('You must not change this invoice.')
+ : !$form->{id} ? t8('This invoice has not been posted yet.')
+ : $form->{locked} ? t8('The billing period has already been locked.')
+ : $change_never ? t8('Changing invoices has been disabled in the configuration.')
+ : $change_on_same_day_only ? t8('Invoices can only be changed on the day they are posted.')
+ : $has_sepa_exports ? t8('This invoice has been linked with a sepa export, undo this first.')
+ : $has_storno ? t8('Can only delete the "Storno zu" part of the cancellation pair.')
+ : $is_linked_bank_transaction ? t8('This transaction is linked with a bank transaction. Please undo and redo the bank transaction booking if needed.')
: undef,
],
], # end of combobox "Storno"
t8('Use As New'),
submit => [ '#form', { action => "use_as_new" } ],
checks => [ 'kivi.validate_form' ],
- disabled => !$form->{id} ? t8('This invoice has not been posted yet.') : undef,
+ disabled => !$may_edit_create ? t8('You must not change this invoice.')
+ : !$form->{id} ? t8('This invoice has not been posted yet.')
+ : undef,
],
], # end of combobox "Workflow"
action => [
t8('Drafts'),
call => [ 'kivi.Draft.popup', 'ir', 'invoice', $::form->{draft_id}, $::form->{draft_description} ],
- disabled => $form->{id} ? t8('This invoice has already been posted.')
- : $form->{locked} ? t8('The billing period has already been locked.')
- : undef,
+ disabled => !$may_edit_create ? t8('You must not change this invoice.')
+ : $form->{id} ? t8('This invoice has already been posted.')
+ : $form->{locked} ? t8('The billing period has already been locked.')
+ : undef,
],
], # end of combobox "more"
);
sub form_header {
$main::lxdebug->enter_sub();
+ _assert_access();
+
my $form = $main::form;
my %myconfig = %main::myconfig;
my $locale = $main::locale;
my $cgi = $::request->{cgi};
- $main::auth->assert('vendor_invoice_edit');
-
my %TMPL_VAR = ();
my @custom_hiddens;
sub form_footer {
$main::lxdebug->enter_sub();
+ _assert_access();
+
my $form = $main::form;
my %myconfig = %main::myconfig;
my $locale = $main::locale;
- $main::auth->assert('vendor_invoice_edit');
-
$form->{invtotal} = $form->{invsubtotal};
$form->{oldinvtotal} = $form->{invtotal};
sub display_form {
$::lxdebug->enter_sub;
- $::auth->assert('vendor_invoice_edit');
+ _assert_access();
relink_accounts();
projects / kivitendo-erp.git / blobdiff