# $locale->text('Workflow request_quotation');
# $locale->text('Workflow sales_quotation');
+my $oe_access_map = {
+ 'sales_order' => 'sales_order_edit',
+ 'purchase_order' => 'purchase_order_edit',
+ 'request_quotation' => 'request_quotation_edit',
+ 'sales_quotation' => 'sales_quotation_edit',
+};
+
+sub check_oe_access {
+ my $right = $oe_access_map->{$form->{type}};
+ $right ||= 'DOES_NOT_EXIST';
+
+ $auth->assert($right);
+}
+
sub set_headings {
$lxdebug->enter_sub();
+ check_oe_access();
+
my ($action) = @_;
if ($form->{type} eq 'purchase_order') {
sub add {
$lxdebug->enter_sub();
+ check_oe_access();
+
set_headings("add");
$form->{callback} =
- "$form->{script}?action=add&type=$form->{type}&vc=$form->{vc}&login=$form->{login}&password=$form->{password}"
+ "$form->{script}?action=add&type=$form->{type}&vc=$form->{vc}"
unless $form->{callback};
&order_links;
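Review bot: The rewritten callback still interpolates `$form->{vc}` straight into the query string; `type` is at least constrained by the preceding check_oe_access() (an unmapped type asserts on `DOES_NOT_EXIST`), but `vc` receives no such check here and is not URL-encoded, so a value containing `&`, `#` or `=` changes the callback's parameters. Either encode it with whatever URL-escape helper the Form class provides or reject anything but `customer`/`vendor` before building the string, e.g. `$form->{vc} = ($form->{vc} eq 'vendor') ? 'vendor' : 'customer';` ahead of the assignment. add's body continues outside this hunk.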
sub edit {
$lxdebug->enter_sub();
+
+ check_oe_access();
+
# show history button
$form->{javascript} = qq|<script type="text/javascript" src="js/show_history.js"></script>|;
#/show hhistory button
sub order_links {
$lxdebug->enter_sub();
+
+ check_oe_access();
+
# get customer/vendor
$form->all_vc(\%myconfig, $form->{vc}, ($form->{vc} eq 'customer') ? "AR" : "AP");
sub prepare_order {
$lxdebug->enter_sub();
+
+ check_oe_access();
+
$form->{formname} = $form->{type} unless $form->{formname};
my $i = 0;
$lxdebug->enter_sub();
my @custom_hiddens;
+ check_oe_access();
+
# Container for template variables. Unfortunately this has to be visible in form_footer too, so not my.
our %TMPL_VAR = ();
sub form_footer {
$lxdebug->enter_sub();
+ check_oe_access();
+
$form->{invtotal} = $form->{invsubtotal};
$rows = max 2, $form->numtextrows($form->{notes}, 25, 8);
my ($recursive_call) = shift;
+ check_oe_access();
+
set_headings($form->{"id"} ? "edit" : "add");
map { $form->{$_} = $form->parse_amount(\%myconfig, $form->{$_}) } qw(exchangerate creditlimit creditremaining) unless $recursive_call;
sub search {
$lxdebug->enter_sub();
+ check_oe_access();
+
if ($form->{type} eq 'purchase_order') {
$form->{title} = $locale->text('Purchase Orders');
$form->{vc} = 'vendor';
<tr>
<td><input name="l_id" class=checkbox type=checkbox value=Y> | . $locale->text('ID') . qq|</td>
<td><input name="l_$ordnumber" class=checkbox type=checkbox value=Y checked> $ordlabel</td>
+ </tr>
+ <tr>
<td><input name="l_transdate" class=checkbox type=checkbox value=Y checked> | . $locale->text('Date') . qq|</td>
<td><input name="l_reqdate" class=checkbox type=checkbox value=Y checked> | . $locale->text('Required by') . qq|</td>
</tr>
<br>
<input type=hidden name=nextsub value=orders>
-<input type=hidden name=login value=$form->{login}>
-<input type=hidden name=password value=$form->{password}>
<input type=hidden name=vc value=$form->{vc}>
<input type=hidden name=type value=$form->{type}>
sub orders {
$lxdebug->enter_sub();
+ check_oe_access();
+
$ordnumber = ($form->{type} =~ /_order$/) ? "ordnumber" : "quonumber";
($form->{ $form->{vc} }, $form->{"${form->{vc}}_id"}) = split(/--/, $form->{ $form->{vc} });
sub check_delivered_flag {
$lxdebug->enter_sub();
+ check_oe_access();
+
if (($form->{type} ne 'sales_order') && ($form->{type} ne 'purchase_order')) {
return $lxdebug->leave_sub();
}
sub save_and_close {
$lxdebug->enter_sub();
+ check_oe_access();
+
$form->{defaultcurrency} = $form->get_default_currency(\%myconfig);
if ($form->{type} =~ /_order$/) {
sub save {
$lxdebug->enter_sub();
+ check_oe_access();
+
$form->{defaultcurrency} = $form->get_default_currency(\%myconfig);
sub delete {
$lxdebug->enter_sub();
+ check_oe_access();
+
$form->header;
if ($form->{type} =~ /_order$/) {
map { delete $form->{$_} } qw(action header);
foreach $key (keys %$form) {
+ next if (($key eq 'login') || ($key eq 'password') || ('' ne ref $form->{$key}));
$form->{$key} =~ s/\"/"/g;
print qq|<input type=hidden name=$key value="$form->{$key}">\n|;
}
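Review bot: The new `next if` keeps login and password out of the echoed hidden fields, but every other request key still goes out as an unquoted attribute name in `name=$key`, and the value substitution on the following line escapes only the double quote, so a key containing whitespace or `>` breaks out of the tag; this predates the commit but the loop is being touched here. Consider `next unless $key =~ /\A[A-Za-z0-9_.\[\]-]+\z/;` after the credential check, and emitting the value through the same quoting used for the template path rather than a single substitution. The enclosing function starts outside this hunk.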
sub delete_order_quotation {
$lxdebug->enter_sub();
+ check_oe_access();
+
if ($form->{type} =~ /_order$/) {
$msg = $locale->text('Order deleted!');
$err = $locale->text('Cannot delete order!');
sub invoice {
$lxdebug->enter_sub();
+ check_oe_access();
+ $auth->assert($form->{type} eq 'purchase_order' || $form->{type} eq 'request_quotation' ? 'vendor_invoice_edit' : 'invoice_edit');
+
$form->{old_employee_id} = $form->{employee_id};
$form->{old_salesman_id} = $form->{salesman_id};
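Review bot: The added assert in invoice() relies on `||` binding tighter than `?:`, which is correct, but the bare expression reads as if only `request_quotation` selected the vendor right; parenthesising the condition makes the intent unmistakable for the next reader: `$auth->assert(($form->{type} eq 'purchase_order' || $form->{type} eq 'request_quotation') ? 'vendor_invoice_edit' : 'invoice_edit');`. A one-line comment such as `# purchase-side documents become vendor invoices, sales-side ones customer invoices` would also help. invoice's body continues outside this hunk.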
sub backorder_exchangerate {
$lxdebug->enter_sub();
+
+ check_oe_access();
+
my ($orddate, $buysell) = @_;
$form->header;
map { delete $form->{$_} } qw(action header exchangerate);
foreach $key (keys %$form) {
+ next if (($key eq 'login') || ($key eq 'password') || ('' ne ref $form->{$key}));
$form->{$key} =~ s/\"/"/g;
print qq|<input type=hidden name=$key value="$form->{$key}">\n|;
}
print qq|
-<input type=hidden name=login value=$form->{login}>
-<input type=hidden name=password value=$form->{password}>
-
<input type=hidden name=exchangeratedate value=$orddate>
<input type=hidden name=buysell value=$buysell>
sub save_as_new {
$lxdebug->enter_sub();
+ check_oe_access();
+
$form->{saveasnew} = 1;
$form->{closed} = 0;
map { delete $form->{$_} } qw(printed emailed queued);
sub check_for_direct_delivery_yes {
$lxdebug->enter_sub();
+ check_oe_access();
+
$form->{direct_delivery_checked} = 1;
delete @{$form}{grep /^shipto/, keys %{ $form }};
map { s/^CFDD_//; $form->{$_} = $form->{"CFDD_${_}"} } grep /^CFDD_/, keys %{ $form };
sub check_for_direct_delivery_no {
$lxdebug->enter_sub();
+ check_oe_access();
+
$form->{direct_delivery_checked} = 1;
delete @{$form}{grep /^shipto/, keys %{ $form }};
purchase_order();
sub check_for_direct_delivery {
$lxdebug->enter_sub();
+ check_oe_access();
+
if ($form->{direct_delivery_checked}
|| (!$form->{shiptoname} && !$form->{shiptostreet} && !$form->{shipto_id})) {
$lxdebug->leave_sub();
}
delete $form->{action};
- $form->{VARIABLES} = [ map { { "key" => $_, "value" => $form->{$_} } } grep { ref $_ eq "" } keys %{ $form } ];
+ $form->{VARIABLES} = [ map { { "key" => $_, "value" => $form->{$_} } } grep { ($_ ne 'login') && ($_ ne 'password') && (ref $_ eq "") } keys %{ $form } ];
$form->header();
print $form->parse_html_template("oe/check_for_direct_delivery");
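Review bot: The rewritten VARIABLES line still tests `ref $_`, where `$_` is the hash key and therefore always a plain string, so the intended exclusion of reference-valued entries never fires even though the new login/password filter does; the sibling hidden-field loops in this commit check the value with `'' ne ref $form->{$key}`. Change the grep to `grep { ($_ ne 'login') && ($_ ne 'password') && (ref $form->{$_} eq "") } keys %{ $form }` so array and hash refs are not stringified into the template. check_for_direct_delivery's body begins outside this hunk.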
sub purchase_order {
$lxdebug->enter_sub();
+ check_oe_access();
+ $auth->assert('purchase_order_edit');
+
if ($form->{type} eq 'sales_order') {
check_for_direct_delivery();
}
sub sales_order {
$lxdebug->enter_sub();
+ check_oe_access();
+ $auth->assert('sales_order_edit');
+
if ( $form->{type} eq 'sales_quotation'
|| $form->{type} eq 'request_quotation') {
OE->close_order(\%myconfig, $form);
sub poso {
$lxdebug->enter_sub();
+ check_oe_access();
+ $auth->assert('purchase_order_edit | sales_order_edit');
+
$form->{transdate} = $form->current_date(\%myconfig);
delete $form->{duedate};
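Review bot: The assert in poso() passes `'purchase_order_edit | sales_order_edit'` as a single string, which presumably relies on `$auth->assert` parsing a `|` expression rather than matching a literal right name; nothing in the hunk shows that, and a silent mismatch would either deny everyone or, depending on the implementation, grant on a partial match. If the expression syntax is supported, say so at the call site, e.g. `# either right suffices; assert() evaluates the '|' expression`, otherwise assert the two rights explicitly with `||` on the result of whatever check method returns a boolean. poso's body continues outside this hunk.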
sub e_mail {
$lxdebug->enter_sub();
+ check_oe_access();
+
$form->{print_and_save} = 1;
$print_post = 1;
save();
- my %saved_vars;
- map({ $saved_vars{$_} = $form->{$_}; } qw(id ordnumber quonumber));
- restore_form($saved_form);
- map({ $form->{$_} = $saved_vars{$_}; } qw(id ordnumber quonumber));
+ restore_form($saved_form, 0, qw(id ordnumber quonumber));
edit_e_mail();
sub display_form {
$lxdebug->enter_sub();
+ check_oe_access();
+
$form->{"taxaccounts"} =~ s/\s*$//;
$form->{"taxaccounts"} =~ s/^\s*//;
foreach my $accno (split(/\s*/, $form->{"taxaccounts"})) {