X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=SL%2FAP.pm;h=79b1fa802d45bc862e30307c288d66672a14b827;hb=c6913fd763664cb1d352c80317d3266c2af7dadc;hp=96e0c70a4e4a8f6b58df25eaadf16c8275e45229;hpb=25517b3d6cab7eb6c01a512979970ea4075e4a34;p=kivitendo-erp.git
diff --git a/SL/AP.pm b/SL/AP.pm
index 96e0c70a4..79b1fa802 100644
--- a/SL/AP.pm
+++ b/SL/AP.pm
@@ -478,7 +478,8 @@ sub ap_transactions {
 # Permissions:
 # - Always return invoices & AP transactions for projects the employee has "view invoices" permissions for, no matter what the other rules say.
 # - Exclude AP transactions if no permissions for them exist.
- # - Filter by employee if requested.
+ # - Limit to own invoices unless may edit all invoices.
+ # - If may edit all, allow filtering by employee.
 my (@permission_where, @permission_values);
 if ($::auth->assert('vendor_invoice_edit', 1)) {
@@ -486,9 +487,16 @@ sub ap_transactions {
 push @permission_where, "NOT invoice = 'f'"; # remove ap transactions from Purchase -> Reports -> Invoices
 }
- if ($form->{employee_id}) {
+ if (!$::auth->assert('purchase_all_edit', 1)) {
+ # only show own invoices
 push @permission_where, "a.employee_id = ?";
- push @permission_values, conv_i($form->{employee_id});
+ push @permission_values, SL::DB::Manager::Employee->current->id;
+
+ } else {
+ if ($form->{employee_id}) {
+ push @permission_where, "a.employee_id = ?";
+ push @permission_values, conv_i($form->{employee_id});
+ }
 }
 }
@@ -548,6 +556,14 @@ sub ap_transactions {
 $where .= " AND a.transdate <= ?";
 push(@values, trim($form->{transdateto}));
 }
+ if ($form->{duedatefrom}) {
+ $where .= " AND a.duedate >= ?";
+ push(@values, trim($form->{duedatefrom}));
+ }
+ if ($form->{duedateto}) {
+ $where .= " AND a.duedate <= ?";
+ push(@values, trim($form->{duedateto}));
+ }
 if ($form->{open} || $form->{closed}) {
 unless ($form->{open} && $form->{closed}) {
 $where .= " AND a.amount <> a.paid" if ($form->{open});
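Review bot: In the new `purchase_all_edit` branch, `SL::DB::Manager::Employee->current->id` is dereferenced without checking that `current` returned an object; if a login can exist without an employee record (not visible here), the report dies on an undefined value instead of denying cleanly. Failing closed is the right outcome, but it should be explicit, e.g. `my $me = SL::DB::Manager::Employee->current or die "no employee record for current login";` and then bind `$me->id`. Restricted users who submit `employee_id` now have it silently ignored, which is safe; a short comment saying this is deliberate would keep a later refactor from re-enabling the parameter. This filter only narrows the report query in `ap_transactions`, so it is worth confirming that the code paths loading a single invoice by id enforce the same ownership rule, since those lie outside this hunk. The enclosing `if ($::auth->assert('vendor_invoice_edit', 1))` block opens before the hunk.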
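Review bot: The two new `duedate` conditions test `$form->{duedatefrom}` and `$form->{duedateto}` before trimming, so a whitespace-only value passes the `if` and binds an empty string to the date comparison; the value is also not checked for being a date before it reaches the database. The placeholders keep this from being an injection problem, but malformed input will likely surface as a database error rather than a validation message. This mirrors the existing `transdateto` handling visible just above, so both could be fixed together: `my $due_from = trim($form->{duedatefrom});` followed by `if ($due_from) { $where .= " AND a.duedate >= ?"; push(@values, $due_from); }`. `ap_transactions` continues beyond the hunk.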