X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=SL%2FController%2FOrder.pm;h=87a9e9cf4f836c36852ce3156b140c5bf26461a3;hb=3ad96f211f51589c061900f0dfad4cd1daedd2f6;hp=d605f666e67d39f6e740b055faa50fba4453ebd9;hpb=2065624062cd59d7d21a6e1f39ae433a9668301e;p=kivitendo-erp.git

diff --git a/SL/Controller/Order.pm b/SL/Controller/Order.pm
index d605f666e..87a9e9cf4 100644
--- a/SL/Controller/Order.pm
+++ b/SL/Controller/Order.pm
@@ -56,6 +56,9 @@ use Rose::Object::MakeMethods::Generic
 # safety
 __PACKAGE__->run_before('check_auth');
 
+__PACKAGE__->run_before('check_auth_save',
+                        except => [ qw(edit show_customer_vendor_details_dialog price_popup load_second_rows) ]);
+
 __PACKAGE__->run_before('recalc',
                         only => [ qw(save save_as_new save_and_delivery_order save_and_invoice save_and_invoice_for_advance_payment save_and_final_invoice save_and_ap_transaction
                                      print send_email) ]);
@@ -301,7 +304,8 @@ sub action_print {
   my $doc_filename          = $form->generate_attachment_filename();
 
   my $doc;
-  my @errors = $self->generate_doc(\$doc, { format     => $format,
+  my @errors = $self->generate_doc(\$doc, { media      => $media,
+                                            format     => $format,
                                             formname   => $formname,
                                             language   => $self->order->language,
                                             printer_id => $printer_id,
@@ -368,7 +372,8 @@ sub action_preview_pdf {
   my $pdf_filename          = $form->generate_attachment_filename();
 
   my $pdf;
-  my @errors = $self->generate_doc(\$pdf, { format     => $format,
+  my @errors = $self->generate_doc(\$pdf, { media      => $media,
+                                            format     => $format,
                                             formname   => $formname,
                                             language   => $self->order->language,
                                           });
@@ -1368,6 +1373,17 @@ sub init_part_picker_classification_ids {
 sub check_auth {
   my ($self) = @_;
 
+  my $right_for = { map { $_ => $_.'_edit' . ' | ' . $_.'_view' } @{$self->valid_types} };
+
+  my $right   = $right_for->{ $self->type };
+  $right    ||= 'DOES_NOT_EXIST';
+
+  $::auth->assert($right);
+}
+
+sub check_auth_save {
+  my ($self) = @_;
+
   my $right_for = { map { $_ => $_.'_edit' } @{$self->valid_types} };
 
   my $right   = $right_for->{ $self->type };
@@ -2016,6 +2032,11 @@ sub setup_edit_action_bar {
     $has_final_invoice               = any {'SL::DB::Invoice' eq ref $_ && "final_invoice" eq $_->type} @$lr;
   }
 
+  my $right_for = { map { $_ => $_.'_edit' } @{$self->valid_types} };
+  my $right     = $right_for->{ $self->type };
+  $right      ||= 'DOES_NOT_EXIST';
+
+  if ($::auth->assert($right, 1)) {
   for my $bar ($::request->layout->get('actionbar')) {
     $bar->add(
       combobox => [
@@ -2162,6 +2183,12 @@ sub setup_edit_action_bar {
         only_if  => $deletion_allowed,
       ],
 
+    );
+  }
+  }
+
+  for my $bar ($::request->layout->get('actionbar')) {
+    $bar->add(
       combobox => [
         action => [
           t8('more')
@@ -2180,6 +2207,7 @@ sub setup_edit_action_bar {
       ], # end of combobox "more"
     );
   }
+
 }
 
 sub generate_doc {