# Permissions:
# - Always return invoices & AP transactions for projects the employee has "view invoices" permissions for, no matter what the other rules say.
# - Exclude AP transactions if no permissions for them exist.
- # - Filter by employee if requested.
+ # - Limit to own invoices unless may edit all invoices.
+ # - If may edit all, allow filtering by employee.
my (@permission_where, @permission_values);
if ($::auth->assert('vendor_invoice_edit', 1)) {
push @permission_where, "NOT invoice = 'f'"; # remove ap transactions from Purchase -> Reports -> Invoices
}
- if ($form->{employee_id}) {
+ if (!$::auth->assert('purchase_all_edit', 1)) {
+ # only show own invoices
push @permission_where, "a.employee_id = ?";
- push @permission_values, conv_i($form->{employee_id});
+ push @permission_values, SL::DB::Manager::Employee->current->id;
+
+ } else {
+ if ($form->{employee_id}) {
+ push @permission_where, "a.employee_id = ?";
+ push @permission_values, conv_i($form->{employee_id});
+ }
}
}
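Review bot: `SL::DB::Manager::Employee->current->id` on the added line is dereferenced without a check; if `current` can return undef for a login with no employee row (not visible here, so presumably), this dies with "Can't call method id on an undefined value" instead of a readable error, so `my $employee = SL::DB::Manager::Employee->current or die 'no employee record for current login';` followed by `push @permission_values, $employee->id;` would fail with context. The two later hunks that restrict to the own employee (the `dord.employee_id` and `o.employee_id` subselects on `$::myconfig{login}`) resolve the same identity differently; picking one mechanism for all three would keep the permission filters consistent. The `+` blank line before `} else {` is surplus. A one-line comment in the `if` branch would also document that a requested `$form->{employee_id}` is deliberately ignored for users without `purchase_all_edit`, e.g. `# employee filter ignored: restricted to own invoices anyway`.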
sub action_get_delivery {
my ($self) = @_;
- $::auth->assert('sales_all_edit');
+ $::auth->assert('sales_all_edit') if $self->is_customer();
+ $::auth->assert('purchase_all_edit') if $self->is_vendor();
my $dbh = $::form->get_standard_dbh();
}
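Review bot: The two guarded asserts replace one unconditional assert, so when neither `is_customer` nor `is_vendor` is true no right is checked at all and the action proceeds unprotected; the old code always demanded `sales_all_edit`. Unless both predicates are guaranteed to be mutually exhaustive (not visible in the hunk), a single fail-closed form such as `$::auth->assert($self->is_vendor ? 'purchase_all_edit' : 'sales_all_edit');` keeps the previous behaviour for the non-vendor case and requires exactly one right. The body of `action_get_delivery` continues beyond the hunk.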
sub init_all_edit_right {
- $::auth->assert('sales_all_edit', 1)
+ return $_[0]->vc eq 'customer' ? $::auth->assert('sales_all_edit', 1) : $::auth->assert('purchase_all_edit', 1);
}
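Review bot: The new `init_all_edit_right` reads the invocant as `$_[0]->vc` inline in a ternary, which is harder to read than the file's usual `my ($self) = @_;` unpacking; `my ($self) = @_;` and `return $self->vc eq 'customer' ? $::auth->assert('sales_all_edit', 1) : $::auth->assert('purchase_all_edit', 1);` reads the same as the other methods. It relies on `init_vc` croaking for any value other than `customer`/`vendor`, so the `else` branch is only reached for vendors; a short comment stating that, e.g. `# init_vc already rejects anything but customer/vendor`, would make the ternary's fallthrough intentional rather than accidental.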
sub init_vc {
return $::form->{vc} if ($::form->{vc} eq 'customer' || $::form->{vc} eq 'vendor') || croak "self (DeliveryPlan) has no vc defined";
push @where, "dord.$item = ?";
push @values, conv_i($form->{$item});
}
- if (!$main::auth->assert('sales_all_edit', 1)) {
+ if ( !(($vc eq 'customer' && $main::auth->assert('sales_all_edit', 1)) || ($vc eq 'vendor' && $main::auth->assert('purchase_all_edit', 1))) ) {
push @where, qq|dord.employee_id = (select id from employee where login= ?)|;
push @values, $::myconfig{login};
}
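Review bot: The rewritten condition depends on a `$vc` variable that is assigned outside this hunk; confirm it is the lexical holding the form's vc at this point, because if it is undef both branches are false and the query falls back to the own-employee restriction (fail-closed, but under `use warnings` it emits an uninitialized-value warning on every report). The same long expression is duplicated verbatim in the `o.employee_id` hunk below; hoisting it into a named boolean, `my $may_edit_all = ($vc eq 'customer' && $main::auth->assert('sales_all_edit', 1)) || ($vc eq 'vendor' && $main::auth->assert('purchase_all_edit', 1));` then `if (!$may_edit_all) {`, states the intent and keeps the fail-closed default for any other vc. The enclosing function starts outside the hunk.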
push(@values, (like($form->{"cp_name"}))x2);
}
- if (!$main::auth->assert('sales_all_edit', 1)) {
+ if ( !(($vc eq 'customer' && $main::auth->assert('sales_all_edit', 1)) || ($vc eq 'vendor' && $main::auth->assert('purchase_all_edit', 1))) ) {
$query .= " AND o.employee_id = (select id from employee where login= ?)";
push @values, $::myconfig{login};
}
[%- INCLUDE 'common/flash.html' %]
+ [%- SET show_deliveries = ( SELF.cv.id && ((SELF.is_customer && AUTH.assert('sales_all_edit', 1)) || (SELF.is_vendor && AUTH.assert('purchase_all_edit', 1))) ) -%]
<div class="tabwidget" id="customer_vendor_tabs">
<ul>
<li><a href="#billing">[% 'Billing Address' | $T8 %]</a></li>
<li><a href="#bank">[% 'Bank account' | $T8 %]</a></li>
<li><a href="#shipto">[% 'Shipping Address' | $T8 %]</a></li>
<li><a href="#contacts">[% 'Contacts' | $T8 %]</a></li>
- [% IF ( SELF.cv.id && AUTH.assert('sales_all_edit', 1) ) %]
+ [% IF show_deliveries %]
<li><a href="#deliveries">[% 'Supplies' | $T8 %]</a></li>
[%- IF INSTANCE_CONF.get_doc_storage %]
<li><a href="controller.pl?action=File/list&file_type=attachment&object_type=[% FORM.db == 'vendor' ? 'vendor' : 'customer' %]&object_id=[% SELF.cv.id %]">[% 'Attachments' | $T8 %]</a></li>
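Review bot: `show_deliveries` restates the customer/vendor right-selection that the controller already encodes in `action_get_delivery` and `init_all_edit_right`, so the tab visibility and the server-side check can drift apart if one of them is changed alone. Since the template only hides the tab while the controller assert is the actual enforcement, exposing the decision from the controller (a method returning the applicable right, name to be chosen, called from both places) would keep them in sync; the second `IF show_deliveries` further down correctly reuses the variable. The `INSTANCE_CONF.get_doc_storage` block opened at the end of the hunk closes outside it.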
[% PROCESS "customer_vendor/tabs/bank.html" %]
[% PROCESS "customer_vendor/tabs/shipto.html" %]
[% PROCESS "customer_vendor/tabs/contacts.html" %]
- [% IF ( SELF.cv.id && AUTH.assert('sales_all_edit', 1) ) %]
+ [% IF show_deliveries %]
[% PROCESS "customer_vendor/tabs/deliveries.html" %]
[% END %]
[% PROCESS "customer_vendor/tabs/vcnotes.html" %]