From: Bernd Bleßmann <bernd@kivitendo-premium.de>
Date: Mon, 7 Mar 2022 10:02:53 +0000 (+0100)
Subject: Recht: Ansehen von Einkaufsrechnungen berücksichtigen
X-Git-Tag: kivitendo-mebil_0.1-0~10^2~2^2~147^2~3
X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;ds=sidebyside;h=d53d7a0a5ddc16d962ae32326ad4a8f8bf871978;p=kivitendo-erp.git

Recht: Ansehen von Einkaufsrechnungen berücksichtigen
---

diff --git a/SL/AP.pm b/SL/AP.pm
index a77906c96..c2b5e6440 100644
--- a/SL/AP.pm
+++ b/SL/AP.pm
@@ -487,16 +487,16 @@ sub ap_transactions {
   # Permissions:
   # - Always return invoices & AP transactions for projects the employee has "view invoices" permissions for, no matter what the other rules say.
   # - Exclude AP transactions if no permissions for them exist.
-  # - Limit to own invoices unless may edit all invoices.
-  # - If may edit all, allow filtering by employee.
+  # - Limit to own invoices unless may edit all invoices or view invoices is allowed.
+  # - If may edit all or view invoices is allowed, allow filtering by employee.
   my (@permission_where, @permission_values);
 
-  if ($::auth->assert('vendor_invoice_edit', 1)) {
+  if ($::auth->assert('vendor_invoice_edit', 1) || $::auth->assert('purchase_invoice_view', 1)) {
     if (!$::auth->assert('show_ap_transactions', 1)) {
       push @permission_where, "NOT invoice = 'f'"; # remove ap transactions from Purchase -> Reports -> Invoices
     }
 
-    if (!$::auth->assert('purchase_all_edit', 1)) {
+    if (!$::auth->assert('purchase_all_edit', 1) && !$::auth->assert('purchase_invoice_view', 1)) {
       # only show own invoices
       push @permission_where,  "a.employee_id = ?";
       push @permission_values, SL::DB::Manager::Employee->current->id;
@@ -509,7 +509,7 @@ sub ap_transactions {
     }
   }
 
-  if (@permission_where || !$::auth->assert('vendor_invoice_edit', 1)) {
+  if (@permission_where || (!$::auth->assert('vendor_invoice_edit', 1) && !$::auth->assert('purchase_invoice_view', 1))) {
     my $permission_where_str = @permission_where ? "OR (" . join(" AND ", map { "($_)" } @permission_where) . ")" : "";
     $where .= qq|
       AND (   (a.globalproject_id IN (
diff --git a/bin/mozilla/ir.pl b/bin/mozilla/ir.pl
index cca6d12f1..1b9a782ad 100644
--- a/bin/mozilla/ir.pl
+++ b/bin/mozilla/ir.pl
@@ -56,9 +56,10 @@ use strict;
 # end of main
 
 sub _may_view_or_edit_this_invoice {
-  return 1 if  $::auth->assert('ap_transactions', 1); # may edit all invoices
-  return 0 if !$::form->{id};                         # creating new invoices isn't allowed without invoice_edit
-  return 0 if !$::form->{globalproject_id};           # existing records without a project ID are not allowed
+  return 1 if  $::auth->assert('ap_transactions', 1);       # may edit all invoices
+  return 0 if !$::form->{id};                               # creating new invoices isn't allowed without invoice_edit
+  return 1 if  $::auth->assert('purchase_invoice_view', 1); # viewing is allowed with this right
+  return 0 if !$::form->{globalproject_id};                 # existing records without a project ID are not allowed
   return SL::DB::Project->new(id => $::form->{globalproject_id})->load->may_employee_view_project_invoices(SL::DB::Manager::Employee->current);
 }