From: Bernd Bleßmann Date: Tue, 8 Mar 2022 15:46:56 +0000 (+0100) Subject: Recht: Ansehen von Lieferscheinen berücksichtigen (VK+EK/alter+neuer Controller) X-Git-Tag: kivitendo-mebil_0.1-0~10^2~2^2~147^2 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=2e19657a12d946c4e9cdd1466af1bbab992284ee;p=kivitendo-erp.git Recht: Ansehen von Lieferscheinen berücksichtigen (VK+EK/alter+neuer Controller) --- diff --git a/SL/Controller/DeliveryOrder.pm b/SL/Controller/DeliveryOrder.pm index 6d10bd1ed..c8075a688 100644 --- a/SL/Controller/DeliveryOrder.pm +++ b/SL/Controller/DeliveryOrder.pm @@ -58,6 +58,9 @@ use Rose::Object::MakeMethods::Generic __PACKAGE__->run_before('check_auth', except => [ qw(update_stock_information) ]); +__PACKAGE__->run_before('check_auth_for_edit', + except => [ qw(update_stock_information edit show_customer_vendor_details_dialog price_popup stock_in_out_dialog load_second_rows) ]); + __PACKAGE__->run_before('get_unalterable_data', only => [ qw(save save_as_new save_and_delivery_order save_and_invoice save_and_ap_transaction print send_email) ]); @@ -1223,7 +1226,13 @@ sub init_part_picker_classification_ids { sub check_auth { my ($self) = @_; - $::auth->assert($self->type_data->access || 'DOES_NOT_EXIST'); + $::auth->assert($self->type_data->access('view') || 'DOES_NOT_EXIST'); +} + +sub check_auth_for_edit { + my ($self) = @_; + + $::auth->assert($self->type_data->access('edit') || 'DOES_NOT_EXIST'); } # build the selection box for contacts @@ -1782,6 +1791,7 @@ sub setup_edit_action_bar { my ($self, %params) = @_; my $deletion_allowed = $self->type_data->show_menu("delete"); + my $may_edit_create = $::auth->assert($self->type_data->access('edit') || 'DOES_NOT_EXIST', 1); for my $bar ($::request->layout->get('actionbar')) { $bar->add( 
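Review bot: `update_stock_information` is excluded from both `check_auth` and the new `check_auth_for_edit` filter, so neither right is asserted before that action runs. Its body is not part of this diff, so whether it checks access itself or writes anything needs confirming. The other exempt actions (`edit`, `show_customer_vendor_details_dialog`, `price_popup`, `stock_in_out_dialog`, `load_second_rows`) are presumably read-only; a comment above the list such as `# read-only actions: the 'view' right from check_auth is sufficient` would record that as the criterion for adding to it. Keeping the list as `except` rather than `only` is the safer direction, because a newly added action then requires the edit right by default.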
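Review bot: `$may_edit_create` in `setup_edit_action_bar` only decides how the buttons are drawn; the actual enforcement is the `check_auth_for_edit` filter, and the new line should say so, e.g. `# presentation only; check_auth_for_edit enforces the right on the server`. The expression also repeats the one in `check_auth_for_edit`, so the two can drift apart. The ternary with `t8('You do not have the permissions to access this function.')` is repeated on every action in this and the following hunks of the same sub; computing it once, `my $no_edit_msg = $may_edit_create ? undef : t8('You do not have the permissions to access this function.');`, and using `disabled => $no_edit_msg` where it is the only condition would shorten the list. The body of the sub continues outside this hunk.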
@@ -1791,11 +1801,13 @@ sub setup_edit_action_bar { call => [ 'kivi.DeliveryOrder.save', 'save', $::instance_conf->get_order_warn_duplicate_parts, $::instance_conf->get_order_warn_no_deliverydate, ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save as new'), call => [ 'kivi.DeliveryOrder.save', 'save_as_new', $::instance_conf->get_order_warn_duplicate_parts ], - disabled => $self->type eq 'supplier_delivery_order' ? t8('Need a workflow for Supplier Delivery Order') + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $self->type eq 'supplier_delivery_order' ? t8('Need a workflow for Supplier Delivery Order') : !$self->order->id ? t8('This object has not been saved yet.') : undef, ], 
@@ -1809,21 +1821,25 @@ sub setup_edit_action_bar { t8('Save and Quotation'), submit => [ '#order_form', { action => "DeliveryOrder/sales_quotation" } ], only_if => $self->type_data->show_menu("save_and_quotation"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and RFQ'), submit => [ '#order_form', { action => "DeliveryOrder/request_for_quotation" } ], only_if => $self->type_data->show_menu("save_and_rfq"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Sales Order'), submit => [ '#order_form', { action => "DeliveryOrder/sales_order" } ], only_if => $self->type_data->show_menu("save_and_sales_order"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Purchase Order'), call => [ 'kivi.DeliveryOrder.purchase_order_check_for_direct_delivery' ], only_if => $self->type_data->show_menu("save_and_purchase_order"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Delivery Order'), 
@@ -1831,16 +1847,19 @@ sub setup_edit_action_bar { $::instance_conf->get_order_warn_no_deliverydate, ], only_if => $self->type_data->show_menu("save_and_delivery_order"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Invoice'), call => [ 'kivi.DeliveryOrder.save', 'save_and_invoice', $::instance_conf->get_order_warn_duplicate_parts ], only_if => $self->type_data->show_menu("save_and_invoice"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and AP Transaction'), call => [ 'kivi.DeliveryOrder.save', 'save_and_ap_transaction', $::instance_conf->get_order_warn_duplicate_parts ], only_if => $self->type_data->show_menu("save_and_ap_transaction"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], ], # end of combobox "Workflow" @@ -1854,12 +1873,14 @@ sub setup_edit_action_bar { call => [ 'kivi.DeliveryOrder.save', 'preview_pdf', $::instance_conf->get_order_warn_duplicate_parts, $::instance_conf->get_order_warn_no_deliverydate, ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and print'), call => [ 'kivi.DeliveryOrder.show_print_options', $::instance_conf->get_order_warn_duplicate_parts, $::instance_conf->get_order_warn_no_deliverydate, ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and E-mail'), 
@@ -1867,12 +1888,16 @@ sub setup_edit_action_bar { call => [ 'kivi.DeliveryOrder.save', 'save_and_show_email_dialog', $::instance_conf->get_order_warn_duplicate_parts, $::instance_conf->get_order_warn_no_deliverydate, ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') + : undef, ], action => [ t8('Download attachments of all parts'), call => [ 'kivi.File.downloadOrderitemsFiles', $::form->{type}, $::form->{id} ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') + : undef, only_if => $::instance_conf->get_doc_storage, ], ], # end of combobox "Export" @@ -1882,7 +1907,8 @@ sub setup_edit_action_bar { id => 'delete_action', call => [ 'kivi.DeliveryOrder.delete_order' ], confirm => $::locale->text('Do you really want to delete this object?'), - disabled => !$self->order->id ? t8('This object has not been saved yet.') + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') : $self->order->delivered ? t8('The parts for this order have already been transferred') : undef, only_if => $self->type_data->show_menu("delete"), 
@@ -1893,7 +1919,8 @@ sub setup_edit_action_bar { t8('Transfer out'), id => 'transfer_out_action', call => [ 'kivi.DeliveryOrder.save', 'transfer_stock' ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') : $self->order->delivered ? t8('The parts for this order have already been transferred') : undef, only_if => $self->type_data->properties('transfer') eq 'out', @@ -1903,7 +1930,8 @@ sub setup_edit_action_bar { t8('Transfer in'), id => 'transfer_in_action', call => [ 'kivi.DeliveryOrder.save', 'transfer_stock' ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') : $self->order->delivered ? t8('The parts for this order have already been transferred') : undef, only_if => $self->type_data->properties('transfer') eq 'in', diff --git a/SL/Controller/DeliveryOrder/TypeData.pm b/SL/Controller/DeliveryOrder/TypeData.pm index 4aa29251d..0650e08b3 100644 --- a/SL/Controller/DeliveryOrder/TypeData.pm +++ b/SL/Controller/DeliveryOrder/TypeData.pm @@ -51,7 +51,8 @@ sub properties { } sub access { - get($_[0]->c->type, "right"); + my ($self, $string) = @_; + get3($_[0]->c->type, "rights", $string); } sub is_quotation { diff --git a/SL/Controller/TopQuickSearch/PurchaseDeliveryOrder.pm b/SL/Controller/TopQuickSearch/PurchaseDeliveryOrder.pm index 0c26dd101..e5613609e 100644 --- a/SL/Controller/TopQuickSearch/PurchaseDeliveryOrder.pm +++ b/SL/Controller/TopQuickSearch/PurchaseDeliveryOrder.pm 
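Review bot: In `SL/Controller/DeliveryOrder/TypeData.pm`, `access` unpacks `$self` and `$string` but then reads `$_[0]`, and nothing checks that an argument was passed; prefer `my ($self, $kind) = @_; get3($self->c->type, "rights", $kind);`. A caller that still invokes `->access` with no argument would look up an undefined key under `rights`. The two callers visible in this commit append `|| 'DOES_NOT_EXIST'`, which presumably fails closed, but that depends on how `get3` treats an undefined key, which is not shown here. The hunk also does not show `get3` being added to this module's imports, so that is worth checking.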
@@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::DeliveryOrder); use SL::Locale::String qw(t8); -sub auth { 'purchase_delivery_order_edit' } +sub auth { 'purchase_delivery_order_edit | purchase_delivery_order_edit' } sub name { 'purchase_delivery_order' } diff --git a/SL/Controller/TopQuickSearch/SalesDeliveryOrder.pm b/SL/Controller/TopQuickSearch/SalesDeliveryOrder.pm index 4895b882d..073a9c29e 100644 --- a/SL/Controller/TopQuickSearch/SalesDeliveryOrder.pm +++ b/SL/Controller/TopQuickSearch/SalesDeliveryOrder.pm @@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::DeliveryOrder); use SL::Locale::String qw(t8); -sub auth { 'sales_delivery_order_edit' } +sub auth { 'sales_delivery_order_edit | sales_delivery_order_view' } sub name { 'sales_delivery_order' } diff --git a/SL/DB/DeliveryOrder/TypeData.pm b/SL/DB/DeliveryOrder/TypeData.pm index 141085acb..8b523fb5a 100644 --- a/SL/DB/DeliveryOrder/TypeData.pm +++ b/SL/DB/DeliveryOrder/TypeData.pm @@ -47,7 +47,10 @@ my %type_data = ( transnumber => 'sdonumber', }, part_classification_query => [ "used_for_sale" => 1 ], - right => "sales_delivery_order_edit", + rights => { + edit => "sales_delivery_order_edit", + view => "sales_delivery_order_edit | sales_delivery_order_view", + }, }, PURCHASE_DELIVERY_ORDER_TYPE() => { text => { @@ -76,7 +79,10 @@ my %type_data = ( transnumber => 'pdonumber', }, part_classification_query => [ "used_for_purchase" => 1 ], - right => "purchase_delivery_order_edit", + rights => { + edit => "purchase_delivery_order_edit", + view => "purchase_delivery_order_edit | purchase_delivery_order_view", + }, }, SUPPLIER_DELIVERY_ORDER_TYPE() => { text => { 
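Review bot: The new `auth` string in `TopQuickSearch/PurchaseDeliveryOrder.pm` names `purchase_delivery_order_edit` on both sides of `|`, so a user holding only `purchase_delivery_order_view` still cannot use this quick search. The sales counterpart in the next file and the `rights` entries in `SL/DB/DeliveryOrder/TypeData.pm` all use the `..._edit | ..._view` form. The line should read `sub auth { 'purchase_delivery_order_edit | purchase_delivery_order_view' }`. The mistake fails closed, so it withholds access rather than granting it.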
@@ -105,7 +111,10 @@ my %type_data = ( transnumber => 'sudonumber', }, part_classification_query => [ "used_for_purchase" => 1 ], - right => "purchase_delivery_order_edit", + rights => { + edit => "purchase_delivery_order_edit", + view => "purchase_delivery_order_edit | purchase_delivery_order_view", + }, }, RMA_DELIVERY_ORDER_TYPE() => { text => { @@ -134,7 +143,10 @@ my %type_data = ( transnumber => 'rdonumber', }, part_classification_query => [ "used_for_sale" => 1 ], - right => "sales_delivery_order_edit", + rights => { + edit => "sales_delivery_order_edit", + view => "sales_delivery_order_edit | sales_delivery_order_view", + }, }, ); diff --git a/SL/DO.pm b/SL/DO.pm index ac3f34bd9..ebc605159 100644 --- a/SL/DO.pm +++ b/SL/DO.pm @@ -134,7 +134,8 @@ sub transactions { push @where, "dord.$item = ?"; push @values, conv_i($form->{$item}); } - if ( !(($vc eq 'customer' && $main::auth->assert('sales_all_edit', 1)) || ($vc eq 'vendor' && $main::auth->assert('purchase_all_edit', 1))) ) { + if ( !( ($vc eq 'customer' && ($main::auth->assert('sales_all_edit', 1) || $main::auth->assert('sales_delivery_order_view', 1))) + || ($vc eq 'vendor' && ($main::auth->assert('purchase_all_edit', 1) || $main::auth->assert('purchase_delivery_order_view', 1))) ) ) { push @where, qq|dord.employee_id = (select id from employee where login= ?)|; push @values, $::myconfig{login}; } diff --git a/bin/mozilla/do.pl b/bin/mozilla/do.pl index 9b5943f5b..581ec5b37 100644 --- a/bin/mozilla/do.pl +++ b/bin/mozilla/do.pl 
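Review bot: In `SL/DO.pm`, the new condition lets `sales_delivery_order_view` (and `purchase_delivery_order_view` for vendors) lift the `dord.employee_id` restriction, which previously only `sales_all_edit` / `purchase_all_edit` did. A user with the view right therefore lists every employee's delivery orders, while a user with only `sales_delivery_order_edit` is still limited to their own, so the read-only right ends up broader than the edit right. If that is intended, a comment above the `if` should say so, e.g. `# the view right deliberately covers all employees' delivery orders`. If the view right was meant to follow the per-employee rule, the two added `assert` calls should be dropped. `transactions` continues outside this hunk, and whether opening a single delivery order by id applies the same restriction is not visible here.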
@@ -57,10 +57,17 @@ use strict; # end of main +sub check_do_access_for_edit { + validate_type($::form->{type}); + + my $right = SL::DB::DeliveryOrder::TypeData::get3($::form->{type}, "rights", "edit"); + $main::auth->assert($right); +} + sub check_do_access { validate_type($::form->{type}); - my $right = SL::DB::DeliveryOrder::TypeData::get($::form->{type}, "right"); + my $right = SL::DB::DeliveryOrder::TypeData::get3($::form->{type}, "rights", "view"); $main::auth->assert($right); } @@ -90,7 +97,7 @@ sub set_headings { sub add { $main::lxdebug->enter_sub(); - check_do_access(); + check_do_access_for_edit(); if (($::form->{type} =~ /purchase/) && !$::instance_conf->get_allow_new_purchase_invoice) { $::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")); @@ -254,11 +261,15 @@ sub setup_do_action_bar { if (ref $undo_date eq 'DateTime' && ref $insertdate eq 'DateTime') { $undo_transfer = $insertdate > $undo_date; } + + my $may_edit_create = $::auth->assert(SL::DB::DeliveryOrder::TypeData::get3($::form->{type}, "rights", "edit"), 1); + for my $bar ($::request->layout->get('actionbar')) { $bar->add( action => [ t8('Update'), submit => [ '#form', { action => "update" } ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, id => 'update_button', accesskey => 'enter', ], 
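Review bot: Any handler in `bin/mozilla/do.pl` that still calls `check_do_access()` becomes reachable with only the view right, because this hunk changes that function to assert `view`. The commit switches `add`, `save`, `delete`, `delete_transfers` and `save_as_new` to `check_do_access_for_edit`, but `setup_do_action_bar` also disables `update`, `mark_closed`, `transfer_out`, `transfer_in` and the two `_default` variants for users without the edit right, and no hunk touches those handlers. A disabled button is not enforcement, so each of those handlers that changes state should be confirmed to start with `check_do_access_for_edit();`. Unlike the controller's `check_auth_for_edit`, the lookups here and in `setup_do_action_bar` have no `|| 'DOES_NOT_EXIST'` fallback, so it is worth confirming what `$main::auth->assert` does when `get3` returns nothing.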
@@ -268,20 +279,24 @@ sub setup_do_action_bar { t8('Save'), submit => [ '#form', { action => "save" } ], checks => [ 'kivi.validate_form' ], - disabled => $::form->{delivered} ? t8('This record has already been delivered.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $::form->{delivered} ? t8('This record has already been delivered.') + : undef, ], action => [ t8('Save as new'), submit => [ '#form', { action => "save_as_new" } ], checks => [ 'kivi.validate_form' ], - disabled => !$::form->{id}, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$::form->{id}, ], action => [ t8('Mark as closed'), submit => [ '#form', { action => "mark_closed" } ], checks => [ 'kivi.validate_form' ], confirm => t8('This will remove the delivery order from showing as open even if contents are not delivered. Proceed?'), - disabled => !$::form->{id} ? t8('This record has not been saved yet.') + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$::form->{id} ? t8('This record has not been saved yet.') : $::form->{closed} ? t8('This record has already been closed.') : undef, ], 
@@ -291,7 +306,8 @@ sub setup_do_action_bar { t8('Delete'), submit => [ '#form', { action => "delete" } ], confirm => t8('Do you really want to delete this object?'), - disabled => !$::form->{id} ? t8('This record has not been saved yet.') + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$::form->{id} ? t8('This record has not been saved yet.') : $::form->{delivered} ? t8('This record has already been delivered.') : ($::form->{vc} eq 'customer' && !$::instance_conf->get_sales_delivery_order_show_delete) ? t8('Deleting this type of record has been disabled in the configuration.') : ($::form->{vc} eq 'vendor' && !$::instance_conf->get_purchase_delivery_order_show_delete) ? t8('Deleting this type of record has been disabled in the configuration.') 
@@ -303,28 +319,36 @@ sub setup_do_action_bar { t8('Transfer out'), submit => [ '#form', { action => "transfer_out" } ], checks => [ 'kivi.validate_form', @transfer_qty ], - disabled => $::form->{delivered} ? t8('This record has already been delivered.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $::form->{delivered} ? t8('This record has already been delivered.') + : undef, only_if => $is_customer, ], action => [ t8('Transfer out via default'), submit => [ '#form', { action => "transfer_out_default" } ], checks => [ 'kivi.validate_form' ], - disabled => $::form->{delivered} ? t8('This record has already been delivered.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $::form->{delivered} ? t8('This record has already been delivered.') + : undef, only_if => $is_customer && $::instance_conf->get_transfer_default, ], action => [ t8('Transfer in'), submit => [ '#form', { action => "transfer_in" } ], checks => [ 'kivi.validate_form', @transfer_qty ], - disabled => $::form->{delivered} ? t8('This record has already been delivered.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $::form->{delivered} ? t8('This record has already been delivered.') + : undef, only_if => !$is_customer, ], action => [ t8('Transfer in via default'), submit => [ '#form', { action => "transfer_in_default" } ], checks => [ 'kivi.validate_form' ], - disabled => $::form->{delivered} ? t8('This record has already been delivered.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $::form->{delivered} ? t8('This record has already been delivered.') + : undef, only_if => !$is_customer && $::instance_conf->get_transfer_default, ], action => [ 
@@ -332,7 +356,9 @@ sub setup_do_action_bar { submit => [ '#form', { action => "delete_transfers" } ], checks => [ 'kivi.validate_form' ], only_if => $::form->{delivered}, - disabled => !$undo_transfer ? t8('Transfer date exceeds the maximum allowed interval.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$undo_transfer ? t8('Transfer date exceeds the maximum allowed interval.') + : undef, ], ], # end of combobox "Transfer out" @@ -353,14 +379,17 @@ sub setup_do_action_bar { action => [ t8('Export') ], action => [ t8('Print'), - call => [ 'kivi.SalesPurchase.show_print_dialog' ], - checks => [ 'kivi.validate_form' ], + call => [ 'kivi.SalesPurchase.show_print_dialog' ], + checks => [ 'kivi.validate_form' ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('E Mail'), call => [ 'kivi.SalesPurchase.show_email_dialog' ], checks => [ 'kivi.validate_form' ], - disabled => !$::form->{id} ? t8('This record has not been saved yet.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$::form->{id} ? t8('This record has not been saved yet.') + : undef, ], ], # end of combobox "Export" @@ -913,7 +942,7 @@ sub save { my (%params) = @_; - check_do_access(); + check_do_access_for_edit(); my $form = $main::form; my %myconfig = %main::myconfig; @@ -995,7 +1024,7 @@ sub save { sub delete { $main::lxdebug->enter_sub(); - check_do_access(); + check_do_access_for_edit(); my $form = $main::form; my %myconfig = %main::myconfig; @@ -1021,7 +1050,7 @@ sub delete { sub delete_transfers { $main::lxdebug->enter_sub(); - check_do_access(); + check_do_access_for_edit(); my $form = $main::form; my %myconfig = %main::myconfig; @@ -1275,7 +1304,7 @@ sub invoice_multi { sub save_as_new { $main::lxdebug->enter_sub(); - check_do_access(); + check_do_access_for_edit(); my $form = $main::form; 
diff --git a/menus/user/00-erp.yaml b/menus/user/00-erp.yaml index ecaaa3185..10d356b1b 100644 --- a/menus/user/00-erp.yaml +++ b/menus/user/00-erp.yaml @@ -295,7 +295,7 @@ name: Delivery Orders icon: delivery_order_report order: 400 - access: sales_delivery_order_edit + access: sales_delivery_order_edit | sales_delivery_order_view module: do.pl params: action: search @@ -465,7 +465,7 @@ id: ap_reports_delivery_orders name: Delivery Orders order: 300 - access: purchase_delivery_order_edit + access: purchase_delivery_order_edit | purchase_delivery_order_view module: do.pl params: action: search @@ -474,7 +474,7 @@ id: ap_reports_supplier_delivery_orders name: Supplier Delivery Orders order: 350 - access: purchase_delivery_order_edit + access: purchase_delivery_order_edit | purchase_delivery_order_view module: do.pl params: action: search