From: Bernd Bleßmann Date: Wed, 2 Mar 2022 15:17:54 +0000 (+0100) Subject: Recht: Ansehen von Belegen bei Angebot und Auftrag berücksichtigen X-Git-Tag: kivitendo-mebil_0.1-0~10^2~2^2~147^2~9 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=3ad96f211f51589c061900f0dfad4cd1daedd2f6;p=kivitendo-erp.git Recht: Ansehen von Belegen bei Angebot und Auftrag berücksichtigen Ansehen nur im neuen Auftrags-Controller
---
diff --git a/SL/Controller/Order.pm b/SL/Controller/Order.pm
index 6571eecf8..87a9e9cf4 100644
--- a/SL/Controller/Order.pm
+++ b/SL/Controller/Order.pm
@@ -56,6 +56,9 @@ use Rose::Object::MakeMethods::Generic
 # safety
 __PACKAGE__->run_before('check_auth');
+__PACKAGE__->run_before('check_auth_save',
+ except => [ qw(edit show_customer_vendor_details_dialog price_popup load_second_rows) ]);
+
 __PACKAGE__->run_before('recalc', only => [ qw(save save_as_new save_and_delivery_order save_and_invoice save_and_invoice_for_advance_payment save_and_final_invoice save_and_ap_transaction print send_email) ]);
@@ -1370,6 +1373,17 @@ sub init_part_picker_classification_ids {
 sub check_auth {
 my ($self) = @_;
+ my $right_for = { map { $_ => $_.'_edit' . ' | ' . $_.'_view' } @{$self->valid_types} };
+
+ my $right = $right_for->{ $self->type };
+ $right ||= 'DOES_NOT_EXIST';
+
+ $::auth->assert($right);
+}
+
+sub check_auth_save {
+ my ($self) = @_;
+
 my $right_for = { map { $_ => $_.'_edit' } @{$self->valid_types} };
 my $right = $right_for->{ $self->type };
@@ -2018,6 +2032,11 @@ sub setup_edit_action_bar {
 $has_final_invoice = any {'SL::DB::Invoice' eq ref $_ && "final_invoice" eq $_->type} @$lr;
 }
+ my $right_for = { map { $_ => $_.'_edit' } @{$self->valid_types} };
+ my $right = $right_for->{ $self->type };
+ $right ||= 'DOES_NOT_EXIST';
+
+ if ($::auth->assert($right, 1)) {
 for my $bar ($::request->layout->get('actionbar')) {
 $bar->add(
 combobox => [
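Review bot: The `except` list on the new `run_before('check_auth_save', ...)` hook is the whole boundary between the view right and the edit right, and nothing in the hunk says what qualifies an action for it. Because it is an exclusion list, any action added later requires `_edit` by default, which fails closed and is the right shape; the remaining risk is an exempted action acquiring a write side effect later without anyone revisiting this line. I would put a comment directly above the hook, for example `# Actions listed here are reachable with only the *_view right and must stay read-only.` Whether `edit`, `price_popup` and `load_second_rows` are free of writes today is not visible in this hunk and is worth confirming before merge.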
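Review bot: The right lookup (the `$right_for` map, `$self->type`, the `'DOES_NOT_EXIST'` fallback) is now written out in `check_auth`, in `check_auth_save`, and a third time in `setup_edit_action_bar` further down; three hand-copied authorization expressions tend to drift apart, and here a drift silently widens or narrows access. A single private helper that returns the expression for the current type would keep the deny-by-default fallback in one place, and the other two call sites reduce to `my $right = $self->_right_for_type;`. The body of `check_auth_save` continues outside this hunk, so the sketch below leaves it open.

```perl
# Right expression for the current order type; unknown or missing types map
# to a right that does not exist, so assert() denies them.
sub _right_for_type {
  my ($self, %params) = @_;

  my $type = $self->type // '';
  return 'DOES_NOT_EXIST' unless grep { $_ eq $type } @{ $self->valid_types };

  return $params{with_view} ? "${type}_edit | ${type}_view" : "${type}_edit";
}

sub check_auth {
  my ($self) = @_;

  $::auth->assert($self->_right_for_type(with_view => 1));
}

sub check_auth_save {
  my ($self) = @_;

  my $right = $self->_right_for_type;
  # … unchanged: fallback and assert, which continue outside the hunk …
```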
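Review bot: `if ($::auth->assert($right, 1)) {` uses `assert` as a boolean, which is only correct if the second argument makes it return instead of aborting the request; that behaviour is not visible in this hunk, so the line deserves a comment such as `# second argument: do not abort, only report whether the user holds the edit right`. It would also help to state there that hiding the buttons is presentation only and that the `check_auth_save` hook is what actually rejects the actions, so nobody later treats this `if` as the enforcement point. The block opened here is closed in a later hunk of `setup_edit_action_bar` and its body is not re-indented, which makes it hard to see which action-bar entries are inside the guard.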
@@ -2164,6 +2183,12 @@ sub setup_edit_action_bar {
 only_if => $deletion_allowed,
 ],
+ );
+ }
+ }
+
+ for my $bar ($::request->layout->get('actionbar')) {
+ $bar->add(
 combobox => [
 action => [
 t8('more')
@@ -2182,6 +2207,7 @@ sub setup_edit_action_bar {
 ], # end of combobox "more"
 );
 }
+
 }
 sub generate_doc {
diff --git a/SL/Controller/TopQuickSearch/PurchaseOrder.pm b/SL/Controller/TopQuickSearch/PurchaseOrder.pm
index 4013c8a9e..f64fb8366 100644
--- a/SL/Controller/TopQuickSearch/PurchaseOrder.pm
+++ b/SL/Controller/TopQuickSearch/PurchaseOrder.pm
@@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord);
 use SL::Locale::String qw(t8);
-sub auth { 'purchase_order_edit' }
+sub auth { 'purchase_order_edit | purchase_order_view' }
 sub name { 'purchase_order' }
diff --git a/SL/Controller/TopQuickSearch/RequestForQuotation.pm b/SL/Controller/TopQuickSearch/RequestForQuotation.pm
index 3b2adefd3..d9571008c 100644
--- a/SL/Controller/TopQuickSearch/RequestForQuotation.pm
+++ b/SL/Controller/TopQuickSearch/RequestForQuotation.pm
@@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord);
 use SL::Locale::String qw(t8);
-sub auth { 'request_quotation_edit' }
+sub auth { 'request_quotation_edit | request_quotation_view' }
 sub name { 'request_quotation' }
diff --git a/SL/Controller/TopQuickSearch/SalesOrder.pm b/SL/Controller/TopQuickSearch/SalesOrder.pm
index 1f5296ea2..8f91e6e08 100644
--- a/SL/Controller/TopQuickSearch/SalesOrder.pm
+++ b/SL/Controller/TopQuickSearch/SalesOrder.pm
@@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord);
 use SL::Locale::String qw(t8);
-sub auth { 'sales_order_edit' }
+sub auth { 'sales_order_edit | sales_order_view' }
 sub name { 'sales_order' }
diff --git a/SL/Controller/TopQuickSearch/SalesQuotation.pm b/SL/Controller/TopQuickSearch/SalesQuotation.pm
index 28ec9fd17..f7a6b777a 100644
--- a/SL/Controller/TopQuickSearch/SalesQuotation.pm
+++ b/SL/Controller/TopQuickSearch/SalesQuotation.pm
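Review bot: `sub auth` in `TopQuickSearch/PurchaseOrder.pm` now returns a right expression (`'purchase_order_edit | purchase_order_view'`) where it used to return a single right name, and the same change is made in `RequestForQuotation.pm`, `SalesOrder.pm` and `SalesQuotation.pm`. The code that consumes `auth` is not part of this diff, so it should be confirmed that it evaluates the value as an expression; if it compares or looks the string up as a literal right name, the module would presumably be denied to everyone. A one-line comment on each, e.g. `# right expression: edit or view is sufficient to search`, would record that the widening is intentional. The commit message says viewing is only supported in the new order controller, so it is also worth checking where a quick-search hit sends a view-only user.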
@@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord);
 use SL::Locale::String qw(t8);
-sub auth { 'sales_quotation_edit' }
+sub auth { 'sales_quotation_edit | sales_quotation_view' }
 sub name { 'sales_quotation' }
diff --git a/bin/mozilla/oe.pl b/bin/mozilla/oe.pl
index 96764ebdf..610215b42 100644
--- a/bin/mozilla/oe.pl
+++ b/bin/mozilla/oe.pl
@@ -84,10 +84,18 @@ my $oe_access_map = {
 'sales_quotation' => 'sales_quotation_edit',
 };
+my $oe_view_access_map = {
+ 'sales_order' => 'sales_order_edit | sales_order_view',
+ 'purchase_order' => 'purchase_order_edit | purchase_order_view',
+ 'request_quotation' => 'request_quotation_edit | request_quotation_view',
+ 'sales_quotation' => 'sales_quotation_edit | sales_quotation_view',
+};
+
 sub check_oe_access {
+ my (%params) = @_;
 my $form = $main::form;
- my $right = $oe_access_map->{$form->{type}};
+ my $right = ($params{with_view}) ? $oe_view_access_map->{$form->{type}} : $oe_access_map->{$form->{type}};
 $right ||= 'DOES_NOT_EXIST';
 $main::auth->assert($right);
@@ -926,7 +934,7 @@ sub search {
 my %myconfig = %main::myconfig;
 my $locale = $main::locale;
- check_oe_access();
+ check_oe_access(with_view => 1);
 if ($form->{type} eq 'purchase_order') {
 $form->{vc} = 'vendor';
@@ -1017,7 +1025,7 @@ sub orders {
 my $cgi = $::request->{cgi};
 my %params = @_;
- check_oe_access();
+ check_oe_access(with_view => 1);
 my $ordnumber = ($form->{type} =~ /_order$/) ? "ordnumber" : "quonumber";
diff --git a/menus/user/00-erp.yaml b/menus/user/00-erp.yaml
index 985b2cc2a..ecaaa3185 100644
--- a/menus/user/00-erp.yaml
+++ b/menus/user/00-erp.yaml
@@ -275,7 +275,7 @@
 name: Quotations
 icon: report_quotations
 order: 200
- access: sales_quotation_edit
+ access: sales_quotation_edit | sales_quotation_view
 module: oe.pl
 params:
 action: search
@@ -285,7 +285,7 @@
 name: Sales Orders
 icon: report_sales_orders
 order: 300
- access: sales_order_edit
+ access: sales_order_edit | sales_order_view
 module: oe.pl
 params:
 action: search
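Review bot: `check_oe_access` gains a `with_view` switch that widens the required right, but neither the sub nor the new `$oe_view_access_map` says when a caller may pass it. The default stays edit-only and an unknown `$form->{type}` still falls through to `'DOES_NOT_EXIST'` in both branches, so the change fails closed; the gap is that a future caller can add `with_view => 1` to an action that writes. A comment above the sub would cover it, e.g. `# with_view => 1 also admits holders of the *_view right; pass it only from actions that do not modify data.` The two callers changed in this file, `search` and `orders`, have bodies that extend beyond their hunks, so whether they are purely read-only cannot be judged from here. The second map repeats every key of `$oe_access_map`, so a type added to one and not the other would be denied in one mode only; deriving the view expression from the edit entry would avoid that.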
@@ -446,7 +446,7 @@
 name: RFQs
 icon: rfq_report
 order: 100
- access: request_quotation_edit
+ access: request_quotation_edit | request_quotation_view
 module: oe.pl
 params:
 action: search
@@ -456,7 +456,7 @@
 name: Purchase Orders
 icon: purchase_order_report
 order: 200
- access: purchase_order_edit
+ access: purchase_order_edit | purchase_order_view
 module: oe.pl
 params:
 action: search