From: Moritz Bunkus Date: Thu, 17 Dec 2020 10:37:25 +0000 (+0100) Subject: Kunden-/Lieferantenstammdaten: Berechtigungsmodell gefixt X-Git-Tag: kivitendo-mebil_0.1-0~9^2~541^2~2 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=3bb4190a48d58f5a598b659c27b9a5bf233aa54b;p=kivitendo-erp.git Kunden-/Lieferantenstammdaten: Berechtigungsmodell gefixt Neues Modell sieht wie folgt aus: 1. Alle Personen haben Leserechte auf alle Kunden- & Lieferantenstammdaten. Das betrifft nicht nur die Stammdatenmasken, sondern auch die AJAJ-Autovervollständigung (Kunden-/ Lieferanten-Picker) oder die Detail-Popup-Fenster in Einkaufs-/ Verkaufsbelegmasken. 2. Personen mit »edit«-Recht aber ohne »edit all«-Recht dürfen nur die eigenen Kundenstammdaten verändern (speichern/löschen), wobei »eigen« definiert ist als »aktuelle Person ist Verkäufer*in des Kunden«. Neue Kunden dürfen angelegt werden. Bei Lieferanten dürfen hingegen alle Stammdaten bearbeitet werden. 3. Personen mit »edit all«-Recht haben Vollzugriff auf alle Kunden- & Lieferantenstammdaten. --- diff --git a/SL/Auth.pm b/SL/Auth.pm index 82513b98d..33007a417 100644 --- a/SL/Auth.pm +++ b/SL/Auth.pm @@ -1229,6 +1229,15 @@ sub check_right { return $granted; } +sub deny_access { + my ($self) = @_; + + $::dispatcher->reply_with_json_error(error => 'access') if $::request->type eq 'json'; + + delete $::form->{title}; + $::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")); +} + sub assert { my ($self, $right, $dont_abort) = @_; @@ -1237,10 +1246,7 @@ sub assert { } if (!$dont_abort) { - $::dispatcher->reply_with_json_error(error => 'access') if $::request->type eq 'json'; - - delete $::form->{title}; - $::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")); + $self->deny_access; } return 0; diff --git a/SL/CT.pm b/SL/CT.pm index d8635b7af..031ef112d 100644 --- a/SL/CT.pm +++ b/SL/CT.pm 
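Review bot: `deny_access` becomes a public method of SL::Auth without any documentation, and its contract — it aborts the request instead of returning a value — is only visible from the way `assert` now calls it. A header comment would help the controller hook that calls it directly: `# Aborts the current request with an access-denied response: a JSON error when the request type is 'json', otherwise the generic HTML error page. Callers must not expect it to return.` The JSON branch relies on `reply_with_json_error` ending the request; if it ever returned, `show_generic_error` would run on top of the JSON reply, so confirm that and state it in the comment. The body of `assert` continues outside the second hunk.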
@@ -244,13 +244,6 @@ sub search { push @values, $form->{create_zugferd_invoices}; } - # Nur Kunden finden, bei denen ich selber der Verkäufer bin - # Gilt nicht für Lieferanten - if ($cv eq 'customer' && !$main::auth->assert('customer_vendor_all_edit', 1)) { - $where .= qq| AND ct.salesman_id = (select em.id from employee em where em.login = ?)|; - push(@values, $::myconfig{login}); - } - my ($cvar_where, @cvar_values) = CVar->build_filter_query('module' => 'CT', 'trans_id_field' => 'ct.id', 'filter' => $form); diff --git a/SL/Controller/Customer.pm b/SL/Controller/Customer.pm index d6ba13dc6..34c3fe72f 100644 --- a/SL/Controller/Customer.pm +++ b/SL/Controller/Customer.pm @@ -6,9 +6,6 @@ use parent qw(SL::Controller::Base); use SL::DB::Customer; use SL::JSON; -# safety -__PACKAGE__->run_before(sub { $::auth->assert('customer_vendor_edit') }); - sub action_get_hourly_rate { my ($self, %params) = @_; diff --git a/SL/Controller/CustomerVendor.pm b/SL/Controller/CustomerVendor.pm index e8f1c5a4a..0184cf203 100644 --- a/SL/Controller/CustomerVendor.pm +++ b/SL/Controller/CustomerVendor.pm @@ -41,16 +41,11 @@ use SL::DB::Order; use Data::Dumper; use Rose::Object::MakeMethods::Generic ( + scalar => [ qw(user_has_edit_rights) ], 'scalar --get_set_init' => [ qw(customer_models vendor_models zugferd_settings) ], ); # safety -__PACKAGE__->run_before( - sub { - $::auth->assert('customer_vendor_edit'); - }, - except => [ qw(ajaj_autocomplete) ], -); __PACKAGE__->run_before( '_instantiate_args', only => [ 
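Review bot: In the SL/Controller/CustomerVendor.pm hunk the `# safety` comment is left standing directly above `__PACKAGE__->run_before('_instantiate_args', ...)`, which is not an authorization hook, once the blanket `customer_vendor_edit` assert is removed. Either drop it here or move it to the `run_before('_check_auth')` registration further down, e.g. `# safety: _check_auth decides per action whether read access is enough or edit rights are required`. The new `user_has_edit_rights` accessor carries authorization state between hooks, so a short comment naming where it is set (`_may_access_action`) and where it is read (`_setup_form_action_bar`) would also help a reader.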
@@ -81,26 +76,7 @@ __PACKAGE__->run_before( ); # make sure this comes after _load_customer_vendor -__PACKAGE__->run_before( - '_check_customer_vendor_all_edit', - only => [ - 'edit', - 'show', - 'update', - 'delete', - 'save', - 'save_and_ap_transaction', - 'save_and_ar_transaction', - 'save_and_close', - 'save_and_invoice', - 'save_and_order', - 'save_and_quotation', - 'save_and_rfq', - 'delete', - 'delete_contact', - 'delete_shipto', - ] -); +__PACKAGE__->run_before('_check_auth'); __PACKAGE__->run_before( '_create_customer_vendor', @@ -656,7 +632,6 @@ sub action_ajaj_autocomplete { if (1 == scalar @{ $exact_matches = $manager->get_all( query => [ obsolete => 0, - (salesman_id => SL::DB::Manager::Employee->current->id) x !$::auth->assert('customer_vendor_all_edit', 1), or => [ name => { ilike => $::form->{filter}{'all:substr:multi::ilike'} }, $number => { ilike => $::form->{filter}{'all:substr:multi::ilike'} }, 
@@ -912,15 +887,31 @@ sub _load_customer_vendor { } } -sub _check_customer_vendor_all_edit { - my ($self) = @_; +sub _may_access_action { + my ($self, $action) = @_; - unless ($::auth->assert('customer_vendor_all_edit', 1)) { - die($::locale->text("You don't have the rights to edit this customer.") . "\n") - if $self->{cv}->is_customer and - SL::DB::Manager::Employee->current->id != $self->{cv}->salesman_id; - }; -}; + my $is_new = !$self->{cv} || !$self->{cv}->id; + my $is_own_customer = !$is_new + && $self->{cv}->is_customer + && (SL::DB::Manager::Employee->current->id == $self->{cv}->salesman_id); + my $has_edit_rights = $::auth->assert('customer_vendor_all_edit', 1); + $has_edit_rights ||= $::auth->assert('customer_vendor_edit', 1) && ($is_new || $is_own_customer); + my $needs_edit_rights = $action =~ m{^(?:add|save|delete|update)}; + + $self->user_has_edit_rights($has_edit_rights); + + return 1 if $has_edit_rights; + return 0 if $needs_edit_rights; + return 1; +} + +sub _check_auth { + my ($self, $action) = @_; + + if (!$self->_may_access_action($action)) { + $::auth->deny_access; + } +} sub _create_customer_vendor { my ($self) = @_; @@ -1075,6 +1066,10 @@ sub _pre_render { sub _setup_form_action_bar { my ($self) = @_; + my $no_rights = $self->user_has_edit_rights ? undef + : $self->{cv}->is_customer ? t8("You don't have the rights to edit this customer.") + : t8("You don't have the rights to edit this vendor."); + for my $bar ($::request->layout->get('actionbar')) { $bar->add( combobox => [ @@ -1083,11 +1078,13 @@ sub _setup_form_action_bar { submit => [ '#form', { action => "CustomerVendor/save" } ], checks => [ 'check_taxzone_and_ustid' ], accesskey => 'enter', + disabled => $no_rights, ], action => [ t8('Save and Close'), submit => [ '#form', { action => "CustomerVendor/save_and_close" } ], checks => [ 'check_taxzone_and_ustid' ], + disabled => $no_rights, ], ], # end of combobox "Save" 
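Review bot: `_may_access_action` denies a user who holds `customer_vendor_edit` but not `customer_vendor_all_edit` the editing of existing vendors, because `$is_own_customer` is false whenever `$self->{cv}->is_customer` is false, whereas the commit message states that vendors may be edited with plain edit rights and the removed `_check_customer_vendor_all_edit` only restricted customers. Replace the ownership test with `my $is_own_cv = !$is_new && (!$self->{cv}->is_customer || (SL::DB::Manager::Employee->current->id == $self->{cv}->salesman_id));` and use `$is_own_cv` in place of `$is_own_customer`. The check also treats a missing `$self->{cv}` as "new", so the hook registered as `__PACKAGE__->run_before('_check_auth')` in the earlier hunk enforces ownership only for actions on which `_load_customer_vendor` has already run; confirm its `only` list covers every action matched by `m{^(?:add|save|delete|update)}`, in particular `delete_contact` and `delete_shipto`. Finally, that prefix regex is the sole classifier of mutating actions, so a future write action whose name does not start with one of those four words is allowed with read rights by default; a comment saying so, or an explicit list, would make that default visible.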
@@ -1097,31 +1094,37 @@ sub _setup_form_action_bar { t8('Save and AP Transaction'), submit => [ '#form', { action => "CustomerVendor/save_and_ap_transaction" } ], checks => [ 'check_taxzone_and_ustid' ], + disabled => $no_rights, ]) x !!$self->is_vendor, (action => [ t8('Save and AR Transaction'), submit => [ '#form', { action => "CustomerVendor/save_and_ar_transaction" } ], checks => [ 'check_taxzone_and_ustid' ], + disabled => $no_rights, ]) x !$self->is_vendor, action => [ t8('Save and Invoice'), submit => [ '#form', { action => "CustomerVendor/save_and_invoice" } ], checks => [ 'check_taxzone_and_ustid' ], + disabled => $no_rights, ], action => [ t8('Save and Order'), submit => [ '#form', { action => "CustomerVendor/save_and_order" } ], checks => [ 'check_taxzone_and_ustid' ], + disabled => $no_rights, ], (action => [ t8('Save and RFQ'), submit => [ '#form', { action => "CustomerVendor/save_and_rfq" } ], checks => [ 'check_taxzone_and_ustid' ], + disabled => $no_rights, ]) x !!$self->is_vendor, (action => [ t8('Save and Quotation'), submit => [ '#form', { action => "CustomerVendor/save_and_quotation" } ], checks => [ 'check_taxzone_and_ustid' ], + disabled => $no_rights, ]) x !$self->is_vendor, ], # end of combobox "Workflow" @@ -1131,7 +1134,7 @@ sub _setup_form_action_bar { confirm => t8('Do you really want to delete this object?'), disabled => !$self->{cv}->id ? t8('This object has not been saved yet.') : !$self->is_orphaned ? t8('This object has already been used.') - : undef, + : $no_rights, ], 'separator', @@ -1214,9 +1217,6 @@ sub init_customer_models { }, customernumber => t8('Customer Number'), }, - query => [ - ( salesman_id => SL::DB::Manager::Employee->current->id) x !$::auth->assert('customer_vendor_all_edit', 1), - ], ); } diff --git a/SL/Controller/TopQuickSearch/Contact.pm b/SL/Controller/TopQuickSearch/Contact.pm index b3e0d9ed4..e0e915d91 100644 --- a/SL/Controller/TopQuickSearch/Contact.pm +++ b/SL/Controller/TopQuickSearch/Contact.pm 
@@ -8,7 +8,7 @@ use SL::DB::Vendor; use SL::DBUtils qw(selectfirst_array_query like); use SL::Locale::String qw(t8); -sub auth { 'customer_vendor_edit' } +sub auth { undef } sub name { 'contact' } diff --git a/SL/Controller/TopQuickSearch/Customer.pm b/SL/Controller/TopQuickSearch/Customer.pm index 8b7e8ae88..b7c5b391b 100644 --- a/SL/Controller/TopQuickSearch/Customer.pm +++ b/SL/Controller/TopQuickSearch/Customer.pm @@ -6,7 +6,7 @@ use SL::DB::Customer; use SL::Locale::String qw(t8); -sub auth { 'customer_vendor_edit' } +sub auth { undef } sub name { 'customer' } diff --git a/SL/Controller/TopQuickSearch/Vendor.pm b/SL/Controller/TopQuickSearch/Vendor.pm index 124530af0..34e7323d6 100644 --- a/SL/Controller/TopQuickSearch/Vendor.pm +++ b/SL/Controller/TopQuickSearch/Vendor.pm @@ -6,7 +6,7 @@ use SL::DB::Vendor; use SL::Locale::String qw(t8); -sub auth { 'customer_vendor_edit' } +sub auth { undef } sub name { 'vendor' } diff --git a/bin/mozilla/ct.pl b/bin/mozilla/ct.pl index 87eb0d8f6..8d111532b 100644 --- a/bin/mozilla/ct.pl +++ b/bin/mozilla/ct.pl @@ -76,8 +76,6 @@ sub _zugferd_settings { sub search { $main::lxdebug->enter_sub(); - $main::auth->assert('customer_vendor_edit'); - my $form = $main::form; my $locale = $main::locale; @@ -107,7 +105,6 @@ sub search { sub search_contact { $::lxdebug->enter_sub; - $::auth->assert('customer_vendor_edit'); $::form->{CUSTOM_VARIABLES} = CVar->get_configs('module' => 'Contacts'); ($::form->{CUSTOM_VARIABLES_FILTER_CODE}, @@ -128,8 +125,6 @@ sub search_contact { sub list_names { $main::lxdebug->enter_sub(); - $main::auth->assert('customer_vendor_edit'); - my $form = $main::form; my %myconfig = %main::myconfig; my $locale = $main::locale; @@ -339,7 +334,6 @@ sub list_names { sub list_contacts { $::lxdebug->enter_sub; - $::auth->assert('customer_vendor_edit'); $::form->{sortdir} = 1 unless defined $::form->{sortdir}; diff --git a/locale/de/all b/locale/de/all index b65e8a5af..df16a8f58 100755 --- a/locale/de/all 
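Review bot: `sub auth { undef }` turns the hook from "requires this right" into a false value, and the Customer.pm and Vendor.pm hunks that follow do the same. Whether the quick-search dispatcher treats a false `auth` as "no right required" or as "entry not available" is not visible here; confirm the consumer and document the intent at the definition, e.g. `sub auth { undef }   # read access to master data is open to every user`.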
+++ b/locale/de/all @@ -4058,6 +4058,7 @@ $self->{texts} = { 'You do not have permission to access this entry.' => 'Sie verfügen nicht über die Berechtigung, auf diesen Eintrag zuzugreifen.', 'You do not have the permissions to access this function.' => 'Sie verfügen nicht über die notwendigen Rechte, um auf diese Funktion zuzugreifen.', 'You don\'t have the rights to edit this customer.' => 'Sie verfügen nicht über die erforderlichen Rechte, um diesen Kunden zu bearbeiten.', + 'You don\'t have the rights to edit this vendor.' => 'Sie verfügen nicht über die erforderlichen Rechte, um diesen Lieferanten zu bearbeiten.', 'You have changed the currency or exchange rate. Please check prices.' => 'Die Währung oder der Wechselkurs hat sich geändert. Bitte überprüfen Sie die Preise.', 'You have entered or selected the following shipping address for this customer:' => 'Sie haben die folgende Lieferadresse eingegeben oder ausgewählt:', 'You have never worked with currencies.' => 'Sie haben noch nie mit Währungen gearbeitet.', diff --git a/menus/user/00-erp.yaml b/menus/user/00-erp.yaml index aa038df72..118d8fc11 100644 --- a/menus/user/00-erp.yaml +++ b/menus/user/00-erp.yaml @@ -34,7 +34,7 @@ name: Add Customer icon: customer_add order: 100 - access: customer_vendor_edit + access: customer_vendor_edit|customer_vendor_all_edit params: action: CustomerVendor/add db: customer @@ -43,7 +43,7 @@ name: Add Vendor icon: vendor_add order: 200 - access: customer_vendor_edit + access: customer_vendor_edit|customer_vendor_all_edit params: action: CustomerVendor/add db: vendor @@ -121,7 +121,6 @@ name: Customers icon: customer_report order: 100 - access: customer_vendor_edit params: action: CustomerVendor/search db: customer @@ -130,7 +129,6 @@ name: Vendors icon: vendor_report order: 200 - access: customer_vendor_edit params: action: CustomerVendor/search db: vendor 
@@ -138,7 +136,6 @@ id: master_data_reports_contacts name: Contacts order: 300 - access: customer_vendor_edit params: action: CustomerVendor/search_contact db: customer