From: Jan Büren Date: Wed, 9 Mar 2022 08:12:50 +0000 (+0100) Subject: Merge pull request #41 from kivitendo/f-rights-to-view X-Git-Tag: kivitendo-mebil_0.1-0~10^2~2^2~147 X-Git-Url: http://wagnertech.de/git?a=commitdiff_plain;h=c7172f34ff94490977366ca8cad6c057ddc3da91;hp=f85f858c4f464251634dab5908d71a80f6703fb9;p=kivitendo-erp.git Merge pull request #41 from kivitendo/f-rights-to-view F rights to view --- diff --git a/SL/AP.pm b/SL/AP.pm index 8a3394baf..8ca5634cf 100644 --- a/SL/AP.pm +++ b/SL/AP.pm @@ -564,16 +564,16 @@ sub ap_transactions { # Permissions: # - Always return invoices & AP transactions for projects the employee has "view invoices" permissions for, no matter what the other rules say. # - Exclude AP transactions if no permissions for them exist. - # - Limit to own invoices unless may edit all invoices. - # - If may edit all, allow filtering by employee. + # - Limit to own invoices unless may edit all invoices or view invoices is allowed. + # - If may edit all or view invoices is allowed, allow filtering by employee. my (@permission_where, @permission_values); - if ($::auth->assert('vendor_invoice_edit', 1)) { + if ($::auth->assert('vendor_invoice_edit', 1) || $::auth->assert('purchase_invoice_view', 1)) { if (!$::auth->assert('show_ap_transactions', 1)) { push @permission_where, "NOT invoice = 'f'"; # remove ap transactions from Purchase -> Reports -> Invoices } - if (!$::auth->assert('purchase_all_edit', 1)) { + if (!$::auth->assert('purchase_all_edit', 1) && !$::auth->assert('purchase_invoice_view', 1)) { # only show own invoices push @permission_where, "a.employee_id = ?"; push @permission_values, SL::DB::Manager::Employee->current->id; 
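Review bot: The changed guard `if (!$::auth->assert('purchase_all_edit', 1) && !$::auth->assert('purchase_invoice_view', 1))` turns `purchase_invoice_view` into a "view all employees' invoices" right: a user holding only `vendor_invoice_edit` is still restricted to `a.employee_id = ?`, while a user holding only `purchase_invoice_view` gets no employee restriction at all. The rewritten comment documents that as intended, but it is a broader grant than the edit right gives and should be confirmed against the meaning the new `_view` rights are supposed to have. If view-only users are meant to see just their own records, the own-invoice guard should stay `if (!$::auth->assert('purchase_all_edit', 1)) {` and only the outer gates should gain the view right. The same pattern appears in the `ar_transactions` hunk of SL/AR.pm and in the `sales_*_view`/`purchase_*_view` conditions added to SL/DO.pm and SL/OE.pm.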
@@ -586,7 +586,7 @@ sub ap_transactions { } } - if (@permission_where || !$::auth->assert('vendor_invoice_edit', 1)) { + if (@permission_where || (!$::auth->assert('vendor_invoice_edit', 1) && !$::auth->assert('purchase_invoice_view', 1))) { my $permission_where_str = @permission_where ? "OR (" . join(" AND ", map { "($_)" } @permission_where) . ")" : ""; $where .= qq| AND ( (a.globalproject_id IN ( diff --git a/SL/AR.pm b/SL/AR.pm index 77c62d39c..63ea45c81 100644 --- a/SL/AR.pm +++ b/SL/AR.pm @@ -521,16 +521,16 @@ sub ar_transactions { # Permissions: # - Always return invoices & AR transactions for projects the employee has "view invoices" permissions for, no matter what the other rules say. # - Exclude AR transactions if no permissions for them exist. - # - Limit to own invoices unless may edit all invoices. - # - If may edit all, allow filtering by employee/salesman. + # - Limit to own invoices unless may edit all invoices or view invoices is allowed. + # - If may edit all or view invoices is allowed, allow filtering by employee/salesman. my (@permission_where, @permission_values); - if ($::auth->assert('invoice_edit', 1)) { + if ($::auth->assert('invoice_edit', 1) || $::auth->assert('sales_invoice_view', 1)) { if (!$::auth->assert('show_ar_transactions', 1) ) { push @permission_where, "NOT invoice = 'f'"; # remove ar transactions from Sales -> Reports -> Invoices } - if (!$::auth->assert('sales_all_edit', 1)) { + if (!$::auth->assert('sales_all_edit', 1) && !$::auth->assert('sales_invoice_view', 1)) { # only show own invoices push @permission_where, "a.employee_id = ?"; push @permission_values, SL::DB::Manager::Employee->current->id; 
@@ -547,7 +547,7 @@ sub ar_transactions { } } - if (@permission_where || !$::auth->assert('invoice_edit', 1)) { + if (@permission_where || (!$::auth->assert('invoice_edit', 1) && !$::auth->assert('sales_invoice_view', 1))) { my $permission_where_str = @permission_where ? "OR (" . join(" AND ", map { "($_)" } @permission_where) . ")" : ""; $where .= qq| AND ( (a.globalproject_id IN ( diff --git a/SL/Controller/DeliveryOrder.pm b/SL/Controller/DeliveryOrder.pm index a4b346214..db3184435 100644 --- a/SL/Controller/DeliveryOrder.pm +++ b/SL/Controller/DeliveryOrder.pm @@ -58,6 +58,9 @@ use Rose::Object::MakeMethods::Generic __PACKAGE__->run_before('check_auth', except => [ qw(update_stock_information) ]); +__PACKAGE__->run_before('check_auth_for_edit', + except => [ qw(update_stock_information edit show_customer_vendor_details_dialog price_popup stock_in_out_dialog load_second_rows) ]); + __PACKAGE__->run_before('get_unalterable_data', only => [ qw(save save_as_new save_and_delivery_order save_and_invoice save_and_ap_transaction print send_email) ]); @@ -1226,7 +1229,13 @@ sub init_part_picker_classification_ids { sub check_auth { my ($self) = @_; - $::auth->assert($self->type_data->access || 'DOES_NOT_EXIST'); + $::auth->assert($self->type_data->access('view') || 'DOES_NOT_EXIST'); +} + +sub check_auth_for_edit { + my ($self) = @_; + + $::auth->assert($self->type_data->access('edit') || 'DOES_NOT_EXIST'); } # build the selection box for contacts 
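Review bot: The new `check_auth_for_edit` hook copies `update_stock_information` into its `except` list, and the existing `check_auth` hook directly above already excludes the same action, so `update_stock_information` runs with no permission check at all. The first exclusion predates this commit, but this is where the two allowlists are set up side by side, so it is worth confirming whether that endpoint is intentionally open or should at least be behind the view check, i.e. `__PACKAGE__->run_before('check_auth');` with the exclusion kept only on the edit hook. Otherwise the shape is right: read-only actions are enumerated in `except`, so any action added later requires the edit right by default.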
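Review bot: `check_auth` and the new `check_auth_for_edit` differ only in the `'view'`/`'edit'` key passed to `type_data->access`, and neither says how they divide the work; a reader has to find the two `run_before` lines at the top of the file to learn that one runs for (almost) every action and the other for everything outside a read-only `except` list. A comment above each, e.g. `# opening/listing a record needs the type's view right (run_before without except list at the top)` and `# modifying actions additionally need the edit right; read-only actions are the except list of run_before('check_auth_for_edit')`, would document the split. The `|| 'DOES_NOT_EXIST'` fallback fails closed for a type without a rights entry and deserves a word as well.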
@@ -1785,22 +1794,25 @@ sub setup_edit_action_bar { my ($self, %params) = @_; my $deletion_allowed = $self->type_data->show_menu("delete"); + my $may_edit_create = $::auth->assert($self->type_data->access('edit') || 'DOES_NOT_EXIST', 1); for my $bar ($::request->layout->get('actionbar')) { $bar->add( combobox => [ action => [ t8('Save'), - call => [ 'kivi.DeliveryOrder.save', 'save', $::instance_conf->get_order_warn_duplicate_parts, - $::instance_conf->get_order_warn_no_deliverydate, - ], + call => [ 'kivi.DeliveryOrder.save', 'save', $::instance_conf->get_order_warn_duplicate_parts, + $::instance_conf->get_order_warn_no_deliverydate, + ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save as new'), - call => [ 'kivi.DeliveryOrder.save', 'save_as_new', $::instance_conf->get_order_warn_duplicate_parts ], - disabled => $self->type eq 'supplier_delivery_order' ? t8('Need a workflow for Supplier Delivery Order') - : !$self->order->id ? t8('This object has not been saved yet.') - : undef, + call => [ 'kivi.DeliveryOrder.save', 'save_as_new', $::instance_conf->get_order_warn_duplicate_parts ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $self->type eq 'supplier_delivery_order' ? t8('Need a workflow for Supplier Delivery Order') + : !$self->order->id ? t8('This object has not been saved yet.') + : undef, ], ], # end of combobox "Save" 
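Review bot: The permission message `!$may_edit_create ? t8('You do not have the permissions to access this function.') : undef` is spelled out verbatim for every action in this and the following `setup_edit_action_bar` hunks, and again in SL/Controller/Order.pm and bin/mozilla/do.pl, which invites drift if the wording or the condition ever changes. Computing it once next to `$may_edit_create`, e.g. `my $no_edit_create_msg = !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef;`, lets each entry become `disabled => $no_edit_create_msg,` or, where further conditions follow, `disabled => $no_edit_create_msg // (!$self->order->id ? t8('This object has not been saved yet.') : undef),` (the parentheses matter, `//` binds tighter than `?:`). `setup_edit_action_bar` continues past the end of this hunk.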
@@ -1812,38 +1824,45 @@ sub setup_edit_action_bar { t8('Save and Quotation'), submit => [ '#order_form', { action => "DeliveryOrder/sales_quotation" } ], only_if => $self->type_data->show_menu("save_and_quotation"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and RFQ'), submit => [ '#order_form', { action => "DeliveryOrder/request_for_quotation" } ], only_if => $self->type_data->show_menu("save_and_rfq"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Sales Order'), submit => [ '#order_form', { action => "DeliveryOrder/sales_order" } ], only_if => $self->type_data->show_menu("save_and_sales_order"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Purchase Order'), - call => [ 'kivi.DeliveryOrder.purchase_order_check_for_direct_delivery' ], + call => [ 'kivi.DeliveryOrder.purchase_order_check_for_direct_delivery' ], only_if => $self->type_data->show_menu("save_and_purchase_order"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Delivery Order'), - call => [ 'kivi.DeliveryOrder.save', 'save_and_delivery_order', $::instance_conf->get_order_warn_duplicate_parts, - $::instance_conf->get_order_warn_no_deliverydate, - ], + call => [ 'kivi.DeliveryOrder.save', 'save_and_delivery_order', $::instance_conf->get_order_warn_duplicate_parts, + $::instance_conf->get_order_warn_no_deliverydate, + ], only_if => $self->type_data->show_menu("save_and_delivery_order"), + disabled => !$may_edit_create ? 
t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Invoice'), - call => [ 'kivi.DeliveryOrder.save', 'save_and_invoice', $::instance_conf->get_order_warn_duplicate_parts ], + call => [ 'kivi.DeliveryOrder.save', 'save_and_invoice', $::instance_conf->get_order_warn_duplicate_parts ], only_if => $self->type_data->show_menu("save_and_invoice"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and AP Transaction'), - call => [ 'kivi.DeliveryOrder.save', 'save_and_ap_transaction', $::instance_conf->get_order_warn_duplicate_parts ], + call => [ 'kivi.DeliveryOrder.save', 'save_and_ap_transaction', $::instance_conf->get_order_warn_duplicate_parts ], only_if => $self->type_data->show_menu("save_and_ap_transaction"), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], ], # end of combobox "Workflow" 
@@ -1854,28 +1873,34 @@ sub setup_edit_action_bar { ], action => [ t8('Save and preview PDF'), - call => [ 'kivi.DeliveryOrder.save', 'preview_pdf', $::instance_conf->get_order_warn_duplicate_parts, - $::instance_conf->get_order_warn_no_deliverydate, - ], + call => [ 'kivi.DeliveryOrder.save', 'preview_pdf', $::instance_conf->get_order_warn_duplicate_parts, + $::instance_conf->get_order_warn_no_deliverydate, + ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and print'), - call => [ 'kivi.DeliveryOrder.show_print_options', $::instance_conf->get_order_warn_duplicate_parts, - $::instance_conf->get_order_warn_no_deliverydate, - ], + call => [ 'kivi.DeliveryOrder.show_print_options', $::instance_conf->get_order_warn_duplicate_parts, + $::instance_conf->get_order_warn_no_deliverydate, + ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and E-mail'), - id => 'save_and_email_action', - call => [ 'kivi.DeliveryOrder.save', 'save_and_show_email_dialog', $::instance_conf->get_order_warn_duplicate_parts, - $::instance_conf->get_order_warn_no_deliverydate, - ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') : undef, + id => 'save_and_email_action', + call => [ 'kivi.DeliveryOrder.save', 'save_and_show_email_dialog', $::instance_conf->get_order_warn_duplicate_parts, + $::instance_conf->get_order_warn_no_deliverydate, + ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') + : undef, ], action => [ t8('Download attachments of all parts'), call => [ 'kivi.File.downloadOrderitemsFiles', $::form->{type}, $::form->{id} ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') : undef, + disabled => !$may_edit_create ? 
t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') + : undef, only_if => $::instance_conf->get_doc_storage, ], ], # end of combobox "Export" 
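Review bot: `Download attachments of all parts` is now disabled when `!$may_edit_create`, although downloading is a read operation and `disabled` is only a UI hint. If the new view right is meant to give read access to the record, this action should probably keep its previous condition `disabled => !$self->order->id ? t8('This object has not been saved yet.') : undef,`; if the download is meant to require the edit right, the server side behind `kivi.File.downloadOrderitemsFiles` has to enforce that too, because hiding the button does not. `setup_edit_action_bar` continues outside this hunk.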
@@ -1885,28 +1910,34 @@ sub setup_edit_action_bar { id => 'delete_action', call => [ 'kivi.DeliveryOrder.delete_order' ], confirm => $::locale->text('Do you really want to delete this object?'), - disabled => !$self->order->id ? t8('This object has not been saved yet.') : - $self->order->delivered ? t8('The parts for this order have already been transferred') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') + : $self->order->delivered ? t8('The parts for this order have already been transferred') + : undef, only_if => $self->type_data->show_menu("delete"), ], combobox => [ action => [ t8('Transfer out'), - id => 'transfer_out_action', - call => [ 'kivi.DeliveryOrder.save', 'transfer_stock' ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') : - $self->order->delivered ? t8('The parts for this order have already been transferred') : undef, - only_if => $self->type_data->properties('transfer') eq 'out', + id => 'transfer_out_action', + call => [ 'kivi.DeliveryOrder.save', 'transfer_stock' ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') + : $self->order->delivered ? t8('The parts for this order have already been transferred') + : undef, + only_if => $self->type_data->properties('transfer') eq 'out', confirm => t8('Do you really want to transfer the stock and set this order to delivered?'), ], action => [ t8('Transfer in'), - id => 'transfer_in_action', - call => [ 'kivi.DeliveryOrder.save', 'transfer_stock' ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') : - $self->order->delivered ? 
t8('The parts for this order have already been transferred') : undef, - only_if => $self->type_data->properties('transfer') eq 'in', + id => 'transfer_in_action', + call => [ 'kivi.DeliveryOrder.save', 'transfer_stock' ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') + : $self->order->delivered ? t8('The parts for this order have already been transferred') + : undef, + only_if => $self->type_data->properties('transfer') eq 'in', confirm => t8('Do you really want to transfer the stock and set this order to delivered?'), ], ], diff --git a/SL/Controller/DeliveryOrder/TypeData.pm b/SL/Controller/DeliveryOrder/TypeData.pm index 4aa29251d..0650e08b3 100644 --- a/SL/Controller/DeliveryOrder/TypeData.pm +++ b/SL/Controller/DeliveryOrder/TypeData.pm @@ -51,7 +51,8 @@ sub properties { } sub access { - get($_[0]->c->type, "right"); + my ($self, $string) = @_; + get3($_[0]->c->type, "rights", $string); } sub is_quotation { diff --git a/SL/Controller/Order.pm b/SL/Controller/Order.pm index b14d76438..b7d38cd78 100644 --- a/SL/Controller/Order.pm +++ b/SL/Controller/Order.pm @@ -56,6 +56,9 @@ use Rose::Object::MakeMethods::Generic # safety __PACKAGE__->run_before('check_auth'); +__PACKAGE__->run_before('check_auth_for_edit', + except => [ qw(edit show_customer_vendor_details_dialog price_popup load_second_rows) ]); + __PACKAGE__->run_before('recalc', only => [ qw(save save_as_new save_and_delivery_order save_and_invoice save_and_invoice_for_advance_payment save_and_final_invoice save_and_ap_transaction print send_email) ]); 
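Review bot: In `access` (SL/Controller/DeliveryOrder/TypeData.pm) the new first line unpacks `my ($self, $string) = @_;` but the call on the next line still uses `$_[0]->c->type`, so `$self` is declared and never used, and `$string` does not say that it selects the `edit`/`view` entry of the `rights` hash. Suggest `my ($self, $kind) = @_;` followed by `return get3($self->c->type, "rights", $kind);`. Callers in SL/Controller/DeliveryOrder.pm guard the result with `|| 'DOES_NOT_EXIST'`, which presumably relies on `get3` returning a false value for an unknown type or key; if that is the contract, a one-line comment here would make it explicit.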
@@ -1372,6 +1375,17 @@ sub init_part_picker_classification_ids { sub check_auth { my ($self) = @_; + my $right_for = { map { $_ => $_.'_edit' . ' | ' . $_.'_view' } @{$self->valid_types} }; + + my $right = $right_for->{ $self->type }; + $right ||= 'DOES_NOT_EXIST'; + + $::auth->assert($right); +} + +sub check_auth_for_edit { + my ($self) = @_; + my $right_for = { map { $_ => $_.'_edit' } @{$self->valid_types} }; my $right = $right_for->{ $self->type }; @@ -2020,6 +2034,11 @@ sub setup_edit_action_bar { $has_final_invoice = any {'SL::DB::Invoice' eq ref $_ && "final_invoice" eq $_->type} @$lr; } + my $right_for = { map { $_ => $_.'_edit' } @{$self->valid_types} }; + my $right = $right_for->{ $self->type }; + $right ||= 'DOES_NOT_EXIST'; + my $may_edit_create = $::auth->assert($right, 'may fail'); + for my $bar ($::request->layout->get('actionbar')) { $bar->add( combobox => [ @@ -2031,6 +2050,7 @@ sub setup_edit_action_bar { checks => [ 'kivi.Order.check_save_active_periodic_invoices', ['kivi.validate_form','#order_form'], @req_trans_cost_art, @req_cusordnumber, ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save as new'), @@ -2038,7 +2058,9 @@ sub setup_edit_action_bar { checks => [ 'kivi.Order.check_save_active_periodic_invoices', @req_trans_cost_art, @req_cusordnumber, ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') + : undef, ], ], # end of combobox "Save" 
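Review bot: The right string is rebuilt from `valid_types` in three places in SL/Controller/Order.pm — `check_auth` (`$_.'_edit' . ' | ' . $_.'_view'`), `check_auth_for_edit` (`$_.'_edit'`) and the new `$may_edit_create` block in `setup_edit_action_bar` — and the last one passes `'may fail'` as the second `assert` argument while every other call site on this page passes `1`. A small private helper that takes the right suffix(es), builds the string for `$self->type` and returns `'DOES_NOT_EXIST'` when the type is not in `valid_types` would remove the duplication, so that both hooks and the action bar read e.g. `$::auth->assert($self->_right_for_type('_edit'), 1)`. The body of `check_auth_for_edit` continues beyond the end of the first hunk.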
@@ -2051,23 +2073,27 @@ sub setup_edit_action_bar { submit => [ '#order_form', { action => "Order/sales_quotation" } ], checks => [ @req_trans_cost_art, @req_cusordnumber ], only_if => (any { $self->type eq $_ } (sales_order_type())), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and RFQ'), submit => [ '#order_form', { action => "Order/request_for_quotation" } ], only_if => (any { $self->type eq $_ } (purchase_order_type())), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Sales Order'), submit => [ '#order_form', { action => "Order/sales_order" } ], checks => [ @req_trans_cost_art ], only_if => (any { $self->type eq $_ } (sales_quotation_type(), purchase_order_type())), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Purchase Order'), call => [ 'kivi.Order.purchase_order_check_for_direct_delivery' ], checks => [ @req_trans_cost_art, @req_cusordnumber ], only_if => (any { $self->type eq $_ } (sales_order_type(), request_quotation_type())), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Delivery Order'), @@ -2077,7 +2103,8 @@ sub setup_edit_action_bar { checks => [ 'kivi.Order.check_save_active_periodic_invoices', @req_trans_cost_art, @req_cusordnumber, ], - only_if => (any { $self->type eq $_ } (sales_order_type(), purchase_order_type())) + only_if => (any { $self->type eq $_ } (sales_order_type(), purchase_order_type())), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Supplier Delivery Order'), 
@@ -2087,7 +2114,8 @@ sub setup_edit_action_bar { checks => [ 'kivi.Order.check_save_active_periodic_invoices', @req_trans_cost_art, @req_cusordnumber, ], - only_if => (any { $self->type eq $_ } (purchase_order_type())) + only_if => (any { $self->type eq $_ } (purchase_order_type())), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and Invoice'), @@ -2095,6 +2123,7 @@ sub setup_edit_action_bar { checks => [ 'kivi.Order.check_save_active_periodic_invoices', @req_trans_cost_art, @req_cusordnumber, ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ ($has_invoice_for_advance_payment ? t8('Save and Further Invoice for Advance Payment') : t8('Save and Invoice for Advance Payment')), @@ -2102,8 +2131,9 @@ sub setup_edit_action_bar { checks => [ 'kivi.Order.check_save_active_periodic_invoices', @req_trans_cost_art, @req_cusordnumber, ], - disabled => $has_final_invoice ? t8('This order has already a final invoice.') - : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $has_final_invoice ? t8('This order has already a final invoice.') + : undef, only_if => (any { $self->type eq $_ } (sales_order_type())), ], action => [ 
@@ -2112,14 +2142,16 @@ sub setup_edit_action_bar { checks => [ 'kivi.Order.check_save_active_periodic_invoices', @req_trans_cost_art, @req_cusordnumber, ], - disabled => $has_final_invoice ? t8('This order has already a final invoice.') - : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $has_final_invoice ? t8('This order has already a final invoice.') + : undef, only_if => (any { $self->type eq $_ } (sales_order_type())) && $has_invoice_for_advance_payment, ], action => [ t8('Save and AP Transaction'), call => [ 'kivi.Order.save', 'save_and_ap_transaction', $::instance_conf->get_order_warn_duplicate_parts ], - only_if => (any { $self->type eq $_ } (purchase_order_type())) + only_if => (any { $self->type eq $_ } (purchase_order_type())), + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], ], # end of combobox "Workflow" 
@@ -2130,25 +2162,29 @@ sub setup_edit_action_bar { ], action => [ t8('Save and preview PDF'), - call => [ 'kivi.Order.save', 'preview_pdf', $::instance_conf->get_order_warn_duplicate_parts, - $::instance_conf->get_order_warn_no_deliverydate, - ], - checks => [ @req_trans_cost_art, @req_cusordnumber ], + call => [ 'kivi.Order.save', 'preview_pdf', $::instance_conf->get_order_warn_duplicate_parts, + $::instance_conf->get_order_warn_no_deliverydate, + ], + checks => [ @req_trans_cost_art, @req_cusordnumber ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and print'), - call => [ 'kivi.Order.show_print_options', $::instance_conf->get_order_warn_duplicate_parts, - $::instance_conf->get_order_warn_no_deliverydate, - ], - checks => [ @req_trans_cost_art, @req_cusordnumber ], + call => [ 'kivi.Order.show_print_options', $::instance_conf->get_order_warn_duplicate_parts, + $::instance_conf->get_order_warn_no_deliverydate, + ], + checks => [ @req_trans_cost_art, @req_cusordnumber ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('Save and E-mail'), - id => 'save_and_email_action', - call => [ 'kivi.Order.save', 'save_and_show_email_dialog', $::instance_conf->get_order_warn_duplicate_parts, - $::instance_conf->get_order_warn_no_deliverydate, - ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') : undef, + id => 'save_and_email_action', + call => [ 'kivi.Order.save', 'save_and_show_email_dialog', $::instance_conf->get_order_warn_duplicate_parts, + $::instance_conf->get_order_warn_no_deliverydate, + ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') + : undef, ], action => [ t8('Download attachments of all parts'), 
@@ -2162,26 +2198,12 @@ sub setup_edit_action_bar { t8('Delete'), call => [ 'kivi.Order.delete_order' ], confirm => $::locale->text('Do you really want to delete this object?'), - disabled => !$self->order->id ? t8('This object has not been saved yet.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$self->order->id ? t8('This object has not been saved yet.') + : undef, only_if => $deletion_allowed, ], - combobox => [ - action => [ - t8('more') - ], - action => [ - t8('History'), - call => [ 'set_history_window', $self->order->id, 'id' ], - disabled => !$self->order->id ? t8('This record has not been saved yet.') : undef, - ], - action => [ - t8('Follow-Up'), - call => [ 'kivi.Order.follow_up_window' ], - disabled => !$self->order->id ? t8('This object has not been saved yet.') : undef, - only_if => $::auth->assert('productivity', 1), - ], - ], # end of combobox "more" ); } } diff --git a/SL/Controller/TopQuickSearch/PurchaseDeliveryOrder.pm b/SL/Controller/TopQuickSearch/PurchaseDeliveryOrder.pm index 0c26dd101..e5613609e 100644 --- a/SL/Controller/TopQuickSearch/PurchaseDeliveryOrder.pm +++ b/SL/Controller/TopQuickSearch/PurchaseDeliveryOrder.pm @@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::DeliveryOrder); use SL::Locale::String qw(t8); -sub auth { 'purchase_delivery_order_edit' } +sub auth { 'purchase_delivery_order_edit | purchase_delivery_order_edit' } sub name { 'purchase_delivery_order' } diff --git a/SL/Controller/TopQuickSearch/PurchaseOrder.pm b/SL/Controller/TopQuickSearch/PurchaseOrder.pm index 4013c8a9e..f64fb8366 100644 --- a/SL/Controller/TopQuickSearch/PurchaseOrder.pm +++ b/SL/Controller/TopQuickSearch/PurchaseOrder.pm @@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord); use SL::Locale::String qw(t8); -sub auth { 'purchase_order_edit' } +sub auth { 'purchase_order_edit | purchase_order_view' } sub name { 'purchase_order' } 
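Review bot: The `combobox` "more" with the `History` and `Follow-Up` actions is deleted from `setup_edit_action_bar` in this hunk, which does not follow from the view-right change the rest of the commit makes and, unless re-added outside the hunk, removes those two entries for every user. If it was moved, a sentence in the commit message would save the next reader the search; if not, the deletion looks accidental — the `Follow-Up` entry was already guarded by its own `only_if => $::auth->assert('productivity', 1)` and did not depend on the edit right.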
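Review bot: The new `auth` string in SL/Controller/TopQuickSearch/PurchaseDeliveryOrder.pm repeats `purchase_delivery_order_edit` on both sides of the `|`, so it still requires the edit right and a user with only `purchase_delivery_order_view` gets no quick search for purchase delivery orders (fail-closed, so a functional gap rather than an exposure). Every sibling on this page (PurchaseOrder, RequestForQuotation, SalesDeliveryOrder, SalesOrder, SalesQuotation) pairs `_edit` with `_view`, and the `view` entry for PURCHASE_DELIVERY_ORDER_TYPE in SL/DB/DeliveryOrder/TypeData.pm is `purchase_delivery_order_edit | purchase_delivery_order_view`. The line should read `sub auth { 'purchase_delivery_order_edit | purchase_delivery_order_view' }`.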
diff --git a/SL/Controller/TopQuickSearch/RequestForQuotation.pm b/SL/Controller/TopQuickSearch/RequestForQuotation.pm index 3b2adefd3..d9571008c 100644 --- a/SL/Controller/TopQuickSearch/RequestForQuotation.pm +++ b/SL/Controller/TopQuickSearch/RequestForQuotation.pm @@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord); use SL::Locale::String qw(t8); -sub auth { 'request_quotation_edit' } +sub auth { 'request_quotation_edit | request_quotation_view' } sub name { 'request_quotation' } diff --git a/SL/Controller/TopQuickSearch/SalesDeliveryOrder.pm b/SL/Controller/TopQuickSearch/SalesDeliveryOrder.pm index 4895b882d..073a9c29e 100644 --- a/SL/Controller/TopQuickSearch/SalesDeliveryOrder.pm +++ b/SL/Controller/TopQuickSearch/SalesDeliveryOrder.pm @@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::DeliveryOrder); use SL::Locale::String qw(t8); -sub auth { 'sales_delivery_order_edit' } +sub auth { 'sales_delivery_order_edit | sales_delivery_order_view' } sub name { 'sales_delivery_order' } diff --git a/SL/Controller/TopQuickSearch/SalesOrder.pm b/SL/Controller/TopQuickSearch/SalesOrder.pm index 1f5296ea2..8f91e6e08 100644 --- a/SL/Controller/TopQuickSearch/SalesOrder.pm +++ b/SL/Controller/TopQuickSearch/SalesOrder.pm @@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord); use SL::Locale::String qw(t8); -sub auth { 'sales_order_edit' } +sub auth { 'sales_order_edit | sales_order_view' } sub name { 'sales_order' } diff --git a/SL/Controller/TopQuickSearch/SalesQuotation.pm b/SL/Controller/TopQuickSearch/SalesQuotation.pm index 28ec9fd17..f7a6b777a 100644 --- a/SL/Controller/TopQuickSearch/SalesQuotation.pm +++ b/SL/Controller/TopQuickSearch/SalesQuotation.pm @@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord); use SL::Locale::String qw(t8); -sub auth { 'sales_quotation_edit' } +sub auth { 'sales_quotation_edit | sales_quotation_view' } sub name { 'sales_quotation' } 
diff --git a/SL/DB/DeliveryOrder/TypeData.pm b/SL/DB/DeliveryOrder/TypeData.pm index 141085acb..8b523fb5a 100644 --- a/SL/DB/DeliveryOrder/TypeData.pm +++ b/SL/DB/DeliveryOrder/TypeData.pm @@ -47,7 +47,10 @@ my %type_data = ( transnumber => 'sdonumber', }, part_classification_query => [ "used_for_sale" => 1 ], - right => "sales_delivery_order_edit", + rights => { + edit => "sales_delivery_order_edit", + view => "sales_delivery_order_edit | sales_delivery_order_view", + }, }, PURCHASE_DELIVERY_ORDER_TYPE() => { text => { @@ -76,7 +79,10 @@ my %type_data = ( transnumber => 'pdonumber', }, part_classification_query => [ "used_for_purchase" => 1 ], - right => "purchase_delivery_order_edit", + rights => { + edit => "purchase_delivery_order_edit", + view => "purchase_delivery_order_edit | purchase_delivery_order_view", + }, }, SUPPLIER_DELIVERY_ORDER_TYPE() => { text => { @@ -105,7 +111,10 @@ my %type_data = ( transnumber => 'sudonumber', }, part_classification_query => [ "used_for_purchase" => 1 ], - right => "purchase_delivery_order_edit", + rights => { + edit => "purchase_delivery_order_edit", + view => "purchase_delivery_order_edit | purchase_delivery_order_view", + }, }, RMA_DELIVERY_ORDER_TYPE() => { text => { @@ -134,7 +143,10 @@ my %type_data = ( transnumber => 'rdonumber', }, part_classification_query => [ "used_for_sale" => 1 ], - right => "sales_delivery_order_edit", + rights => { + edit => "sales_delivery_order_edit", + view => "sales_delivery_order_edit | sales_delivery_order_view", + }, }, ); diff --git a/SL/DO.pm b/SL/DO.pm index ac3f34bd9..ebc605159 100644 --- a/SL/DO.pm +++ b/SL/DO.pm 
@@ -134,7 +134,8 @@ sub transactions { push @where, "dord.$item = ?"; push @values, conv_i($form->{$item}); } - if ( !(($vc eq 'customer' && $main::auth->assert('sales_all_edit', 1)) || ($vc eq 'vendor' && $main::auth->assert('purchase_all_edit', 1))) ) { + if ( !( ($vc eq 'customer' && ($main::auth->assert('sales_all_edit', 1) || $main::auth->assert('sales_delivery_order_view', 1))) + || ($vc eq 'vendor' && ($main::auth->assert('purchase_all_edit', 1) || $main::auth->assert('purchase_delivery_order_view', 1))) ) ) { push @where, qq|dord.employee_id = (select id from employee where login= ?)|; push @values, $::myconfig{login}; } diff --git a/SL/OE.pm b/SL/OE.pm index 332d6345a..b273d814a 100644 --- a/SL/OE.pm +++ b/SL/OE.pm @@ -192,7 +192,8 @@ SQL push(@values, (like($form->{"cp_name"}))x2); } - if ( !(($vc eq 'customer' && $main::auth->assert('sales_all_edit', 1)) || ($vc eq 'vendor' && $main::auth->assert('purchase_all_edit', 1))) ) { + if ( !( ($vc eq 'customer' && ($main::auth->assert('sales_all_edit', 1) || $main::auth->assert('sales_order_view', 1))) + || ($vc eq 'vendor' && ($main::auth->assert('purchase_all_edit', 1) || $main::auth->assert('purchase_order_view', 1))) ) ) { $query .= " AND o.employee_id = (select id from employee where login= ?)"; push @values, $::myconfig{login}; } diff --git a/bin/mozilla/do.pl b/bin/mozilla/do.pl index 7a51a6a48..581ec5b37 100644 --- a/bin/mozilla/do.pl +++ b/bin/mozilla/do.pl @@ -57,10 +57,17 @@ use strict; # end of main +sub check_do_access_for_edit { + validate_type($::form->{type}); + + my $right = SL::DB::DeliveryOrder::TypeData::get3($::form->{type}, "rights", "edit"); + $main::auth->assert($right); +} + sub check_do_access { validate_type($::form->{type}); - my $right = SL::DB::DeliveryOrder::TypeData::get($::form->{type}, "right"); + my $right = SL::DB::DeliveryOrder::TypeData::get3($::form->{type}, "rights", "view"); $main::auth->assert($right); } 
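Review bot: `check_do_access_for_edit` in bin/mozilla/do.pl is identical to `check_do_access` except for the `"edit"`/`"view"` key, and nothing says which subs are expected to call which. A comment above each, e.g. `# view right: enough to open or list a delivery order` and `# edit right: every sub that saves, deletes or transfers must call this one, not check_do_access`, would make the contract visible to anyone adding a new sub later. The duplication itself could be folded into one helper taking the key, but documenting the split matters more.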
@@ -90,7 +97,7 @@ sub set_headings { sub add { $main::lxdebug->enter_sub(); - check_do_access(); + check_do_access_for_edit(); if (($::form->{type} =~ /purchase/) && !$::instance_conf->get_allow_new_purchase_invoice) { $::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")); @@ -254,11 +261,15 @@ sub setup_do_action_bar { if (ref $undo_date eq 'DateTime' && ref $insertdate eq 'DateTime') { $undo_transfer = $insertdate > $undo_date; } + + my $may_edit_create = $::auth->assert(SL::DB::DeliveryOrder::TypeData::get3($::form->{type}, "rights", "edit"), 1); + for my $bar ($::request->layout->get('actionbar')) { $bar->add( action => [ t8('Update'), submit => [ '#form', { action => "update" } ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, id => 'update_button', accesskey => 'enter', ], 
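Review bot: `add` is the only caller switched to `check_do_access_for_edit()` on this page, while `check_do_access()` now accepts the weaker view right. bin/mozilla/do.pl appears to have no per-action hook like the controllers' `run_before`, so if `save`, `save_as_new`, `delete`, `mark_closed`, `transfer_out`, `transfer_in` and the other writers still call `check_do_access()`, a view-only user can still submit those form actions directly — the `disabled` entries added to `setup_do_action_bar` below are a UI hint, not enforcement. Each modifying sub should open with `check_do_access_for_edit();`; the callers outside this hunk need to be audited for that.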
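Review bot: `$may_edit_create` in `setup_do_action_bar` passes the result of `get3(...)` straight to `assert`, whereas the same lookup in SL/Controller/DeliveryOrder.pm is written `access('edit') || 'DOES_NOT_EXIST'`; what `assert(undef, 1)` returns for an unexpected `$::form->{type}` is not visible here. Adding the same fallback, `my $may_edit_create = $::auth->assert(SL::DB::DeliveryOrder::TypeData::get3($::form->{type}, "rights", "edit") || 'DOES_NOT_EXIST', 1);`, keeps the two sites consistent and fails closed. `setup_do_action_bar` continues past the end of this hunk.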
@@ -268,20 +279,24 @@ sub setup_do_action_bar { t8('Save'), submit => [ '#form', { action => "save" } ], checks => [ 'kivi.validate_form' ], - disabled => $::form->{delivered} ? t8('This record has already been delivered.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $::form->{delivered} ? t8('This record has already been delivered.') + : undef, ], action => [ t8('Save as new'), submit => [ '#form', { action => "save_as_new" } ], checks => [ 'kivi.validate_form' ], - disabled => !$::form->{id}, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$::form->{id}, ], action => [ t8('Mark as closed'), submit => [ '#form', { action => "mark_closed" } ], checks => [ 'kivi.validate_form' ], confirm => t8('This will remove the delivery order from showing as open even if contents are not delivered. Proceed?'), - disabled => !$::form->{id} ? t8('This record has not been saved yet.') + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$::form->{id} ? t8('This record has not been saved yet.') : $::form->{closed} ? t8('This record has already been closed.') : undef, ], 
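Review bot: The `Save as new` entry now mixes a message string with a bare boolean: `disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : !$::form->{id},` yields `1`/`''` on the second branch while every neighbouring entry yields a translated reason or `undef`. For consistency with `Mark as closed` directly below, make the second branch `: !$::form->{id} ? t8('This record has not been saved yet.') : undef,`. The boolean fallback predates this commit, but rewriting the line as a chained ternary is the natural point to align it.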
@@ -291,7 +306,8 @@ sub setup_do_action_bar { t8('Delete'), submit => [ '#form', { action => "delete" } ], confirm => t8('Do you really want to delete this object?'), - disabled => !$::form->{id} ? t8('This record has not been saved yet.') + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$::form->{id} ? t8('This record has not been saved yet.') : $::form->{delivered} ? t8('This record has already been delivered.') : ($::form->{vc} eq 'customer' && !$::instance_conf->get_sales_delivery_order_show_delete) ? t8('Deleting this type of record has been disabled in the configuration.') : ($::form->{vc} eq 'vendor' && !$::instance_conf->get_purchase_delivery_order_show_delete) ? t8('Deleting this type of record has been disabled in the configuration.') 
@@ -303,28 +319,36 @@ sub setup_do_action_bar { t8('Transfer out'), submit => [ '#form', { action => "transfer_out" } ], checks => [ 'kivi.validate_form', @transfer_qty ], - disabled => $::form->{delivered} ? t8('This record has already been delivered.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $::form->{delivered} ? t8('This record has already been delivered.') + : undef, only_if => $is_customer, ], action => [ t8('Transfer out via default'), submit => [ '#form', { action => "transfer_out_default" } ], checks => [ 'kivi.validate_form' ], - disabled => $::form->{delivered} ? t8('This record has already been delivered.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $::form->{delivered} ? t8('This record has already been delivered.') + : undef, only_if => $is_customer && $::instance_conf->get_transfer_default, ], action => [ t8('Transfer in'), submit => [ '#form', { action => "transfer_in" } ], checks => [ 'kivi.validate_form', @transfer_qty ], - disabled => $::form->{delivered} ? t8('This record has already been delivered.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $::form->{delivered} ? t8('This record has already been delivered.') + : undef, only_if => !$is_customer, ], action => [ t8('Transfer in via default'), submit => [ '#form', { action => "transfer_in_default" } ], checks => [ 'kivi.validate_form' ], - disabled => $::form->{delivered} ? t8('This record has already been delivered.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : $::form->{delivered} ? t8('This record has already been delivered.') + : undef, only_if => !$is_customer && $::instance_conf->get_transfer_default, ], action => [ 
@@ -332,7 +356,9 @@ sub setup_do_action_bar { submit => [ '#form', { action => "delete_transfers" } ], checks => [ 'kivi.validate_form' ], only_if => $::form->{delivered}, - disabled => !$undo_transfer ? t8('Transfer date exceeds the maximum allowed interval.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$undo_transfer ? t8('Transfer date exceeds the maximum allowed interval.') + : undef, ], ], # end of combobox "Transfer out" @@ -353,14 +379,17 @@ sub setup_do_action_bar { action => [ t8('Export') ], action => [ t8('Print'), - call => [ 'kivi.SalesPurchase.show_print_dialog' ], - checks => [ 'kivi.validate_form' ], + call => [ 'kivi.SalesPurchase.show_print_dialog' ], + checks => [ 'kivi.validate_form' ], + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') : undef, ], action => [ t8('E Mail'), call => [ 'kivi.SalesPurchase.show_email_dialog' ], checks => [ 'kivi.validate_form' ], - disabled => !$::form->{id} ? t8('This record has not been saved yet.') : undef, + disabled => !$may_edit_create ? t8('You do not have the permissions to access this function.') + : !$::form->{id} ? t8('This record has not been saved yet.') + : undef, ], ], # end of combobox "Export" @@ -913,7 +942,7 @@ sub save { my (%params) = @_; - check_do_access(); + check_do_access_for_edit(); my $form = $main::form; my %myconfig = %main::myconfig; @@ -995,7 +1024,7 @@ sub save { sub delete { $main::lxdebug->enter_sub(); - check_do_access(); + check_do_access_for_edit(); my $form = $main::form; my %myconfig = %main::myconfig; @@ -1021,7 +1050,7 @@ sub delete { sub delete_transfers { $main::lxdebug->enter_sub(); - check_do_access(); + check_do_access_for_edit(); my $form = $main::form; my %myconfig = %main::myconfig; @@ -1275,7 +1304,7 @@ sub invoice_multi { sub save_as_new { $main::lxdebug->enter_sub(); - check_do_access(); + check_do_access_for_edit(); my $form = $main::form; 
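Review bot: `Print` is now disabled whenever `$may_edit_create` is false, which locks out exactly the users the new `*_delivery_order_view` rights are meant to admit; if printing an existing delivery order is a read-only operation here, the added `disabled => !$may_edit_create ? t8(...) : undef,` line on the print action should go (the `E Mail` action, which sends the document out, can reasonably stay gated). The later hunks on this line switch `save`, `delete`, `delete_transfers` and `save_as_new` to `check_do_access_for_edit()`, whose definition is outside this view; its right expression should be the per-type `edit` right rather than the `edit | view` expression used by `check_do_access()`, and a one-line comment at its definition stating that would make the contrast with `display_form` explicit.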
@@ -1792,7 +1821,7 @@ sub mark_closed {
 sub display_form {
 $::lxdebug->enter_sub;
- $::auth->assert('purchase_delivery_order_edit | sales_delivery_order_edit');
+ check_do_access();
 relink_accounts();
 retrieve_partunits();
diff --git a/bin/mozilla/ir.pl b/bin/mozilla/ir.pl
index cca6d12f1..1b9a782ad 100644
--- a/bin/mozilla/ir.pl
+++ b/bin/mozilla/ir.pl
@@ -56,9 +56,10 @@ use strict;
 # end of main
 sub _may_view_or_edit_this_invoice {
- return 1 if $::auth->assert('ap_transactions', 1); # may edit all invoices
- return 0 if !$::form->{id}; # creating new invoices isn't allowed without invoice_edit
- return 0 if !$::form->{globalproject_id}; # existing records without a project ID are not allowed
+ return 1 if $::auth->assert('ap_transactions', 1); # may edit all invoices
+ return 0 if !$::form->{id}; # creating new invoices isn't allowed without invoice_edit
+ return 1 if $::auth->assert('purchase_invoice_view', 1); # viewing is allowed with this right
+ return 0 if !$::form->{globalproject_id}; # existing records without a project ID are not allowed
 return SL::DB::Project->new(id => $::form->{globalproject_id})->load->may_employee_view_project_invoices(SL::DB::Manager::Employee->current);
 }
diff --git a/bin/mozilla/is.pl b/bin/mozilla/is.pl
index 838498033..57a79af0d 100644
--- a/bin/mozilla/is.pl
+++ b/bin/mozilla/is.pl
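Review bot: `_may_view_or_edit_this_invoice` now returns true for a user who holds only `purchase_invoice_view`, yet its name and single boolean result suggest callers use it to gate display and mutation alike; any call site that authorizes a save, post or delete through this helper would let a view-only user write. The call sites are outside this hunk, so I cannot confirm how it is used — a comment on the new line, e.g. `# true here only means "may view"; mutating actions must assert ap_transactions/vendor_invoice_edit themselves`, plus a check of each caller would settle it. The view right is also tested before the `globalproject_id` rule, so it overrides the project-based restriction; that looks intended but should be stated in the comment. The `is.pl` hunk on the next line has the same shape with `invoice_edit`/`sales_invoice_view`.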
@@ -62,9 +62,10 @@ use strict;
 # end of main
 sub _may_view_or_edit_this_invoice {
- return 1 if $::auth->assert('invoice_edit', 1); # may edit all invoices
- return 0 if !$::form->{id}; # creating new invoices isn't allowed without invoice_edit
- return 0 if !$::form->{globalproject_id}; # existing records without a project ID are not allowed
+ return 1 if $::auth->assert('invoice_edit', 1); # may edit all invoices
+ return 0 if !$::form->{id}; # creating new invoices isn't allowed without invoice_edit
+ return 1 if $::auth->assert('sales_invoice_view', 1); # viewing is allowed with this right
+ return 0 if !$::form->{globalproject_id}; # existing records without a project ID are not allowed
 return SL::DB::Project->new(id => $::form->{globalproject_id})->load->may_employee_view_project_invoices(SL::DB::Manager::Employee->current);
 }
diff --git a/bin/mozilla/oe.pl b/bin/mozilla/oe.pl
index 96764ebdf..610215b42 100644
--- a/bin/mozilla/oe.pl
+++ b/bin/mozilla/oe.pl
@@ -84,10 +84,18 @@ my $oe_access_map = {
 'sales_quotation' => 'sales_quotation_edit',
 };
+my $oe_view_access_map = {
+ 'sales_order' => 'sales_order_edit | sales_order_view',
+ 'purchase_order' => 'purchase_order_edit | purchase_order_view',
+ 'request_quotation' => 'request_quotation_edit | request_quotation_view',
+ 'sales_quotation' => 'sales_quotation_edit | sales_quotation_view',
+};
+
 sub check_oe_access {
+ my (%params) = @_;
 my $form = $main::form;
- my $right = $oe_access_map->{$form->{type}};
+ my $right = ($params{with_view}) ? $oe_view_access_map->{$form->{type}} : $oe_access_map->{$form->{type}};
 $right ||= 'DOES_NOT_EXIST';
 $main::auth->assert($right);
@@ -926,7 +934,7 @@ sub search {
 my %myconfig = %main::myconfig;
 my $locale = $main::locale;
- check_oe_access();
+ check_oe_access(with_view => 1);
 if ($form->{type} eq 'purchase_order') {
 $form->{vc} = 'vendor';
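Review bot: `$oe_view_access_map` restates every entry of `$oe_access_map` with a `| *_view` suffix, so the two tables drift apart as soon as a type is added to one of them; deriving the view map keeps them in lockstep: `my $oe_view_access_map = { map { $_ => "$oe_access_map->{$_} | " . ($oe_access_map->{$_} =~ s/_edit$/_view/r) } keys %$oe_access_map };`. The fail-closed path is preserved — an unknown `$form->{type}` still resolves to `DOES_NOT_EXIST` in both maps, which `assert` rejects. The new `with_view` parameter deserves a comment at the top of `check_oe_access`, e.g. `# with_view => 1: read-only entry points (search, orders) also accept the matching *_view right`, so that nobody passes it from an action that writes.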
@@ -1017,7 +1025,7 @@ sub orders {
 my $cgi = $::request->{cgi};
 my %params = @_;
- check_oe_access();
+ check_oe_access(with_view => 1);
 my $ordnumber = ($form->{type} =~ /_order$/) ? "ordnumber" : "quonumber";
diff --git a/locale/de/all b/locale/de/all
index e636d1630..bc215181c 100755
--- a/locale/de/all
+++ b/locale/de/all
@@ -4217,9 +4217,17 @@ $self->{texts} = {
 'Version actions' => 'Aktionen für Versionen',
 'Version number' => 'Versionsnummer',
 'Versions' => 'Versionen',
+ 'View RFQs' => 'Lieferantenanfragen ansehen',
 'View SEPA export' => 'SEPA-Export-Details ansehen',
 'View background job execution result' => 'Verlauf der Hintergrund-Job-Ausführungen anzeigen',
+ 'View purchase delivery orders' => 'Einkaufslieferscheine ansehen',
+ 'View purchase invoices' => 'Einkaufsrechungen ansehen',
+ 'View purchase orders' => 'Lieferantenaufträge ansehen',
 'View record links from Sales Order' => 'Verknüpfte Belege immer vom Verkaufsauftrag ansehen',
+ 'View sales delivery orders' => 'Verkaufslieferscheine ansehen',
+ 'View sales invoices and credit notes' => 'Rechnungen und Gutschriften ansehen',
+ 'View sales orders' => 'Auftragsbestätigungen ansehen',
+ 'View sales quotations' => 'Angebote ansehen',
 'View sent email' => 'Verschickte E-Mail anzeigen',
 'View warehouse content' => 'Lagerbestand ansehen',
 'View/edit all employees purchase documents' => 'Bearbeiten/ansehen der Einkaufsdokumente aller Mitarbeiter',
diff --git a/locale/en/all b/locale/en/all
index d935ef058..b33cba2fd 100644
--- a/locale/en/all
+++ b/locale/en/all
@@ -4216,9 +4216,17 @@ $self->{texts} = {
 'Version actions' => '',
 'Version number' => '',
 'Versions' => '',
+ 'View RFQs' => '',
 'View SEPA export' => '',
 'View background job execution result' => '',
+ 'View purchase delivery orders' => '',
+ 'View purchase invoices' => '',
+ 'View purchase orders' => '',
 'View record links from Sales Order' => '',
+ 'View sales delivery orders' => '',
+ 'View sales invoices and credit notes' => '',
+ 'View sales orders' => '',
+ 'View sales quotations' => '',
 'View sent email' => '',
 'View warehouse content' => '',
 'View/edit all employees purchase documents' => '',
diff --git a/menus/user/00-erp.yaml b/menus/user/00-erp.yaml
index 985b2cc2a..10d356b1b 100644
--- a/menus/user/00-erp.yaml
+++ b/menus/user/00-erp.yaml
@@ -275,7 +275,7 @@
 name: Quotations
 icon: report_quotations
 order: 200
- access: sales_quotation_edit
+ access: sales_quotation_edit | sales_quotation_view
 module: oe.pl
 params:
 action: search
@@ -285,7 +285,7 @@
 name: Sales Orders
 icon: report_sales_orders
 order: 300
- access: sales_order_edit
+ access: sales_order_edit | sales_order_view
 module: oe.pl
 params:
 action: search
@@ -295,7 +295,7 @@
 name: Delivery Orders
 icon: delivery_order_report
 order: 400
- access: sales_delivery_order_edit
+ access: sales_delivery_order_edit | sales_delivery_order_view
 module: do.pl
 params:
 action: search
@@ -446,7 +446,7 @@
 name: RFQs
 icon: rfq_report
 order: 100
- access: request_quotation_edit
+ access: request_quotation_edit | request_quotation_view
 module: oe.pl
 params:
 action: search
@@ -456,7 +456,7 @@
 name: Purchase Orders
 icon: purchase_order_report
 order: 200
- access: purchase_order_edit
+ access: purchase_order_edit | purchase_order_view
 module: oe.pl
 params:
 action: search
@@ -465,7 +465,7 @@
 id: ap_reports_delivery_orders
 name: Delivery Orders
 order: 300
- access: purchase_delivery_order_edit
+ access: purchase_delivery_order_edit | purchase_delivery_order_view
 module: do.pl
 params:
 action: search
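Review bot: The menu `access` expressions for the `module: do.pl` entries (the `-295` hunk here and the `-465`/`-474` hunks that follow) now admit `sales_delivery_order_view`/`purchase_delivery_order_view`, but the matching change to `do.pl`'s `search`/`orders` entry points is not in this view, whereas `oe.pl`'s `search` and `orders` are shown switching to `check_oe_access(with_view => 1)`. If `do.pl`'s report entry points still assert only the `_edit` rights, a view-only user gets a menu item that ends in a permission error. Worth confirming that `do.pl`'s `search` and `orders` call the view-aware `check_do_access()` rather than `check_do_access_for_edit()`.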
@@ -474,7 +474,7 @@
 id: ap_reports_supplier_delivery_orders
 name: Supplier Delivery Orders
 order: 350
- access: purchase_delivery_order_edit
+ access: purchase_delivery_order_edit | purchase_delivery_order_view
 module: do.pl
 params:
 action: search
diff --git a/sql/Pg-upgrade2-auth/rights_view_docs.sql b/sql/Pg-upgrade2-auth/rights_view_docs.sql
new file mode 100644
index 000000000..2591ada33
--- /dev/null
+++ b/sql/Pg-upgrade2-auth/rights_view_docs.sql
@@ -0,0 +1,80 @@
+-- @tag: rights_view_docs
+-- @description: Rechte zum Lesen von Belegen
+-- @depends: release_3_6_0
+-- @locales: View sales quotations
+-- @locales: View sales orders
+-- @locales: View sales delivery orders
+-- @locales: View sales invoices and credit notes
+-- @locales: View RFQs
+-- @locales: View purchase orders
+-- @locales: View purchase delivery orders
+-- @locales: View purchase invoices
+
+INSERT INTO auth.master_rights (position, name, description, category)
+ VALUES ((SELECT position + 10 FROM auth.master_rights WHERE name = 'sales_quotation_edit'),
+ 'sales_quotation_view',
+ 'View sales quotations',
+ FALSE);
+
+INSERT INTO auth.master_rights (position, name, description, category)
+ VALUES ((SELECT position + 10 FROM auth.master_rights WHERE name = 'sales_order_edit'),
+ 'sales_order_view',
+ 'View sales orders',
+ FALSE);
+
+INSERT INTO auth.master_rights (position, name, description, category)
+ VALUES ((SELECT position + 10 FROM auth.master_rights WHERE name = 'sales_delivery_order_edit'),
+ 'sales_delivery_order_view',
+ 'View sales delivery orders',
+ FALSE);
+
+INSERT INTO auth.master_rights (position, name, description, category)
+ VALUES ((SELECT position + 10 FROM auth.master_rights WHERE name = 'invoice_edit'),
+ 'sales_invoice_view',
+ 'View sales invoices and credit notes',
+ FALSE);
+
+INSERT INTO auth.master_rights (position, name, description, category)
+ VALUES ((SELECT position + 10 FROM auth.master_rights WHERE name = 'request_quotation_edit'),
+ 'request_quotation_view',
+ 'View RFQs',
+ FALSE);
+
+INSERT INTO auth.master_rights (position, name, description, category)
+ VALUES ((SELECT position + 10 FROM auth.master_rights WHERE name = 'purchase_order_edit'),
+ 'purchase_order_view',
+ 'View purchase orders',
+ FALSE);
+
+INSERT INTO auth.master_rights (position, name, description, category)
+ VALUES ((SELECT position + 10 FROM auth.master_rights WHERE name = 'purchase_delivery_order_edit'),
+ 'purchase_delivery_order_view',
+ 'View purchase delivery orders',
+ FALSE);
+
+INSERT INTO auth.master_rights (position, name, description, category)
+ VALUES ((SELECT position + 10 FROM auth.master_rights WHERE name = 'vendor_invoice_edit'),
+ 'purchase_invoice_view',
+ 'View purchase invoices',
+ FALSE);
+
+
+-- INSERT INTO auth.group_rights (group_id, "right", granted)
+-- SELECT (SELECT id FROM auth.group WHERE name = 'Vollzugriff'), 'sales_quotation_view', true UNION
+-- SELECT (SELECT id FROM auth.group WHERE name = 'Vollzugriff'), 'sales_order_view', true UNION
+-- SELECT (SELECT id FROM auth.group WHERE name = 'Vollzugriff'), 'sales_delivery_order_view', true UNION
+-- SELECT (SELECT id FROM auth.group WHERE name = 'Vollzugriff'), 'sales_invoice_view', true UNION
+-- SELECT (SELECT id FROM auth.group WHERE name = 'Vollzugriff'), 'request_quotation_view', true UNION
+-- SELECT (SELECT id FROM auth.group WHERE name = 'Vollzugriff'), 'purchase_order_view', true UNION
+-- SELECT (SELECT id FROM auth.group WHERE name = 'Vollzugriff'), 'purchase_delivery_order_view', true UNION
+-- SELECT (SELECT id FROM auth.group WHERE name = 'Vollzugriff'), 'purchase_invoice_view', true;
+
+INSERT INTO auth.group_rights (group_id, "right", granted)
+ SELECT id, 'sales_quotation_view', true FROM auth.group WHERE name = 'Vollzugriff' UNION
+ SELECT id, 'sales_order_view', true FROM auth.group WHERE name = 'Vollzugriff' UNION
+ SELECT id, 'sales_delivery_order_view', true FROM auth.group WHERE name = 'Vollzugriff' UNION
+ SELECT id, 'sales_invoice_view', true FROM auth.group WHERE name = 'Vollzugriff' UNION
+ SELECT id, 'request_quotation_view', true FROM auth.group WHERE name = 'Vollzugriff' UNION
+ SELECT id, 'purchase_order_view', true FROM auth.group WHERE name = 'Vollzugriff' UNION
+ SELECT id, 'purchase_delivery_order_view', true FROM auth.group WHERE name = 'Vollzugriff' UNION
+ SELECT id, 'purchase_invoice_view', true FROM auth.group WHERE name = 'Vollzugriff';
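Review bot: The commented-out `INSERT INTO auth.group_rights ... UNION` block before the live statement is dead code in a migration that ships and runs exactly once; drop it and keep only the `SELECT id, ... FROM auth.group WHERE name = 'Vollzugriff'` form. Each `position + 10` subquery yields NULL when the referenced `*_edit` right is missing, and nothing prevents the computed position from colliding with an existing row; whether that aborts the migration or silently reorders the rights list depends on the constraints on `auth.master_rights.position`, which I cannot see from here. Granting all eight rights to `Vollzugriff` only is a sensible fail-closed default, since no other group gains read access until an administrator opts in; stating that in the header, e.g. `-- granted only to 'Vollzugriff'; other groups receive the *_view rights explicitly via the admin UI`, would save the next reader from wondering whether a grant was forgotten.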