From d53d7a0a5ddc16d962ae32326ad4a8f8bf871978 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bernd=20Ble=C3=9Fmann?=
Date: Mon, 7 Mar 2022 11:02:53 +0100
Subject: [PATCH] =?utf8?q?Recht:=20Ansehen=20von=20Einkaufsrechnungen=20be?=
 =?utf8?q?r=C3=BCcksichtigen?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 SL/AP.pm | 10 +++++-----
 bin/mozilla/ir.pl | 7 ++++---
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/SL/AP.pm b/SL/AP.pm
index a77906c96..c2b5e6440 100644
--- a/SL/AP.pm
+++ b/SL/AP.pm
@@ -487,16 +487,16 @@ sub ap_transactions {
 # Permissions:
 # - Always return invoices & AP transactions for projects the employee has "view invoices" permissions for, no matter what the other rules say.
 # - Exclude AP transactions if no permissions for them exist.
- # - Limit to own invoices unless may edit all invoices.
- # - If may edit all, allow filtering by employee.
+ # - Limit to own invoices unless may edit all invoices or view invoices is allowed.
+ # - If may edit all or view invoices is allowed, allow filtering by employee.
 my (@permission_where, @permission_values);
- if ($::auth->assert('vendor_invoice_edit', 1)) {
+ if ($::auth->assert('vendor_invoice_edit', 1) || $::auth->assert('purchase_invoice_view', 1)) {
 if (!$::auth->assert('show_ap_transactions', 1)) {
 push @permission_where, "NOT invoice = 'f'"; # remove ap transactions from Purchase -> Reports -> Invoices
 }
- if (!$::auth->assert('purchase_all_edit', 1)) {
+ if (!$::auth->assert('purchase_all_edit', 1) && !$::auth->assert('purchase_invoice_view', 1)) {
 # only show own invoices
 push @permission_where, "a.employee_id = ?";
 push @permission_values, SL::DB::Manager::Employee->current->id;
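Review bot: The `purchase_invoice_view` right is now tested three times inside `ap_transactions` (twice in this hunk, once more in the hunk at -509), next to repeated calls for `vendor_invoice_edit` and `purchase_all_edit`, so the access policy is spread over three conditions that have to be kept in sync by hand. Hoisting the two decisions into lexicals at the top of the permission block, `my $may_list_invoices = $::auth->assert('vendor_invoice_edit', 1) || $::auth->assert('purchase_invoice_view', 1);` and `my $may_see_all_employees = $::auth->assert('purchase_all_edit', 1) || $::auth->assert('purchase_invoice_view', 1);`, lets the three conditions become plain tests on those flags (`if ($may_list_invoices)`, `if (!$may_see_all_employees)`, and at -509 `if (@permission_where || !$may_list_invoices)`). Note that the view right alone now lifts the own-invoices restriction while `vendor_invoice_edit` without `purchase_all_edit` does not, so a view-only user is shown other employees' invoices that an edit-only user is not; the updated comment states this, but it is worth confirming against the intended rights model. The `else` branch that handles employee filtering lies outside the hunk.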
@@ -509,7 +509,7 @@ sub ap_transactions {
 }
 }
- if (@permission_where || !$::auth->assert('vendor_invoice_edit', 1)) {
+ if (@permission_where || (!$::auth->assert('vendor_invoice_edit', 1) && !$::auth->assert('purchase_invoice_view', 1))) {
 my $permission_where_str = @permission_where ? "OR (" . join(" AND ", map { "($_)" } @permission_where) . ")" : "";
 $where .= qq|
 AND (
 (a.globalproject_id IN (
diff --git a/bin/mozilla/ir.pl b/bin/mozilla/ir.pl
index cca6d12f1..1b9a782ad 100644
--- a/bin/mozilla/ir.pl
+++ b/bin/mozilla/ir.pl
@@ -56,9 +56,10 @@ use strict;
 # end of main
 sub _may_view_or_edit_this_invoice {
- return 1 if $::auth->assert('ap_transactions', 1); # may edit all invoices
- return 0 if !$::form->{id}; # creating new invoices isn't allowed without invoice_edit
- return 0 if !$::form->{globalproject_id}; # existing records without a project ID are not allowed
+ return 1 if $::auth->assert('ap_transactions', 1); # may edit all invoices
+ return 0 if !$::form->{id}; # creating new invoices isn't allowed without invoice_edit
+ return 1 if $::auth->assert('purchase_invoice_view', 1); # viewing is allowed with this right
+ return 0 if !$::form->{globalproject_id}; # existing records without a project ID are not allowed
 return SL::DB::Project->new(id => $::form->{globalproject_id})->load->may_employee_view_project_invoices(SL::DB::Manager::Employee->current);
 }
-- 
2.20.1
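Review bot: The new `return 1 if $::auth->assert('purchase_invoice_view', 1);` short-circuits a helper whose name covers both viewing and editing, so any caller that uses `_may_view_or_edit_this_invoice` to gate a modifying action on an existing record (save, post, delete) would now accept a view-only right as well; the callers are outside the hunk, so please verify that the view-only case is forced read-only elsewhere, or split the helper into a view check and an edit check. The early return also bypasses the per-project `may_employee_view_project_invoices` restriction on the last line, so a holder of the view right can open every existing purchase invoice regardless of project assignment; if that is the intended scope, the trailing comment should say so, e.g. `# viewing is allowed with this right (any existing invoice, no project restriction)`. Placing it after `return 0 if !$::form->{id};` is the right order, since creation stays blocked.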