From 3ad96f211f51589c061900f0dfad4cd1daedd2f6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bernd=20Ble=C3=9Fmann?= <bernd@kivitendo-premium.de>
Date: Wed, 2 Mar 2022 16:17:54 +0100
Subject: [PATCH] =?utf8?q?Recht:=20Ansehen=20von=20Belegen=20bei=20Angebot?=
 =?utf8?q?=20und=20Auftrag=20ber=C3=BCcksichtigen?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Ansehen nur im neuen Auftrags-Controller
---
 SL/Controller/Order.pm                        | 26 +++++++++++++++++++
 SL/Controller/TopQuickSearch/PurchaseOrder.pm |  2 +-
 .../TopQuickSearch/RequestForQuotation.pm     |  2 +-
 SL/Controller/TopQuickSearch/SalesOrder.pm    |  2 +-
 .../TopQuickSearch/SalesQuotation.pm          |  2 +-
 bin/mozilla/oe.pl                             | 14 +++++++---
 menus/user/00-erp.yaml                        |  8 +++---
 7 files changed, 45 insertions(+), 11 deletions(-)

diff --git a/SL/Controller/Order.pm b/SL/Controller/Order.pm
index 6571eecf8..87a9e9cf4 100644
--- a/SL/Controller/Order.pm
+++ b/SL/Controller/Order.pm
@@ -56,6 +56,9 @@ use Rose::Object::MakeMethods::Generic
 # safety
 __PACKAGE__->run_before('check_auth');
 
+__PACKAGE__->run_before('check_auth_save',
+                        except => [ qw(edit show_customer_vendor_details_dialog price_popup load_second_rows) ]);
+
 __PACKAGE__->run_before('recalc',
                         only => [ qw(save save_as_new save_and_delivery_order save_and_invoice save_and_invoice_for_advance_payment save_and_final_invoice save_and_ap_transaction
                                      print send_email) ]);
@@ -1370,6 +1373,17 @@ sub init_part_picker_classification_ids {
 sub check_auth {
   my ($self) = @_;
 
+  my $right_for = { map { $_ => $_.'_edit' . ' | ' . $_.'_view' } @{$self->valid_types} };
+
+  my $right   = $right_for->{ $self->type };
+  $right    ||= 'DOES_NOT_EXIST';
+
+  $::auth->assert($right);
+}
+
+sub check_auth_save {
+  my ($self) = @_;
+
   my $right_for = { map { $_ => $_.'_edit' } @{$self->valid_types} };
 
   my $right   = $right_for->{ $self->type };
@@ -2018,6 +2032,11 @@ sub setup_edit_action_bar {
     $has_final_invoice               = any {'SL::DB::Invoice' eq ref $_ && "final_invoice" eq $_->type} @$lr;
   }
 
+  my $right_for = { map { $_ => $_.'_edit' } @{$self->valid_types} };
+  my $right     = $right_for->{ $self->type };
+  $right      ||= 'DOES_NOT_EXIST';
+
+  if ($::auth->assert($right, 1)) {
   for my $bar ($::request->layout->get('actionbar')) {
     $bar->add(
       combobox => [
@@ -2164,6 +2183,12 @@ sub setup_edit_action_bar {
         only_if  => $deletion_allowed,
       ],
 
+    );
+  }
+  }
+
+  for my $bar ($::request->layout->get('actionbar')) {
+    $bar->add(
       combobox => [
         action => [
           t8('more')
@@ -2182,6 +2207,7 @@ sub setup_edit_action_bar {
       ], # end of combobox "more"
     );
   }
+
 }
 
 sub generate_doc {
diff --git a/SL/Controller/TopQuickSearch/PurchaseOrder.pm b/SL/Controller/TopQuickSearch/PurchaseOrder.pm
index 4013c8a9e..f64fb8366 100644
--- a/SL/Controller/TopQuickSearch/PurchaseOrder.pm
+++ b/SL/Controller/TopQuickSearch/PurchaseOrder.pm
@@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord);
 
 use SL::Locale::String qw(t8);
 
-sub auth { 'purchase_order_edit' }
+sub auth { 'purchase_order_edit | purchase_order_view' }
 
 sub name { 'purchase_order' }
 
diff --git a/SL/Controller/TopQuickSearch/RequestForQuotation.pm b/SL/Controller/TopQuickSearch/RequestForQuotation.pm
index 3b2adefd3..d9571008c 100644
--- a/SL/Controller/TopQuickSearch/RequestForQuotation.pm
+++ b/SL/Controller/TopQuickSearch/RequestForQuotation.pm
@@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord);
 
 use SL::Locale::String qw(t8);
 
-sub auth { 'request_quotation_edit' }
+sub auth { 'request_quotation_edit | request_quotation_view' }
 
 sub name { 'request_quotation' }
 
diff --git a/SL/Controller/TopQuickSearch/SalesOrder.pm b/SL/Controller/TopQuickSearch/SalesOrder.pm
index 1f5296ea2..8f91e6e08 100644
--- a/SL/Controller/TopQuickSearch/SalesOrder.pm
+++ b/SL/Controller/TopQuickSearch/SalesOrder.pm
@@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord);
 
 use SL::Locale::String qw(t8);
 
-sub auth { 'sales_order_edit' }
+sub auth { 'sales_order_edit | sales_order_view' }
 
 sub name { 'sales_order' }
 
diff --git a/SL/Controller/TopQuickSearch/SalesQuotation.pm b/SL/Controller/TopQuickSearch/SalesQuotation.pm
index 28ec9fd17..f7a6b777a 100644
--- a/SL/Controller/TopQuickSearch/SalesQuotation.pm
+++ b/SL/Controller/TopQuickSearch/SalesQuotation.pm
@@ -5,7 +5,7 @@ use parent qw(SL::Controller::TopQuickSearch::OERecord);
 
 use SL::Locale::String qw(t8);
 
-sub auth { 'sales_quotation_edit' }
+sub auth { 'sales_quotation_edit | sales_quotation_view' }
 
 sub name { 'sales_quotation' }
 
diff --git a/bin/mozilla/oe.pl b/bin/mozilla/oe.pl
index 96764ebdf..610215b42 100644
--- a/bin/mozilla/oe.pl
+++ b/bin/mozilla/oe.pl
@@ -84,10 +84,18 @@ my $oe_access_map = {
   'sales_quotation'   => 'sales_quotation_edit',
 };
 
+my $oe_view_access_map = {
+  'sales_order'       => 'sales_order_edit       | sales_order_view',
+  'purchase_order'    => 'purchase_order_edit    | purchase_order_view',
+  'request_quotation' => 'request_quotation_edit | request_quotation_view',
+  'sales_quotation'   => 'sales_quotation_edit   | sales_quotation_view',
+};
+
 sub check_oe_access {
+  my (%params) = @_;
   my $form     = $main::form;
 
-  my $right   = $oe_access_map->{$form->{type}};
+  my $right   = ($params{with_view}) ? $oe_view_access_map->{$form->{type}} : $oe_access_map->{$form->{type}};
   $right    ||= 'DOES_NOT_EXIST';
 
   $main::auth->assert($right);
@@ -926,7 +934,7 @@ sub search {
   my %myconfig = %main::myconfig;
   my $locale   = $main::locale;
 
-  check_oe_access();
+  check_oe_access(with_view => 1);
 
   if ($form->{type} eq 'purchase_order') {
     $form->{vc}        = 'vendor';
@@ -1017,7 +1025,7 @@ sub orders {
   my $cgi      = $::request->{cgi};
 
   my %params   = @_;
-  check_oe_access();
+  check_oe_access(with_view => 1);
 
   my $ordnumber = ($form->{type} =~ /_order$/) ? "ordnumber" : "quonumber";
 
diff --git a/menus/user/00-erp.yaml b/menus/user/00-erp.yaml
index 985b2cc2a..ecaaa3185 100644
--- a/menus/user/00-erp.yaml
+++ b/menus/user/00-erp.yaml
@@ -275,7 +275,7 @@
   name: Quotations
   icon: report_quotations
   order: 200
-  access: sales_quotation_edit
+  access: sales_quotation_edit | sales_quotation_view
   module: oe.pl
   params:
     action: search
@@ -285,7 +285,7 @@
   name: Sales Orders
   icon: report_sales_orders
   order: 300
-  access: sales_order_edit
+  access: sales_order_edit | sales_order_view
   module: oe.pl
   params:
     action: search
@@ -446,7 +446,7 @@
   name: RFQs
   icon: rfq_report
   order: 100
-  access: request_quotation_edit
+  access: request_quotation_edit | request_quotation_view
   module: oe.pl
   params:
     action: search
@@ -456,7 +456,7 @@
   name: Purchase Orders
   icon: purchase_order_report
   order: 200
-  access: purchase_order_edit
+  access: purchase_order_edit | purchase_order_view
   module: oe.pl
   params:
     action: search
-- 
2.20.1