From b638b6a13dea5935637b3c38b1a3252053fa1a46 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bernd=20Ble=C3=9Fmann?= <bernd@kivitendo-premium.de>
Date: Fri, 11 Oct 2019 13:59:54 +0200
Subject: [PATCH] Recht zum Einsehen von Einkaufsdokumenten aller Mitarbeiter
 anwenden

Trennung VK/EK in Berichten
---
 SL/AP.pm                                     | 14 +++++++++++---
 SL/Controller/CustomerVendor.pm              |  3 ++-
 SL/Controller/DeliveryPlan.pm                |  2 +-
 SL/DO.pm                                     |  2 +-
 SL/OE.pm                                     |  2 +-
 templates/webpages/customer_vendor/form.html |  5 +++--
 6 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/SL/AP.pm b/SL/AP.pm
index 96e0c70a4..1aa6a18ff 100644
--- a/SL/AP.pm
+++ b/SL/AP.pm
@@ -478,7 +478,8 @@ sub ap_transactions {
   # Permissions:
   # - Always return invoices & AP transactions for projects the employee has "view invoices" permissions for, no matter what the other rules say.
   # - Exclude AP transactions if no permissions for them exist.
-  # - Filter by employee if requested.
+  # - Limit to own invoices unless may edit all invoices.
+  # - If may edit all, allow filtering by employee.
   my (@permission_where, @permission_values);
 
   if ($::auth->assert('vendor_invoice_edit', 1)) {
@@ -486,9 +487,16 @@ sub ap_transactions {
       push @permission_where, "NOT invoice = 'f'"; # remove ap transactions from Purchase -> Reports -> Invoices
     }
 
-    if ($form->{employee_id}) {
+    if (!$::auth->assert('purchase_all_edit', 1)) {
+      # only show own invoices
       push @permission_where,  "a.employee_id = ?";
-      push @permission_values, conv_i($form->{employee_id});
+      push @permission_values, SL::DB::Manager::Employee->current->id;
+
+    } else {
+      if ($form->{employee_id}) {
+        push @permission_where,  "a.employee_id = ?";
+        push @permission_values, conv_i($form->{employee_id});
+      }
     }
   }
 
diff --git a/SL/Controller/CustomerVendor.pm b/SL/Controller/CustomerVendor.pm
index 63b822eec..03aed6a3b 100644
--- a/SL/Controller/CustomerVendor.pm
+++ b/SL/Controller/CustomerVendor.pm
@@ -479,7 +479,8 @@ sub action_search_contact {
 sub action_get_delivery {
   my ($self) = @_;
 
-  $::auth->assert('sales_all_edit');
+  $::auth->assert('sales_all_edit')    if $self->is_customer();
+  $::auth->assert('purchase_all_edit') if $self->is_vendor();
 
   my $dbh = $::form->get_standard_dbh();
 
diff --git a/SL/Controller/DeliveryPlan.pm b/SL/Controller/DeliveryPlan.pm
index f8d5d03c4..4a458638a 100644
--- a/SL/Controller/DeliveryPlan.pm
+++ b/SL/Controller/DeliveryPlan.pm
@@ -338,7 +338,7 @@ sub init_models {
 }
 
 sub init_all_edit_right {
-  $::auth->assert('sales_all_edit', 1)
+  return $_[0]->vc eq 'customer' ? $::auth->assert('sales_all_edit', 1) : $::auth->assert('purchase_all_edit', 1);
 }
 sub init_vc {
   return $::form->{vc} if ($::form->{vc} eq 'customer' || $::form->{vc} eq 'vendor') || croak "self (DeliveryPlan) has no vc defined";
diff --git a/SL/DO.pm b/SL/DO.pm
index 54df47ca7..ecaee496d 100644
--- a/SL/DO.pm
+++ b/SL/DO.pm
@@ -129,7 +129,7 @@ sub transactions {
     push @where, "dord.$item = ?";
     push @values, conv_i($form->{$item});
   }
-  if (!$main::auth->assert('sales_all_edit', 1)) {
+  if ( !(($vc eq 'customer' && $main::auth->assert('sales_all_edit', 1)) || ($vc eq 'vendor' && $main::auth->assert('purchase_all_edit', 1))) ) {
     push @where, qq|dord.employee_id = (select id from employee where login= ?)|;
     push @values, $::myconfig{login};
   }
diff --git a/SL/OE.pm b/SL/OE.pm
index 49681bd8e..1887d94f9 100644
--- a/SL/OE.pm
+++ b/SL/OE.pm
@@ -183,7 +183,7 @@ SQL
     push(@values, (like($form->{"cp_name"}))x2);
   }
 
-  if (!$main::auth->assert('sales_all_edit', 1)) {
+  if ( !(($vc eq 'customer' && $main::auth->assert('sales_all_edit', 1)) || ($vc eq 'vendor' && $main::auth->assert('purchase_all_edit', 1))) ) {
     $query .= " AND o.employee_id = (select id from employee where login= ?)";
     push @values, $::myconfig{login};
   }
diff --git a/templates/webpages/customer_vendor/form.html b/templates/webpages/customer_vendor/form.html
index 3b461e837..8b4d1c0b3 100644
--- a/templates/webpages/customer_vendor/form.html
+++ b/templates/webpages/customer_vendor/form.html
@@ -16,13 +16,14 @@
 
   [%- INCLUDE 'common/flash.html' %]
 
+  [%- SET show_deliveries = ( SELF.cv.id && ((SELF.is_customer && AUTH.assert('sales_all_edit', 1)) || (SELF.is_vendor && AUTH.assert('purchase_all_edit', 1))) ) -%]
   <div class="tabwidget" id="customer_vendor_tabs">
     <ul>
       <li><a href="#billing">[% 'Billing Address' | $T8 %]</a></li>
       <li><a href="#bank">[% 'Bank account' | $T8 %]</a></li>
       <li><a href="#shipto">[% 'Shipping Address' | $T8 %]</a></li>
       <li><a href="#contacts">[% 'Contacts' | $T8 %]</a></li>
-      [% IF ( SELF.cv.id && AUTH.assert('sales_all_edit', 1) ) %]
+      [% IF show_deliveries %]
         <li><a href="#deliveries">[% 'Supplies' | $T8 %]</a></li>
 [%- IF INSTANCE_CONF.get_doc_storage %]
       <li><a href="controller.pl?action=File/list&file_type=attachment&object_type=[% FORM.db == 'vendor' ? 'vendor' : 'customer' %]&object_id=[% SELF.cv.id %]">[% 'Attachments' | $T8 %]</a></li>
@@ -60,7 +61,7 @@
     [% PROCESS "customer_vendor/tabs/bank.html" %]
     [% PROCESS "customer_vendor/tabs/shipto.html" %]
     [% PROCESS "customer_vendor/tabs/contacts.html" %]
-    [% IF ( SELF.cv.id && AUTH.assert('sales_all_edit', 1) ) %]
+    [% IF show_deliveries %]
       [% PROCESS "customer_vendor/tabs/deliveries.html" %]
     [% END %]
     [% PROCESS "customer_vendor/tabs/vcnotes.html" %]
-- 
2.20.1