From b638b6a13dea5935637b3c38b1a3252053fa1a46 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bernd=20Ble=C3=9Fmann?=
Date: Fri, 11 Oct 2019 13:59:54 +0200
Subject: [PATCH] Recht zum Einsehen von Einkaufsdokumenten aller Mitarbeiter anwenden Trennung VK/EK in Berichten
---
 SL/AP.pm | 14 +++++++++++---
 SL/Controller/CustomerVendor.pm | 3 ++-
 SL/Controller/DeliveryPlan.pm | 2 +-
 SL/DO.pm | 2 +-
 SL/OE.pm | 2 +-
 templates/webpages/customer_vendor/form.html | 5 +++--
 6 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/SL/AP.pm b/SL/AP.pm
index 96e0c70a4..1aa6a18ff 100644
--- a/SL/AP.pm
+++ b/SL/AP.pm
@@ -478,7 +478,8 @@ sub ap_transactions {
 # Permissions:
 # - Always return invoices & AP transactions for projects the employee has "view invoices" permissions for, no matter what the other rules say.
 # - Exclude AP transactions if no permissions for them exist.
- # - Filter by employee if requested.
+ # - Limit to own invoices unless may edit all invoices.
+ # - If may edit all, allow filtering by employee.
 my (@permission_where, @permission_values);
 if ($::auth->assert('vendor_invoice_edit', 1)) {
@@ -486,9 +487,16 @@ sub ap_transactions {
 push @permission_where, "NOT invoice = 'f'"; # remove ap transactions from Purchase -> Reports -> Invoices
 }
- if ($form->{employee_id}) {
+ if (!$::auth->assert('purchase_all_edit', 1)) {
+ # only show own invoices
 push @permission_where, "a.employee_id = ?";
- push @permission_values, conv_i($form->{employee_id});
+ push @permission_values, SL::DB::Manager::Employee->current->id;
+
+ } else {
+ if ($form->{employee_id}) {
+ push @permission_where, "a.employee_id = ?";
+ push @permission_values, conv_i($form->{employee_id});
+ }
 }
 }
diff --git a/SL/Controller/CustomerVendor.pm b/SL/Controller/CustomerVendor.pm
index 63b822eec..03aed6a3b 100644
--- a/SL/Controller/CustomerVendor.pm
+++ b/SL/Controller/CustomerVendor.pm
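Review bot: The own-invoices restriction added here only runs when an enclosing block is entered: the two trailing ` }` context lines close not just the new `else` but a block opened before the hunk, which from the last context line of the previous hunk appears to be `if ($::auth->assert('vendor_invoice_edit', 1))`, so an employee without `vendor_invoice_edit` is not filtered by `a.employee_id` in this code at all, while the new comment in the previous hunk reads as if the limit were unconditional. Whether such a user is denied elsewhere in `ap_transactions` (the function begins and ends outside this hunk) should be confirmed, and if so the comment should say `# - Limit to own invoices unless may edit all invoices (for users holding vendor_invoice_edit).` Unlike the sibling hunks in DO.pm and OE.pm, which resolve the employee via `(select id from employee where login= ?)` and simply match nothing when the login has no employee row, `SL::DB::Manager::Employee->current->id` dies with an undefined-value error if `current` can return undef, so the three reports fail differently in the same situation. Style: the `} else { if ($form->{employee_id}) { … } }` nesting is an `elsif` in disguise — `} elsif ($form->{employee_id}) {` removes a level of indentation.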
@@ -479,7 +479,8 @@ sub action_search_contact {
 sub action_get_delivery {
 my ($self) = @_;
- $::auth->assert('sales_all_edit');
+ $::auth->assert('sales_all_edit') if $self->is_customer();
+ $::auth->assert('purchase_all_edit') if $self->is_vendor();
 my $dbh = $::form->get_standard_dbh();
diff --git a/SL/Controller/DeliveryPlan.pm b/SL/Controller/DeliveryPlan.pm
index f8d5d03c4..4a458638a 100644
--- a/SL/Controller/DeliveryPlan.pm
+++ b/SL/Controller/DeliveryPlan.pm
@@ -338,7 +338,7 @@ sub init_models {
 }
 sub init_all_edit_right {
- $::auth->assert('sales_all_edit', 1)
+ return $_[0]->vc eq 'customer' ? $::auth->assert('sales_all_edit', 1) : $::auth->assert('purchase_all_edit', 1);
 }
 sub init_vc {
 return $::form->{vc} if ($::form->{vc} eq 'customer' || $::form->{vc} eq 'vendor') || croak "self (DeliveryPlan) has no vc defined";
diff --git a/SL/DO.pm b/SL/DO.pm
index 54df47ca7..ecaee496d 100644
--- a/SL/DO.pm
+++ b/SL/DO.pm
@@ -129,7 +129,7 @@ sub transactions {
 push @where, "dord.$item = ?";
 push @values, conv_i($form->{$item});
 }
- if (!$main::auth->assert('sales_all_edit', 1)) {
+ if ( !(($vc eq 'customer' && $main::auth->assert('sales_all_edit', 1)) || ($vc eq 'vendor' && $main::auth->assert('purchase_all_edit', 1))) ) {
 push @where, qq|dord.employee_id = (select id from employee where login= ?)|;
 push @values, $::myconfig{login};
 }
diff --git a/SL/OE.pm b/SL/OE.pm
index 49681bd8e..1887d94f9 100644
--- a/SL/OE.pm
+++ b/SL/OE.pm
@@ -183,7 +183,7 @@ SQL
 push(@values, (like($form->{"cp_name"}))x2);
 }
- if (!$main::auth->assert('sales_all_edit', 1)) {
+ if ( !(($vc eq 'customer' && $main::auth->assert('sales_all_edit', 1)) || ($vc eq 'vendor' && $main::auth->assert('purchase_all_edit', 1))) ) {
 $query .= " AND o.employee_id = (select id from employee where login= ?)";
 push @values, $::myconfig{login};
 }
diff --git a/templates/webpages/customer_vendor/form.html b/templates/webpages/customer_vendor/form.html
index 3b461e837..8b4d1c0b3 100644
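Review bot: The right check in `action_get_delivery` now fails open when neither predicate holds: the removed unconditional `$::auth->assert('sales_all_edit')` died for anyone without the right, whereas the two new postfix-conditional asserts both fall through silently when `$self->is_customer()` and `$self->is_vendor()` are both false (how those are derived is outside this hunk; if they depend on a request parameter, an unexpected value reaches the query below with no permission check at all). Reject the remaining case explicitly, e.g. `die 'invalid customer/vendor type' unless $self->is_customer() || $self->is_vendor();` before the asserts, or restructure as an `if/elsif/else` whose `else` dies. The body of `action_get_delivery` continues past the end of the hunk.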
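Review bot: `init_all_edit_right` treats every `vc` value other than `'customer'` as a vendor and checks `purchase_all_edit`; that is only safe because `init_vc` directly below croaks on anything except `'customer'`/`'vendor'`, so the two initialisers are coupled without saying so — a comment such as `# vc is validated by init_vc, so anything not 'customer' is 'vendor'` would make that explicit. Style: `$_[0]->vc` is the only place in this patch that indexes `@_` directly; `my ($self) = @_;` followed by `return $self->vc eq 'customer' ? … : …;` matches `action_get_delivery` in the CustomerVendor hunk.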
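Review bot: The new condition in `transactions` is a 150-character boolean whose intent — pick the all-edit right matching the document type — reads more clearly as two lines: `my $all_edit_right = $vc eq 'customer' ? 'sales_all_edit' : 'purchase_all_edit';` and `if (!$main::auth->assert($all_edit_right, 1)) {`. That rewrite is equivalent only if `$vc` is already normalised to `'customer'` or `'vendor'` earlier in `transactions` (the function starts before this hunk); as written, any other value makes both disjuncts false and forces the own-records filter, which fails closed, so if `$vc` can carry an unvalidated value the current form is the safer one and deserves a comment saying so. The function body continues outside the hunk.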
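Review bot: This condition duplicates, character for character, the one added to `SL/DO.pm` in the same patch, which is the kind of permission expression that drifts when one copy is later fixed and the other is not; at minimum split it into `my $all_edit_right = $vc eq 'customer' ? 'sales_all_edit' : 'purchase_all_edit';` and `if (!$main::auth->assert($all_edit_right, 1)) {` in both places, and consider a single shared helper for the lookup. That split assumes `$vc` is normalised to one of the two values before this point (not visible in the hunk); if it is not, the present form's fail-closed behaviour for other values should be kept and documented with a short comment. The enclosing function starts and ends outside the hunk.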
--- a/templates/webpages/customer_vendor/form.html
+++ b/templates/webpages/customer_vendor/form.html
@@ -16,13 +16,14 @@
 [%- INCLUDE 'common/flash.html' %]
+ [%- SET show_deliveries = ( SELF.cv.id && ((SELF.is_customer && AUTH.assert('sales_all_edit', 1)) || (SELF.is_vendor && AUTH.assert('purchase_all_edit', 1))) ) -%]