From c772d61b852c8b3ef172b08284a862a77d28f5d6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bernd=20Ble=C3=9Fmann?=
Date: Mon, 28 Dec 2020 16:32:23 +0100
Subject: [PATCH] =?utf8?q?Zeiterfassung:=20Recht=20f.=20Bearbeitung=20alle?= =?utf8?q?r=20Eintr=C3=A4ge=20ber=C3=BCcksichtigen?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
---
 SL/Controller/TimeRecording.pm | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/SL/Controller/TimeRecording.pm b/SL/Controller/TimeRecording.pm
index 28cd68bfd..5c153c716 100644
--- a/SL/Controller/TimeRecording.pm
+++ b/SL/Controller/TimeRecording.pm
@@ -18,12 +18,13 @@ use SL::ReportGenerator;
 use Rose::Object::MakeMethods::Generic
 (
 # scalar => [ qw() ],
- 'scalar --get_set_init' => [ qw(time_recording models all_time_recording_types all_employees can_view_all) ],
+ 'scalar --get_set_init' => [ qw(time_recording models all_time_recording_types all_employees can_view_all can_edit_all) ],
 );
 # safety
 __PACKAGE__->run_before('check_auth');
+__PACKAGE__->run_before('check_auth_edit', only => [ qw(edit save delete) ]);
 #
 # actions
@@ -132,6 +133,10 @@ sub init_can_view_all {
 $::auth->assert('time_recording_show_all', 1) || $::auth->assert('time_recording_edit_all', 1)
 }
+sub init_can_edit_all {
+ $::auth->assert('time_recording_edit_all', 1)
+}
+
 sub init_models {
 my ($self) = @_;
@@ -159,6 +164,14 @@ sub check_auth {
 $::auth->assert('time_recording');
 }
+sub check_auth_edit {
+ my ($self) = @_;
+
+ if (!$self->can_edit_all && ($self->time_recording->staff_member_id != SL::DB::Manager::Employee->current->id)) {
+ $::form->error(t8('You do not have permission to access this entry.'));
+ }
+}
+
 sub prepare_report {
 my ($self) = @_;
--
2.20.1
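Review bot: The `only => [ qw(edit save delete) ]` list on the new `run_before('check_auth_edit', ...)` line is an allow-list of protected actions, so any other action that changes or removes a single entry is left with only the general `check_auth`. The action definitions are outside this hunk, so whether such an action exists cannot be confirmed from here. I would add a comment above the line, `# check_auth_edit must cover every action that modifies an existing entry; extend the list when adding one.`, so the list is maintained together with the actions.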
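Review bot: `init_can_edit_all` relies on an implicit return value and on the meaning of the second argument to `$::auth->assert`, and neither is documented. Judging from `check_auth`, which calls `assert` without that argument as a hard check, the `1` presumably makes the call return a boolean instead of aborting the request. A one-line comment such as `# non-aborting check: true if the user may edit entries of other employees`, together with an explicit `return ...;`, would make that visible to the next reader of this permission code.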
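Review bot: The ownership test in `check_auth_edit` reads `$self->time_recording->staff_member_id`, and the hunk does not show whether that object still holds the stored owner when the hook runs. `init_time_recording` is outside the hunk; if it applies submitted form attributes before this check, the comparison for `save` would be made against a client-supplied `staff_member_id` rather than the owner in the database, and even a correct check on the stored row does not stop `save` from assigning the entry to another employee. I would compare against the owner of the row loaded by id and, for users without `can_edit_all`, reject a submitted `staff_member_id` that differs from the current employee. The numeric `!=` also warns when `staff_member_id` is undef (presumably a new entry), and `SL::DB::Manager::Employee->current` is dereferenced without a definedness check.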