From c772d61b852c8b3ef172b08284a862a77d28f5d6 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bernd=20Ble=C3=9Fmann?= <bernd@kivitendo-premium.de>
Date: Mon, 28 Dec 2020 16:32:23 +0100
Subject: [PATCH] =?utf8?q?Zeiterfassung:=20Recht=20f.=20Bearbeitung=20alle?=
 =?utf8?q?r=20Eintr=C3=A4ge=20ber=C3=BCcksichtigen?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 SL/Controller/TimeRecording.pm | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/SL/Controller/TimeRecording.pm b/SL/Controller/TimeRecording.pm
index 28cd68bfd..5c153c716 100644
--- a/SL/Controller/TimeRecording.pm
+++ b/SL/Controller/TimeRecording.pm
@@ -18,12 +18,13 @@ use SL::ReportGenerator;
 use Rose::Object::MakeMethods::Generic
 (
 # scalar                  => [ qw() ],
- 'scalar --get_set_init' => [ qw(time_recording models all_time_recording_types all_employees can_view_all) ],
+ 'scalar --get_set_init' => [ qw(time_recording models all_time_recording_types all_employees can_view_all can_edit_all) ],
 );
 
 
 # safety
 __PACKAGE__->run_before('check_auth');
+__PACKAGE__->run_before('check_auth_edit', only => [ qw(edit save delete) ]);
 
 #
 # actions
@@ -132,6 +133,10 @@ sub init_can_view_all {
   $::auth->assert('time_recording_show_all', 1) || $::auth->assert('time_recording_edit_all', 1)
 }
 
+sub init_can_edit_all {
+  $::auth->assert('time_recording_edit_all', 1)
+}
+
 sub init_models {
   my ($self) = @_;
 
@@ -159,6 +164,14 @@ sub check_auth {
   $::auth->assert('time_recording');
 }
 
+sub check_auth_edit {
+  my ($self) = @_;
+
+  if (!$self->can_edit_all && ($self->time_recording->staff_member_id != SL::DB::Manager::Employee->current->id)) {
+    $::form->error(t8('You do not have permission to access this entry.'));
+  }
+}
+
 sub prepare_report {
   my ($self) = @_;
 
-- 
2.20.1