Recht: Ansehen von Verkaufsrechnungen berücksichtigen

author Bernd Bleßmann <bernd@kivitendo-premium.de>

Mon, 7 Mar 2022 09:40:31 +0000 (10:40 +0100)

committer Bernd Bleßmann <bernd@kivitendo-premium.de>

Tue, 8 Mar 2022 16:44:27 +0000 (17:44 +0100)
author Bernd Bleßmann <bernd@kivitendo-premium.de>
Mon, 7 Mar 2022 09:40:31 +0000 (10:40 +0100)
committer Bernd Bleßmann <bernd@kivitendo-premium.de>
Tue, 8 Mar 2022 16:44:27 +0000 (17:44 +0100)
diff --git a/SL/AR.pm b/SL/AR.pm

index 77c62d3..63ea45c 100644 (file)
--- a/SL/AR.pm
+++ b/SL/AR.pm
@@ -521,16 +521,16 @@ sub ar_transactions {
    # Permissions:
    # - Always return invoices & AR transactions for projects the employee has "view invoices" permissions for, no matter what the other rules say.
    # - Exclude AR transactions if no permissions for them exist.
-  # - Limit to own invoices unless may edit all invoices.
-  # - If may edit all, allow filtering by employee/salesman.
+  # - Limit to own invoices unless may edit all invoices or view invoices is allowed.
+  # - If may edit all or view invoices is allowed, allow filtering by employee/salesman.
    my (@permission_where, @permission_values);
  
-  if ($::auth->assert('invoice_edit', 1)) {
+  if ($::auth->assert('invoice_edit', 1) || $::auth->assert('sales_invoice_view', 1)) {
      if (!$::auth->assert('show_ar_transactions', 1) ) {
        push @permission_where, "NOT invoice = 'f'";  # remove ar transactions from Sales -> Reports -> Invoices
      }
  
-    if (!$::auth->assert('sales_all_edit', 1)) {
+    if (!$::auth->assert('sales_all_edit', 1) && !$::auth->assert('sales_invoice_view', 1)) {
        # only show own invoices
        push @permission_where,  "a.employee_id = ?";
        push @permission_values, SL::DB::Manager::Employee->current->id;
@@ -547,7 +547,7 @@ sub ar_transactions {
      }
    }
  
-  if (@permission_where || !$::auth->assert('invoice_edit', 1)) {
+  if (@permission_where || (!$::auth->assert('invoice_edit', 1) && !$::auth->assert('sales_invoice_view', 1))) {
      my $permission_where_str = @permission_where ? "OR (" . join(" AND ", map { "($_)" } @permission_where) . ")" : "";
      $where .= qq|
        AND (   (a.globalproject_id IN (
diff --git a/bin/mozilla/is.pl b/bin/mozilla/is.pl

index 8384980..57a79af 100644 (file)
--- a/bin/mozilla/is.pl
+++ b/bin/mozilla/is.pl
@@ -62,9 +62,10 @@ use strict;
  # end of main
  
  sub _may_view_or_edit_this_invoice {
-  return 1 if  $::auth->assert('invoice_edit', 1); # may edit all invoices
-  return 0 if !$::form->{id};                      # creating new invoices isn't allowed without invoice_edit
-  return 0 if !$::form->{globalproject_id};        # existing records without a project ID are not allowed
+  return 1 if  $::auth->assert('invoice_edit', 1);       # may edit all invoices
+  return 0 if !$::form->{id};                            # creating new invoices isn't allowed without invoice_edit
+  return 1 if  $::auth->assert('sales_invoice_view', 1); # viewing is allowed with this right
+  return 0 if !$::form->{globalproject_id};              # existing records without a project ID are not allowed
    return SL::DB::Project->new(id => $::form->{globalproject_id})->load->may_employee_view_project_invoices(SL::DB::Manager::Employee->current);
  }
author	Bernd Bleßmann <bernd@kivitendo-premium.de>
	Mon, 7 Mar 2022 09:40:31 +0000 (10:40 +0100)
committer	Bernd Bleßmann <bernd@kivitendo-premium.de>
	Tue, 8 Mar 2022 16:44:27 +0000 (17:44 +0100)
SL/AR.pm		patch \| blob \| history
bin/mozilla/is.pl		patch \| blob \| history