Revision 3bb4190a
Von Moritz Bunkus vor fast 4 Jahren hinzugefügt
SL/Auth.pm | ||
---|---|---|
1229 | 1229 |
return $granted; |
1230 | 1230 |
} |
1231 | 1231 |
|
1232 |
sub deny_access { |
|
1233 |
my ($self) = @_; |
|
1234 |
|
|
1235 |
$::dispatcher->reply_with_json_error(error => 'access') if $::request->type eq 'json'; |
|
1236 |
|
|
1237 |
delete $::form->{title}; |
|
1238 |
$::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")); |
|
1239 |
} |
|
1240 |
|
|
1232 | 1241 |
sub assert { |
1233 | 1242 |
my ($self, $right, $dont_abort) = @_; |
1234 | 1243 |
|
... | ... | |
1237 | 1246 |
} |
1238 | 1247 |
|
1239 | 1248 |
if (!$dont_abort) { |
1240 |
$::dispatcher->reply_with_json_error(error => 'access') if $::request->type eq 'json'; |
|
1241 |
|
|
1242 |
delete $::form->{title}; |
|
1243 |
$::form->show_generic_error($::locale->text("You do not have the permissions to access this function.")); |
|
1249 |
$self->deny_access; |
|
1244 | 1250 |
} |
1245 | 1251 |
|
1246 | 1252 |
return 0; |
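Review bot: The new `deny_access` (new line 1232) has no documentation, and its contract — that the request is finished inside `reply_with_json_error` or `show_generic_error` rather than control returning to the caller — is only implied by `assert` falling through to `return 0` after calling it. A header comment would make that explicit: `# Answer the current request with an "access denied" error, as JSON or HTML depending on $::request->type; presumably does not return — assert() relies on that.` If either helper can return normally, `assert` should `return 0;` directly after `$self->deny_access;` so the fall-through is not load-bearing. `assert`'s body continues outside the hunk.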
SL/CT.pm | ||
---|---|---|
244 | 244 |
push @values, $form->{create_zugferd_invoices}; |
245 | 245 |
} |
246 | 246 |
|
247 |
# Nur Kunden finden, bei denen ich selber der Verkäufer bin |
|
248 |
# Gilt nicht für Lieferanten |
|
249 |
if ($cv eq 'customer' && !$main::auth->assert('customer_vendor_all_edit', 1)) { |
|
250 |
$where .= qq| AND ct.salesman_id = (select em.id from employee em where em.login = ?)|; |
|
251 |
push(@values, $::myconfig{login}); |
|
252 |
} |
|
253 |
|
|
254 | 247 |
my ($cvar_where, @cvar_values) = CVar->build_filter_query('module' => 'CT', |
255 | 248 |
'trans_id_field' => 'ct.id', |
256 | 249 |
'filter' => $form); |
SL/Controller/Customer.pm | ||
---|---|---|
6 | 6 |
use SL::DB::Customer; |
7 | 7 |
use SL::JSON; |
8 | 8 |
|
9 |
# safety |
|
10 |
__PACKAGE__->run_before(sub { $::auth->assert('customer_vendor_edit') }); |
|
11 |
|
|
12 | 9 |
sub action_get_hourly_rate { |
13 | 10 |
my ($self, %params) = @_; |
14 | 11 |
|
SL/Controller/CustomerVendor.pm | ||
---|---|---|
41 | 41 |
use Data::Dumper; |
42 | 42 |
|
43 | 43 |
use Rose::Object::MakeMethods::Generic ( |
44 |
scalar => [ qw(user_has_edit_rights) ], |
|
44 | 45 |
'scalar --get_set_init' => [ qw(customer_models vendor_models zugferd_settings) ], |
45 | 46 |
); |
46 | 47 |
|
47 | 48 |
# safety |
48 |
__PACKAGE__->run_before( |
|
49 |
sub { |
|
50 |
$::auth->assert('customer_vendor_edit'); |
|
51 |
}, |
|
52 |
except => [ qw(ajaj_autocomplete) ], |
|
53 |
); |
|
54 | 49 |
__PACKAGE__->run_before( |
55 | 50 |
'_instantiate_args', |
56 | 51 |
only => [ |
... | ... | |
81 | 76 |
); |
82 | 77 |
|
83 | 78 |
# make sure this comes after _load_customer_vendor |
84 |
__PACKAGE__->run_before( |
|
85 |
'_check_customer_vendor_all_edit', |
|
86 |
only => [ |
|
87 |
'edit', |
|
88 |
'show', |
|
89 |
'update', |
|
90 |
'delete', |
|
91 |
'save', |
|
92 |
'save_and_ap_transaction', |
|
93 |
'save_and_ar_transaction', |
|
94 |
'save_and_close', |
|
95 |
'save_and_invoice', |
|
96 |
'save_and_order', |
|
97 |
'save_and_quotation', |
|
98 |
'save_and_rfq', |
|
99 |
'delete', |
|
100 |
'delete_contact', |
|
101 |
'delete_shipto', |
|
102 |
] |
|
103 |
); |
|
79 |
__PACKAGE__->run_before('_check_auth'); |
|
104 | 80 |
|
105 | 81 |
__PACKAGE__->run_before( |
106 | 82 |
'_create_customer_vendor', |
... | ... | |
656 | 632 |
if (1 == scalar @{ $exact_matches = $manager->get_all( |
657 | 633 |
query => [ |
658 | 634 |
obsolete => 0, |
659 |
(salesman_id => SL::DB::Manager::Employee->current->id) x !$::auth->assert('customer_vendor_all_edit', 1), |
|
660 | 635 |
or => [ |
661 | 636 |
name => { ilike => $::form->{filter}{'all:substr:multi::ilike'} }, |
662 | 637 |
$number => { ilike => $::form->{filter}{'all:substr:multi::ilike'} }, |
... | ... | |
912 | 887 |
} |
913 | 888 |
} |
914 | 889 |
|
915 |
sub _check_customer_vendor_all_edit {
|
|
916 |
my ($self) = @_;
|
|
890 |
sub _may_access_action {
|
|
891 |
my ($self, $action) = @_;
|
|
917 | 892 |
|
918 |
unless ($::auth->assert('customer_vendor_all_edit', 1)) { |
|
919 |
die($::locale->text("You don't have the rights to edit this customer.") . "\n") |
|
920 |
if $self->{cv}->is_customer and |
|
921 |
SL::DB::Manager::Employee->current->id != $self->{cv}->salesman_id; |
|
922 |
}; |
|
923 |
}; |
|
893 |
my $is_new = !$self->{cv} || !$self->{cv}->id; |
|
894 |
my $is_own_customer = !$is_new |
|
895 |
&& $self->{cv}->is_customer |
|
896 |
&& (SL::DB::Manager::Employee->current->id == $self->{cv}->salesman_id); |
|
897 |
my $has_edit_rights = $::auth->assert('customer_vendor_all_edit', 1); |
|
898 |
$has_edit_rights ||= $::auth->assert('customer_vendor_edit', 1) && ($is_new || $is_own_customer); |
|
899 |
my $needs_edit_rights = $action =~ m{^(?:add|save|delete|update)}; |
|
900 |
|
|
901 |
$self->user_has_edit_rights($has_edit_rights); |
|
902 |
|
|
903 |
return 1 if $has_edit_rights; |
|
904 |
return 0 if $needs_edit_rights; |
|
905 |
return 1; |
|
906 |
} |
|
907 |
|
|
908 |
sub _check_auth { |
|
909 |
my ($self, $action) = @_; |
|
910 |
|
|
911 |
if (!$self->_may_access_action($action)) { |
|
912 |
$::auth->deny_access; |
|
913 |
} |
|
914 |
} |
|
924 | 915 |
|
925 | 916 |
sub _create_customer_vendor { |
926 | 917 |
my ($self) = @_; |
... | ... | |
1075 | 1066 |
sub _setup_form_action_bar { |
1076 | 1067 |
my ($self) = @_; |
1077 | 1068 |
|
1069 |
my $no_rights = $self->user_has_edit_rights ? undef |
|
1070 |
: $self->{cv}->is_customer ? t8("You don't have the rights to edit this customer.") |
|
1071 |
: t8("You don't have the rights to edit this vendor."); |
|
1072 |
|
|
1078 | 1073 |
for my $bar ($::request->layout->get('actionbar')) { |
1079 | 1074 |
$bar->add( |
1080 | 1075 |
combobox => [ |
... | ... | |
1083 | 1078 |
submit => [ '#form', { action => "CustomerVendor/save" } ], |
1084 | 1079 |
checks => [ 'check_taxzone_and_ustid' ], |
1085 | 1080 |
accesskey => 'enter', |
1081 |
disabled => $no_rights, |
|
1086 | 1082 |
], |
1087 | 1083 |
action => [ |
1088 | 1084 |
t8('Save and Close'), |
1089 | 1085 |
submit => [ '#form', { action => "CustomerVendor/save_and_close" } ], |
1090 | 1086 |
checks => [ 'check_taxzone_and_ustid' ], |
1087 |
disabled => $no_rights, |
|
1091 | 1088 |
], |
1092 | 1089 |
], # end of combobox "Save" |
1093 | 1090 |
|
... | ... | |
1097 | 1094 |
t8('Save and AP Transaction'), |
1098 | 1095 |
submit => [ '#form', { action => "CustomerVendor/save_and_ap_transaction" } ], |
1099 | 1096 |
checks => [ 'check_taxzone_and_ustid' ], |
1097 |
disabled => $no_rights, |
|
1100 | 1098 |
]) x !!$self->is_vendor, |
1101 | 1099 |
(action => [ |
1102 | 1100 |
t8('Save and AR Transaction'), |
1103 | 1101 |
submit => [ '#form', { action => "CustomerVendor/save_and_ar_transaction" } ], |
1104 | 1102 |
checks => [ 'check_taxzone_and_ustid' ], |
1103 |
disabled => $no_rights, |
|
1105 | 1104 |
]) x !$self->is_vendor, |
1106 | 1105 |
action => [ |
1107 | 1106 |
t8('Save and Invoice'), |
1108 | 1107 |
submit => [ '#form', { action => "CustomerVendor/save_and_invoice" } ], |
1109 | 1108 |
checks => [ 'check_taxzone_and_ustid' ], |
1109 |
disabled => $no_rights, |
|
1110 | 1110 |
], |
1111 | 1111 |
action => [ |
1112 | 1112 |
t8('Save and Order'), |
1113 | 1113 |
submit => [ '#form', { action => "CustomerVendor/save_and_order" } ], |
1114 | 1114 |
checks => [ 'check_taxzone_and_ustid' ], |
1115 |
disabled => $no_rights, |
|
1115 | 1116 |
], |
1116 | 1117 |
(action => [ |
1117 | 1118 |
t8('Save and RFQ'), |
1118 | 1119 |
submit => [ '#form', { action => "CustomerVendor/save_and_rfq" } ], |
1119 | 1120 |
checks => [ 'check_taxzone_and_ustid' ], |
1121 |
disabled => $no_rights, |
|
1120 | 1122 |
]) x !!$self->is_vendor, |
1121 | 1123 |
(action => [ |
1122 | 1124 |
t8('Save and Quotation'), |
1123 | 1125 |
submit => [ '#form', { action => "CustomerVendor/save_and_quotation" } ], |
1124 | 1126 |
checks => [ 'check_taxzone_and_ustid' ], |
1127 |
disabled => $no_rights, |
|
1125 | 1128 |
]) x !$self->is_vendor, |
1126 | 1129 |
], # end of combobox "Workflow" |
1127 | 1130 |
|
... | ... | |
1131 | 1134 |
confirm => t8('Do you really want to delete this object?'), |
1132 | 1135 |
disabled => !$self->{cv}->id ? t8('This object has not been saved yet.') |
1133 | 1136 |
: !$self->is_orphaned ? t8('This object has already been used.') |
1134 |
: undef,
|
|
1137 |
: $no_rights,
|
|
1135 | 1138 |
], |
1136 | 1139 |
|
1137 | 1140 |
'separator', |
... | ... | |
1214 | 1217 |
}, |
1215 | 1218 |
customernumber => t8('Customer Number'), |
1216 | 1219 |
}, |
1217 |
query => [ |
|
1218 |
( salesman_id => SL::DB::Manager::Employee->current->id) x !$::auth->assert('customer_vendor_all_edit', 1), |
|
1219 |
], |
|
1220 | 1220 |
); |
1221 | 1221 |
} |
1222 | 1222 |
|
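Review bot: In `_may_access_action` (new lines 893–898) a user holding `customer_vendor_edit` but not `customer_vendor_all_edit` gets `$has_edit_rights` only when `$is_new` or `$is_own_customer` is true, and `$is_own_customer` is always false for a vendor because it requires `$self->{cv}->is_customer`; as I read the commit description, such users should be able to edit all existing vendors, so saving or deleting an existing vendor is denied here while the description permits it. Widening the condition fixes that: `my $may_edit_existing = !$is_new && (!$self->{cv}->is_customer || (SL::DB::Manager::Employee->current->id == $self->{cv}->salesman_id));` and `$has_edit_rights ||= $::auth->assert('customer_vendor_edit', 1) && ($is_new || $may_edit_existing);`. Separately, `$needs_edit_rights = $action =~ m{^(?:add|save|delete|update)}` is a prefix allow-list, so any future mutating action whose name does not start with one of those four words would be classified as read-only and granted to every user; a comment stating that naming convention, or an exact list anchored with `\A ... \z`, would keep it from drifting silently. With the vendor fix, the vendor message in `_setup_form_action_bar` (new line 1071) would only be shown to users lacking `customer_vendor_edit` entirely.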
SL/Controller/TopQuickSearch/Contact.pm | ||
---|---|---|
8 | 8 |
use SL::DBUtils qw(selectfirst_array_query like); |
9 | 9 |
use SL::Locale::String qw(t8); |
10 | 10 |
|
11 |
sub auth { 'customer_vendor_edit' }
|
|
11 |
sub auth { undef }
|
|
12 | 12 |
|
13 | 13 |
sub name { 'contact' } |
14 | 14 |
|
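Review bot: `sub auth { undef }` at new line 11 replaces a named right with a bare `undef`, and nothing says what that means to the quick-search framework; presumably a false value means no specific right is required, so any authenticated user may run the contact search. A trailing comment would record the intent: `sub auth { undef }   # no right required: read access to contacts is open to all users`. The same one-line change is made in TopQuickSearch/Customer.pm and TopQuickSearch/Vendor.pm and would take the same comment.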
SL/Controller/TopQuickSearch/Customer.pm | ||
---|---|---|
6 | 6 |
|
7 | 7 |
use SL::Locale::String qw(t8); |
8 | 8 |
|
9 |
sub auth { 'customer_vendor_edit' }
|
|
9 |
sub auth { undef }
|
|
10 | 10 |
|
11 | 11 |
sub name { 'customer' } |
12 | 12 |
|
SL/Controller/TopQuickSearch/Vendor.pm | ||
---|---|---|
6 | 6 |
|
7 | 7 |
use SL::Locale::String qw(t8); |
8 | 8 |
|
9 |
sub auth { 'customer_vendor_edit' }
|
|
9 |
sub auth { undef }
|
|
10 | 10 |
|
11 | 11 |
sub name { 'vendor' } |
12 | 12 |
|
bin/mozilla/ct.pl | ||
---|---|---|
76 | 76 |
sub search { |
77 | 77 |
$main::lxdebug->enter_sub(); |
78 | 78 |
|
79 |
$main::auth->assert('customer_vendor_edit'); |
|
80 |
|
|
81 | 79 |
my $form = $main::form; |
82 | 80 |
my $locale = $main::locale; |
83 | 81 |
|
... | ... | |
107 | 105 |
|
108 | 106 |
sub search_contact { |
109 | 107 |
$::lxdebug->enter_sub; |
110 |
$::auth->assert('customer_vendor_edit'); |
|
111 | 108 |
|
112 | 109 |
$::form->{CUSTOM_VARIABLES} = CVar->get_configs('module' => 'Contacts'); |
113 | 110 |
($::form->{CUSTOM_VARIABLES_FILTER_CODE}, |
... | ... | |
128 | 125 |
sub list_names { |
129 | 126 |
$main::lxdebug->enter_sub(); |
130 | 127 |
|
131 |
$main::auth->assert('customer_vendor_edit'); |
|
132 |
|
|
133 | 128 |
my $form = $main::form; |
134 | 129 |
my %myconfig = %main::myconfig; |
135 | 130 |
my $locale = $main::locale; |
... | ... | |
339 | 334 |
|
340 | 335 |
sub list_contacts { |
341 | 336 |
$::lxdebug->enter_sub; |
342 |
$::auth->assert('customer_vendor_edit'); |
|
343 | 337 |
|
344 | 338 |
$::form->{sortdir} = 1 unless defined $::form->{sortdir}; |
345 | 339 |
|
locale/de/all | ||
---|---|---|
4058 | 4058 |
'You do not have permission to access this entry.' => 'Sie verfügen nicht über die Berechtigung, auf diesen Eintrag zuzugreifen.', |
4059 | 4059 |
'You do not have the permissions to access this function.' => 'Sie verfügen nicht über die notwendigen Rechte, um auf diese Funktion zuzugreifen.', |
4060 | 4060 |
'You don\'t have the rights to edit this customer.' => 'Sie verfügen nicht über die erforderlichen Rechte, um diesen Kunden zu bearbeiten.', |
4061 |
'You don\'t have the rights to edit this vendor.' => 'Sie verfügen nicht über die erforderlichen Rechte, um diesen Lieferanten zu bearbeiten.', |
|
4061 | 4062 |
'You have changed the currency or exchange rate. Please check prices.' => 'Die Währung oder der Wechselkurs hat sich geändert. Bitte überprüfen Sie die Preise.', |
4062 | 4063 |
'You have entered or selected the following shipping address for this customer:' => 'Sie haben die folgende Lieferadresse eingegeben oder ausgewählt:', |
4063 | 4064 |
'You have never worked with currencies.' => 'Sie haben noch nie mit Währungen gearbeitet.', |
menus/user/00-erp.yaml | ||
---|---|---|
34 | 34 |
name: Add Customer |
35 | 35 |
icon: customer_add |
36 | 36 |
order: 100 |
37 |
access: customer_vendor_edit |
|
37 |
access: customer_vendor_edit|customer_vendor_all_edit
|
|
38 | 38 |
params: |
39 | 39 |
action: CustomerVendor/add |
40 | 40 |
db: customer |
... | ... | |
43 | 43 |
name: Add Vendor |
44 | 44 |
icon: vendor_add |
45 | 45 |
order: 200 |
46 |
access: customer_vendor_edit |
|
46 |
access: customer_vendor_edit|customer_vendor_all_edit
|
|
47 | 47 |
params: |
48 | 48 |
action: CustomerVendor/add |
49 | 49 |
db: vendor |
... | ... | |
121 | 121 |
name: Customers |
122 | 122 |
icon: customer_report |
123 | 123 |
order: 100 |
124 |
access: customer_vendor_edit |
|
125 | 124 |
params: |
126 | 125 |
action: CustomerVendor/search |
127 | 126 |
db: customer |
... | ... | |
130 | 129 |
name: Vendors |
131 | 130 |
icon: vendor_report |
132 | 131 |
order: 200 |
133 |
access: customer_vendor_edit |
|
134 | 132 |
params: |
135 | 133 |
action: CustomerVendor/search |
136 | 134 |
db: vendor |
... | ... | |
138 | 136 |
id: master_data_reports_contacts |
139 | 137 |
name: Contacts |
140 | 138 |
order: 300 |
141 |
access: customer_vendor_edit |
|
142 | 139 |
params: |
143 | 140 |
action: CustomerVendor/search_contact |
144 | 141 |
db: customer |
Kunden-/Lieferantenstammdaten: Berechtigungsmodell gefixt
Neues Modell sieht wie folgt aus:
1. Alle Personen haben Leserechte auf alle Kunden- &
Lieferantenstammdaten. Das betrifft nicht nur die Stammdatenmasken,
sondern auch die AJAJ-Autovervollständigung (Kunden-/
Lieferanten-Picker) oder die Detail-Popup-Fenster in Einkaufs-/
Verkaufsbelegmasken.
2. Personen mit »edit«-Recht aber ohne »edit all«-Recht dürfen nur die
eigenen Kundenstammdaten verändern (speichern/löschen), wobei
»eigen« definiert ist als »aktuelle Person ist Verkäufer*in des
Kunden«. Neue Kunden dürfen angelegt werden. Bei Lieferanten dürfen
hingegen alle Stammdaten bearbeitet werden.
3. Personen mit »edit all«-Recht haben Vollzugriff auf alle Kunden- &
Lieferantenstammdaten.