
Revision 3bb4190a

Von Moritz Bunkus vor fast 4 Jahren hinzugefügt

  • ID 3bb4190a48d58f5a598b659c27b9a5bf233aa54b
  • Vorgänger 95f21f71
  • Nachfolger 2350fb7f

Kunden-/Lieferantenstammdaten: Berechtigungsmodell gefixt

Neues Modell sieht wie folgt aus:

1. Alle Personen haben Leserechte auf alle Kunden- &
Lieferantenstammdaten. Das betrifft nicht nur die Stammdatenmasken,
sondern auch die AJAJ-Autovervollständigung (Kunden-/
Lieferanten-Picker) oder die Detail-Popup-Fenster in Einkaufs-/
Verkaufsbelegmasken.

2. Personen mit »edit«-Recht aber ohne »edit all«-Recht dürfen nur die
eigenen Kundenstammdaten verändern (speichern/löschen), wobei
»eigen« definiert ist als »aktuelle Person ist Verkäufer*in des
Kunden«. Neue Kunden dürfen angelegt werden. Bei Lieferanten dürfen
hingegen alle Stammdaten bearbeitet werden.

3. Personen mit »edit all«-Recht haben Vollzugriff auf alle Kunden- &
Lieferantenstammdaten.


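--- a/SL/Auth.pm
+++ b/SL/Auth.pm
@@ -1229,6 +1229,15 @@
   return $granted;
 }
 
+sub deny_access {
+  my ($self) = @_;
+
+  $::dispatcher->reply_with_json_error(error => 'access') if $::request->type eq 'json';
+
+  delete $::form->{title};
+  $::form->show_generic_error($::locale->text("You do not have the permissions to access this function."));
+}
+
 sub assert {
   my ($self, $right, $dont_abort) = @_;
 
@@ -1237,10 +1246,7 @@
   }
 
   if (!$dont_abort) {
-    $::dispatcher->reply_with_json_error(error => 'access') if $::request->type eq 'json';
-
-    delete $::form->{title};
-    $::form->show_generic_error($::locale->text("You do not have the permissions to access this function."));
+    $self->deny_access;
   }
 
   return 0;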
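Review bot: `deny_access` becomes a public method that controllers call on their own (`$::auth->deny_access` in SL/Controller/CustomerVendor.pm), yet it documents no contract; whether it returns to the caller depends on `reply_with_json_error` and `show_generic_error` aborting the request, which this hunk does not show. The new caller `_check_auth` relies on exactly that, since nothing after the call stops the action from running. A header comment such as `# Abort the current request with the generic "no permission" response: a JSON error for JSON requests, the error page otherwise. Must not return to the caller.` would pin the expectation, with the last sentence kept only if both paths really end the request. The body of `assert` in the second hunk starts and ends outside the hunk.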
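--- a/SL/CT.pm
+++ b/SL/CT.pm
@@ -244,13 +244,6 @@
     push @values, $form->{create_zugferd_invoices};
   }
 
-  # Nur Kunden finden, bei denen ich selber der Verkäufer bin
-  # Gilt nicht für Lieferanten
-  if ($cv eq 'customer' &&   !$main::auth->assert('customer_vendor_all_edit', 1)) {
-    $where .= qq| AND ct.salesman_id = (select em.id from employee em where em.login = ?)|;
-    push(@values, $::myconfig{login});
-  }
-
   my ($cvar_where, @cvar_values) = CVar->build_filter_query('module'         => 'CT',
                                                             'trans_id_field' => 'ct.id',
                                                             'filter'         => $form);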
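--- a/SL/Controller/Customer.pm
+++ b/SL/Controller/Customer.pm
@@ -6,9 +6,6 @@
 use SL::DB::Customer;
 use SL::JSON;
 
-# safety
-__PACKAGE__->run_before(sub { $::auth->assert('customer_vendor_edit') });
-
 sub action_get_hourly_rate {
   my ($self, %params) = @_;
 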
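--- a/SL/Controller/CustomerVendor.pm
+++ b/SL/Controller/CustomerVendor.pm
@@ -41,16 +41,11 @@
 use Data::Dumper;
 
 use Rose::Object::MakeMethods::Generic (
+  scalar                  => [ qw(user_has_edit_rights) ],
   'scalar --get_set_init' => [ qw(customer_models vendor_models zugferd_settings) ],
 );
 
 # safety
-__PACKAGE__->run_before(
-  sub {
-    $::auth->assert('customer_vendor_edit');
-  },
-  except => [ qw(ajaj_autocomplete) ],
-);
 __PACKAGE__->run_before(
   '_instantiate_args',
   only => [
@@ -81,26 +76,7 @@
 );
 
 # make sure this comes after _load_customer_vendor
-__PACKAGE__->run_before(
-  '_check_customer_vendor_all_edit',
-  only => [
-    'edit',
-    'show',
-    'update',
-    'delete',
-    'save',
-    'save_and_ap_transaction',
-    'save_and_ar_transaction',
-    'save_and_close',
-    'save_and_invoice',
-    'save_and_order',
-    'save_and_quotation',
-    'save_and_rfq',
-    'delete',
-    'delete_contact',
-    'delete_shipto',
-  ]
-);
+__PACKAGE__->run_before('_check_auth');
 
 __PACKAGE__->run_before(
   '_create_customer_vendor',
@@ -656,7 +632,6 @@
     if (1 == scalar @{ $exact_matches = $manager->get_all(
       query => [
         obsolete => 0,
-        (salesman_id => SL::DB::Manager::Employee->current->id) x !$::auth->assert('customer_vendor_all_edit', 1),
         or => [
           name    => { ilike => $::form->{filter}{'all:substr:multi::ilike'} },
           $number => { ilike => $::form->{filter}{'all:substr:multi::ilike'} },
@@ -912,15 +887,31 @@
   }
 }
 
-sub _check_customer_vendor_all_edit {
-  my ($self) = @_;
+sub _may_access_action {
+  my ($self, $action)   = @_;
 
-  unless ($::auth->assert('customer_vendor_all_edit', 1)) {
-    die($::locale->text("You don't have the rights to edit this customer.") . "\n")
-      if $self->{cv}->is_customer and
-         SL::DB::Manager::Employee->current->id != $self->{cv}->salesman_id;
-  };
-};
+  my $is_new            = !$self->{cv} || !$self->{cv}->id;
+  my $is_own_customer   = !$is_new
+                       && $self->{cv}->is_customer
+                       && (SL::DB::Manager::Employee->current->id == $self->{cv}->salesman_id);
+  my $has_edit_rights   = $::auth->assert('customer_vendor_all_edit', 1);
+  $has_edit_rights    ||= $::auth->assert('customer_vendor_edit',     1) && ($is_new || $is_own_customer);
+  my $needs_edit_rights = $action =~ m{^(?:add|save|delete|update)};
+
+  $self->user_has_edit_rights($has_edit_rights);
+
+  return 1 if $has_edit_rights;
+  return 0 if $needs_edit_rights;
+  return 1;
+}
+
+sub _check_auth {
+  my ($self, $action) = @_;
+
+  if (!$self->_may_access_action($action)) {
+    $::auth->deny_access;
+  }
+}
 
 sub _create_customer_vendor {
   my ($self) = @_;
@@ -1075,6 +1066,10 @@
 sub _setup_form_action_bar {
   my ($self) = @_;
 
+  my $no_rights = $self->user_has_edit_rights ? undef
+                : $self->{cv}->is_customer    ? t8("You don't have the rights to edit this customer.")
+                :                               t8("You don't have the rights to edit this vendor.");
+
   for my $bar ($::request->layout->get('actionbar')) {
     $bar->add(
       combobox => [
@@ -1083,11 +1078,13 @@
           submit    => [ '#form', { action => "CustomerVendor/save" } ],
           checks    => [ 'check_taxzone_and_ustid' ],
           accesskey => 'enter',
+          disabled  => $no_rights,
         ],
         action => [
           t8('Save and Close'),
           submit => [ '#form', { action => "CustomerVendor/save_and_close" } ],
           checks => [ 'check_taxzone_and_ustid' ],
+          disabled => $no_rights,
         ],
       ], # end of combobox "Save"
 
@@ -1097,31 +1094,37 @@
           t8('Save and AP Transaction'),
           submit => [ '#form', { action => "CustomerVendor/save_and_ap_transaction" } ],
           checks => [ 'check_taxzone_and_ustid' ],
+          disabled => $no_rights,
         ]) x !!$self->is_vendor,
         (action => [
           t8('Save and AR Transaction'),
           submit => [ '#form', { action => "CustomerVendor/save_and_ar_transaction" } ],
           checks => [ 'check_taxzone_and_ustid' ],
+          disabled => $no_rights,
         ]) x !$self->is_vendor,
         action => [
           t8('Save and Invoice'),
           submit => [ '#form', { action => "CustomerVendor/save_and_invoice" } ],
           checks => [ 'check_taxzone_and_ustid' ],
+          disabled => $no_rights,
         ],
         action => [
           t8('Save and Order'),
           submit => [ '#form', { action => "CustomerVendor/save_and_order" } ],
           checks => [ 'check_taxzone_and_ustid' ],
+          disabled => $no_rights,
         ],
         (action => [
           t8('Save and RFQ'),
           submit => [ '#form', { action => "CustomerVendor/save_and_rfq" } ],
           checks => [ 'check_taxzone_and_ustid' ],
+          disabled => $no_rights,
         ]) x !!$self->is_vendor,
         (action => [
           t8('Save and Quotation'),
           submit => [ '#form', { action => "CustomerVendor/save_and_quotation" } ],
           checks => [ 'check_taxzone_and_ustid' ],
+          disabled => $no_rights,
         ]) x !$self->is_vendor,
       ], # end of combobox "Workflow"
 
@@ -1131,7 +1134,7 @@
         confirm  => t8('Do you really want to delete this object?'),
         disabled => !$self->{cv}->id    ? t8('This object has not been saved yet.')
                   : !$self->is_orphaned ? t8('This object has already been used.')
-                  :                       undef,
+                  :                       $no_rights,
       ],
 
       'separator',
@@ -1214,9 +1217,6 @@
       },
       customernumber => t8('Customer Number'),
     },
-    query => [
-     ( salesman_id => SL::DB::Manager::Employee->current->id) x !$::auth->assert('customer_vendor_all_edit', 1),
-    ],
   );
 }
 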
SL/Controller/TopQuickSearch/Contact.pm
8 8
use SL::DBUtils qw(selectfirst_array_query like);
9 9
use SL::Locale::String qw(t8);
10 10

  
11
sub auth { 'customer_vendor_edit' }
11
sub auth { undef }
12 12

  
13 13
sub name { 'contact' }
14 14

  
SL/Controller/TopQuickSearch/Customer.pm
6 6

  
7 7
use SL::Locale::String qw(t8);
8 8

  
9
sub auth { 'customer_vendor_edit' }
9
sub auth { undef }
10 10

  
11 11
sub name { 'customer' }
12 12

  
SL/Controller/TopQuickSearch/Vendor.pm
6 6

  
7 7
use SL::Locale::String qw(t8);
8 8

  
9
sub auth { 'customer_vendor_edit' }
9
sub auth { undef }
10 10

  
11 11
sub name { 'vendor' }
12 12

  
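--- a/bin/mozilla/ct.pl
+++ b/bin/mozilla/ct.pl
@@ -76,8 +76,6 @@
 sub search {
   $main::lxdebug->enter_sub();
 
-  $main::auth->assert('customer_vendor_edit');
-
   my $form     = $main::form;
   my $locale   = $main::locale;
 
@@ -107,7 +105,6 @@
 
 sub search_contact {
   $::lxdebug->enter_sub;
-  $::auth->assert('customer_vendor_edit');
 
   $::form->{CUSTOM_VARIABLES}                  = CVar->get_configs('module' => 'Contacts');
   ($::form->{CUSTOM_VARIABLES_FILTER_CODE},
@@ -128,8 +125,6 @@
 sub list_names {
   $main::lxdebug->enter_sub();
 
-  $main::auth->assert('customer_vendor_edit');
-
   my $form     = $main::form;
   my %myconfig = %main::myconfig;
   my $locale   = $main::locale;
@@ -339,7 +334,6 @@
 
 sub list_contacts {
   $::lxdebug->enter_sub;
-  $::auth->assert('customer_vendor_edit');
 
   $::form->{sortdir} = 1 unless defined $::form->{sortdir};
 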
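--- a/locale/de/all
+++ b/locale/de/all
@@ -4058,6 +4058,7 @@
   'You do not have permission to access this entry.' => 'Sie verfügen nicht über die Berechtigung, auf diesen Eintrag zuzugreifen.',
   'You do not have the permissions to access this function.' => 'Sie verfügen nicht über die notwendigen Rechte, um auf diese Funktion zuzugreifen.',
   'You don\'t have the rights to edit this customer.' => 'Sie verfügen nicht über die erforderlichen Rechte, um diesen Kunden zu bearbeiten.',
+  'You don\'t have the rights to edit this vendor.' => 'Sie verfügen nicht über die erforderlichen Rechte, um diesen Lieferanten zu bearbeiten.',
   'You have changed the currency or exchange rate. Please check prices.' => 'Die Währung oder der Wechselkurs hat sich geändert. Bitte überprüfen Sie die Preise.',
   'You have entered or selected the following shipping address for this customer:' => 'Sie haben die folgende Lieferadresse eingegeben oder ausgewählt:',
   'You have never worked with currencies.' => 'Sie haben noch nie  mit Währungen gearbeitet.',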
menus/user/00-erp.yaml
34 34
  name: Add Customer
35 35
  icon: customer_add
36 36
  order: 100
37
  access: customer_vendor_edit
37
  access: customer_vendor_edit|customer_vendor_all_edit
38 38
  params:
39 39
    action: CustomerVendor/add
40 40
    db: customer
......
43 43
  name: Add Vendor
44 44
  icon: vendor_add
45 45
  order: 200
46
  access: customer_vendor_edit
46
  access: customer_vendor_edit|customer_vendor_all_edit
47 47
  params:
48 48
    action: CustomerVendor/add
49 49
    db: vendor
......
121 121
  name: Customers
122 122
  icon: customer_report
123 123
  order: 100
124
  access: customer_vendor_edit
125 124
  params:
126 125
    action: CustomerVendor/search
127 126
    db: customer
......
130 129
  name: Vendors
131 130
  icon: vendor_report
132 131
  order: 200
133
  access: customer_vendor_edit
134 132
  params:
135 133
    action: CustomerVendor/search
136 134
    db: vendor
......
138 136
  id: master_data_reports_contacts
139 137
  name: Contacts
140 138
  order: 300
141
  access: customer_vendor_edit
142 139
  params:
143 140
    action: CustomerVendor/search_contact
144 141
    db: customer
