Revision 3bb4190a
Von Moritz Bunkus vor mehr als 3 Jahren hinzugefügt
| SL/Auth.pm | ||
|---|---|---|
| 1229 | 1229 |
return $granted; |
| 1230 | 1230 |
} |
| 1231 | 1231 |
|
| 1232 |
sub deny_access {
|
|
| 1233 |
my ($self) = @_; |
|
| 1234 |
|
|
| 1235 |
$::dispatcher->reply_with_json_error(error => 'access') if $::request->type eq 'json'; |
|
| 1236 |
|
|
| 1237 |
delete $::form->{title};
|
|
| 1238 |
$::form->show_generic_error($::locale->text("You do not have the permissions to access this function."));
|
|
| 1239 |
} |
|
| 1240 |
|
|
| 1232 | 1241 |
sub assert {
|
| 1233 | 1242 |
my ($self, $right, $dont_abort) = @_; |
| 1234 | 1243 |
|
| ... | ... | |
| 1237 | 1246 |
} |
| 1238 | 1247 |
|
| 1239 | 1248 |
if (!$dont_abort) {
|
| 1240 |
$::dispatcher->reply_with_json_error(error => 'access') if $::request->type eq 'json'; |
|
| 1241 |
|
|
| 1242 |
delete $::form->{title};
|
|
| 1243 |
$::form->show_generic_error($::locale->text("You do not have the permissions to access this function."));
|
|
| 1249 |
$self->deny_access; |
|
| 1244 | 1250 |
} |
| 1245 | 1251 |
|
| 1246 | 1252 |
return 0; |
| SL/CT.pm | ||
|---|---|---|
| 244 | 244 |
push @values, $form->{create_zugferd_invoices};
|
| 245 | 245 |
} |
| 246 | 246 |
|
| 247 |
# Nur Kunden finden, bei denen ich selber der Verkäufer bin |
|
| 248 |
# Gilt nicht für Lieferanten |
|
| 249 |
if ($cv eq 'customer' && !$main::auth->assert('customer_vendor_all_edit', 1)) {
|
|
| 250 |
$where .= qq| AND ct.salesman_id = (select em.id from employee em where em.login = ?)|; |
|
| 251 |
push(@values, $::myconfig{login});
|
|
| 252 |
} |
|
| 253 |
|
|
| 254 | 247 |
my ($cvar_where, @cvar_values) = CVar->build_filter_query('module' => 'CT',
|
| 255 | 248 |
'trans_id_field' => 'ct.id', |
| 256 | 249 |
'filter' => $form); |
| SL/Controller/Customer.pm | ||
|---|---|---|
| 6 | 6 |
use SL::DB::Customer; |
| 7 | 7 |
use SL::JSON; |
| 8 | 8 |
|
| 9 |
# safety |
|
| 10 |
__PACKAGE__->run_before(sub { $::auth->assert('customer_vendor_edit') });
|
|
| 11 |
|
|
| 12 | 9 |
sub action_get_hourly_rate {
|
| 13 | 10 |
my ($self, %params) = @_; |
| 14 | 11 |
|
| SL/Controller/CustomerVendor.pm | ||
|---|---|---|
| 41 | 41 |
use Data::Dumper; |
| 42 | 42 |
|
| 43 | 43 |
use Rose::Object::MakeMethods::Generic ( |
| 44 |
scalar => [ qw(user_has_edit_rights) ], |
|
| 44 | 45 |
'scalar --get_set_init' => [ qw(customer_models vendor_models zugferd_settings) ], |
| 45 | 46 |
); |
| 46 | 47 |
|
| 47 | 48 |
# safety |
| 48 |
__PACKAGE__->run_before( |
|
| 49 |
sub {
|
|
| 50 |
$::auth->assert('customer_vendor_edit');
|
|
| 51 |
}, |
|
| 52 |
except => [ qw(ajaj_autocomplete) ], |
|
| 53 |
); |
|
| 54 | 49 |
__PACKAGE__->run_before( |
| 55 | 50 |
'_instantiate_args', |
| 56 | 51 |
only => [ |
| ... | ... | |
| 81 | 76 |
); |
| 82 | 77 |
|
| 83 | 78 |
# make sure this comes after _load_customer_vendor |
| 84 |
__PACKAGE__->run_before( |
|
| 85 |
'_check_customer_vendor_all_edit', |
|
| 86 |
only => [ |
|
| 87 |
'edit', |
|
| 88 |
'show', |
|
| 89 |
'update', |
|
| 90 |
'delete', |
|
| 91 |
'save', |
|
| 92 |
'save_and_ap_transaction', |
|
| 93 |
'save_and_ar_transaction', |
|
| 94 |
'save_and_close', |
|
| 95 |
'save_and_invoice', |
|
| 96 |
'save_and_order', |
|
| 97 |
'save_and_quotation', |
|
| 98 |
'save_and_rfq', |
|
| 99 |
'delete', |
|
| 100 |
'delete_contact', |
|
| 101 |
'delete_shipto', |
|
| 102 |
] |
|
| 103 |
); |
|
| 79 |
__PACKAGE__->run_before('_check_auth');
|
|
| 104 | 80 |
|
| 105 | 81 |
__PACKAGE__->run_before( |
| 106 | 82 |
'_create_customer_vendor', |
| ... | ... | |
| 656 | 632 |
if (1 == scalar @{ $exact_matches = $manager->get_all(
|
| 657 | 633 |
query => [ |
| 658 | 634 |
obsolete => 0, |
| 659 |
(salesman_id => SL::DB::Manager::Employee->current->id) x !$::auth->assert('customer_vendor_all_edit', 1),
|
|
| 660 | 635 |
or => [ |
| 661 | 636 |
name => { ilike => $::form->{filter}{'all:substr:multi::ilike'} },
|
| 662 | 637 |
$number => { ilike => $::form->{filter}{'all:substr:multi::ilike'} },
|
| ... | ... | |
| 912 | 887 |
} |
| 913 | 888 |
} |
| 914 | 889 |
|
| 915 |
sub _check_customer_vendor_all_edit {
|
|
| 916 |
my ($self) = @_;
|
|
| 890 |
sub _may_access_action {
|
|
| 891 |
my ($self, $action) = @_;
|
|
| 917 | 892 |
|
| 918 |
unless ($::auth->assert('customer_vendor_all_edit', 1)) {
|
|
| 919 |
die($::locale->text("You don't have the rights to edit this customer.") . "\n")
|
|
| 920 |
if $self->{cv}->is_customer and
|
|
| 921 |
SL::DB::Manager::Employee->current->id != $self->{cv}->salesman_id;
|
|
| 922 |
}; |
|
| 923 |
}; |
|
| 893 |
my $is_new = !$self->{cv} || !$self->{cv}->id;
|
|
| 894 |
my $is_own_customer = !$is_new |
|
| 895 |
&& $self->{cv}->is_customer
|
|
| 896 |
&& (SL::DB::Manager::Employee->current->id == $self->{cv}->salesman_id);
|
|
| 897 |
my $has_edit_rights = $::auth->assert('customer_vendor_all_edit', 1);
|
|
| 898 |
$has_edit_rights ||= $::auth->assert('customer_vendor_edit', 1) && ($is_new || $is_own_customer);
|
|
| 899 |
my $needs_edit_rights = $action =~ m{^(?:add|save|delete|update)};
|
|
| 900 |
|
|
| 901 |
$self->user_has_edit_rights($has_edit_rights); |
|
| 902 |
|
|
| 903 |
return 1 if $has_edit_rights; |
|
| 904 |
return 0 if $needs_edit_rights; |
|
| 905 |
return 1; |
|
| 906 |
} |
|
| 907 |
|
|
| 908 |
sub _check_auth {
|
|
| 909 |
my ($self, $action) = @_; |
|
| 910 |
|
|
| 911 |
if (!$self->_may_access_action($action)) {
|
|
| 912 |
$::auth->deny_access; |
|
| 913 |
} |
|
| 914 |
} |
|
| 924 | 915 |
|
| 925 | 916 |
sub _create_customer_vendor {
|
| 926 | 917 |
my ($self) = @_; |
| ... | ... | |
| 1075 | 1066 |
sub _setup_form_action_bar {
|
| 1076 | 1067 |
my ($self) = @_; |
| 1077 | 1068 |
|
| 1069 |
my $no_rights = $self->user_has_edit_rights ? undef |
|
| 1070 |
: $self->{cv}->is_customer ? t8("You don't have the rights to edit this customer.")
|
|
| 1071 |
: t8("You don't have the rights to edit this vendor.");
|
|
| 1072 |
|
|
| 1078 | 1073 |
for my $bar ($::request->layout->get('actionbar')) {
|
| 1079 | 1074 |
$bar->add( |
| 1080 | 1075 |
combobox => [ |
| ... | ... | |
| 1083 | 1078 |
submit => [ '#form', { action => "CustomerVendor/save" } ],
|
| 1084 | 1079 |
checks => [ 'check_taxzone_and_ustid' ], |
| 1085 | 1080 |
accesskey => 'enter', |
| 1081 |
disabled => $no_rights, |
|
| 1086 | 1082 |
], |
| 1087 | 1083 |
action => [ |
| 1088 | 1084 |
t8('Save and Close'),
|
| 1089 | 1085 |
submit => [ '#form', { action => "CustomerVendor/save_and_close" } ],
|
| 1090 | 1086 |
checks => [ 'check_taxzone_and_ustid' ], |
| 1087 |
disabled => $no_rights, |
|
| 1091 | 1088 |
], |
| 1092 | 1089 |
], # end of combobox "Save" |
| 1093 | 1090 |
|
| ... | ... | |
| 1097 | 1094 |
t8('Save and AP Transaction'),
|
| 1098 | 1095 |
submit => [ '#form', { action => "CustomerVendor/save_and_ap_transaction" } ],
|
| 1099 | 1096 |
checks => [ 'check_taxzone_and_ustid' ], |
| 1097 |
disabled => $no_rights, |
|
| 1100 | 1098 |
]) x !!$self->is_vendor, |
| 1101 | 1099 |
(action => [ |
| 1102 | 1100 |
t8('Save and AR Transaction'),
|
| 1103 | 1101 |
submit => [ '#form', { action => "CustomerVendor/save_and_ar_transaction" } ],
|
| 1104 | 1102 |
checks => [ 'check_taxzone_and_ustid' ], |
| 1103 |
disabled => $no_rights, |
|
| 1105 | 1104 |
]) x !$self->is_vendor, |
| 1106 | 1105 |
action => [ |
| 1107 | 1106 |
t8('Save and Invoice'),
|
| 1108 | 1107 |
submit => [ '#form', { action => "CustomerVendor/save_and_invoice" } ],
|
| 1109 | 1108 |
checks => [ 'check_taxzone_and_ustid' ], |
| 1109 |
disabled => $no_rights, |
|
| 1110 | 1110 |
], |
| 1111 | 1111 |
action => [ |
| 1112 | 1112 |
t8('Save and Order'),
|
| 1113 | 1113 |
submit => [ '#form', { action => "CustomerVendor/save_and_order" } ],
|
| 1114 | 1114 |
checks => [ 'check_taxzone_and_ustid' ], |
| 1115 |
disabled => $no_rights, |
|
| 1115 | 1116 |
], |
| 1116 | 1117 |
(action => [ |
| 1117 | 1118 |
t8('Save and RFQ'),
|
| 1118 | 1119 |
submit => [ '#form', { action => "CustomerVendor/save_and_rfq" } ],
|
| 1119 | 1120 |
checks => [ 'check_taxzone_and_ustid' ], |
| 1121 |
disabled => $no_rights, |
|
| 1120 | 1122 |
]) x !!$self->is_vendor, |
| 1121 | 1123 |
(action => [ |
| 1122 | 1124 |
t8('Save and Quotation'),
|
| 1123 | 1125 |
submit => [ '#form', { action => "CustomerVendor/save_and_quotation" } ],
|
| 1124 | 1126 |
checks => [ 'check_taxzone_and_ustid' ], |
| 1127 |
disabled => $no_rights, |
|
| 1125 | 1128 |
]) x !$self->is_vendor, |
| 1126 | 1129 |
], # end of combobox "Workflow" |
| 1127 | 1130 |
|
| ... | ... | |
| 1131 | 1134 |
confirm => t8('Do you really want to delete this object?'),
|
| 1132 | 1135 |
disabled => !$self->{cv}->id ? t8('This object has not been saved yet.')
|
| 1133 | 1136 |
: !$self->is_orphaned ? t8('This object has already been used.')
|
| 1134 |
: undef,
|
|
| 1137 |
: $no_rights,
|
|
| 1135 | 1138 |
], |
| 1136 | 1139 |
|
| 1137 | 1140 |
'separator', |
| ... | ... | |
| 1214 | 1217 |
}, |
| 1215 | 1218 |
customernumber => t8('Customer Number'),
|
| 1216 | 1219 |
}, |
| 1217 |
query => [ |
|
| 1218 |
( salesman_id => SL::DB::Manager::Employee->current->id) x !$::auth->assert('customer_vendor_all_edit', 1),
|
|
| 1219 |
], |
|
| 1220 | 1220 |
); |
| 1221 | 1221 |
} |
| 1222 | 1222 |
|
| SL/Controller/TopQuickSearch/Contact.pm | ||
|---|---|---|
| 8 | 8 |
use SL::DBUtils qw(selectfirst_array_query like); |
| 9 | 9 |
use SL::Locale::String qw(t8); |
| 10 | 10 |
|
| 11 |
sub auth { 'customer_vendor_edit' }
|
|
| 11 |
sub auth { undef }
|
|
| 12 | 12 |
|
| 13 | 13 |
sub name { 'contact' }
|
| 14 | 14 |
|
| SL/Controller/TopQuickSearch/Customer.pm | ||
|---|---|---|
| 6 | 6 |
|
| 7 | 7 |
use SL::Locale::String qw(t8); |
| 8 | 8 |
|
| 9 |
sub auth { 'customer_vendor_edit' }
|
|
| 9 |
sub auth { undef }
|
|
| 10 | 10 |
|
| 11 | 11 |
sub name { 'customer' }
|
| 12 | 12 |
|
| SL/Controller/TopQuickSearch/Vendor.pm | ||
|---|---|---|
| 6 | 6 |
|
| 7 | 7 |
use SL::Locale::String qw(t8); |
| 8 | 8 |
|
| 9 |
sub auth { 'customer_vendor_edit' }
|
|
| 9 |
sub auth { undef }
|
|
| 10 | 10 |
|
| 11 | 11 |
sub name { 'vendor' }
|
| 12 | 12 |
|
| bin/mozilla/ct.pl | ||
|---|---|---|
| 76 | 76 |
sub search {
|
| 77 | 77 |
$main::lxdebug->enter_sub(); |
| 78 | 78 |
|
| 79 |
$main::auth->assert('customer_vendor_edit');
|
|
| 80 |
|
|
| 81 | 79 |
my $form = $main::form; |
| 82 | 80 |
my $locale = $main::locale; |
| 83 | 81 |
|
| ... | ... | |
| 107 | 105 |
|
| 108 | 106 |
sub search_contact {
|
| 109 | 107 |
$::lxdebug->enter_sub; |
| 110 |
$::auth->assert('customer_vendor_edit');
|
|
| 111 | 108 |
|
| 112 | 109 |
$::form->{CUSTOM_VARIABLES} = CVar->get_configs('module' => 'Contacts');
|
| 113 | 110 |
($::form->{CUSTOM_VARIABLES_FILTER_CODE},
|
| ... | ... | |
| 128 | 125 |
sub list_names {
|
| 129 | 126 |
$main::lxdebug->enter_sub(); |
| 130 | 127 |
|
| 131 |
$main::auth->assert('customer_vendor_edit');
|
|
| 132 |
|
|
| 133 | 128 |
my $form = $main::form; |
| 134 | 129 |
my %myconfig = %main::myconfig; |
| 135 | 130 |
my $locale = $main::locale; |
| ... | ... | |
| 339 | 334 |
|
| 340 | 335 |
sub list_contacts {
|
| 341 | 336 |
$::lxdebug->enter_sub; |
| 342 |
$::auth->assert('customer_vendor_edit');
|
|
| 343 | 337 |
|
| 344 | 338 |
$::form->{sortdir} = 1 unless defined $::form->{sortdir};
|
| 345 | 339 |
|
| locale/de/all | ||
|---|---|---|
| 4058 | 4058 |
'You do not have permission to access this entry.' => 'Sie verfügen nicht über die Berechtigung, auf diesen Eintrag zuzugreifen.', |
| 4059 | 4059 |
'You do not have the permissions to access this function.' => 'Sie verfügen nicht über die notwendigen Rechte, um auf diese Funktion zuzugreifen.', |
| 4060 | 4060 |
'You don\'t have the rights to edit this customer.' => 'Sie verfügen nicht über die erforderlichen Rechte, um diesen Kunden zu bearbeiten.', |
| 4061 |
'You don\'t have the rights to edit this vendor.' => 'Sie verfügen nicht über die erforderlichen Rechte, um diesen Lieferanten zu bearbeiten.', |
|
| 4061 | 4062 |
'You have changed the currency or exchange rate. Please check prices.' => 'Die Währung oder der Wechselkurs hat sich geändert. Bitte überprüfen Sie die Preise.', |
| 4062 | 4063 |
'You have entered or selected the following shipping address for this customer:' => 'Sie haben die folgende Lieferadresse eingegeben oder ausgewählt:', |
| 4063 | 4064 |
'You have never worked with currencies.' => 'Sie haben noch nie mit Währungen gearbeitet.', |
| menus/user/00-erp.yaml | ||
|---|---|---|
| 34 | 34 |
name: Add Customer |
| 35 | 35 |
icon: customer_add |
| 36 | 36 |
order: 100 |
| 37 |
access: customer_vendor_edit |
|
| 37 |
access: customer_vendor_edit|customer_vendor_all_edit
|
|
| 38 | 38 |
params: |
| 39 | 39 |
action: CustomerVendor/add |
| 40 | 40 |
db: customer |
| ... | ... | |
| 43 | 43 |
name: Add Vendor |
| 44 | 44 |
icon: vendor_add |
| 45 | 45 |
order: 200 |
| 46 |
access: customer_vendor_edit |
|
| 46 |
access: customer_vendor_edit|customer_vendor_all_edit
|
|
| 47 | 47 |
params: |
| 48 | 48 |
action: CustomerVendor/add |
| 49 | 49 |
db: vendor |
| ... | ... | |
| 121 | 121 |
name: Customers |
| 122 | 122 |
icon: customer_report |
| 123 | 123 |
order: 100 |
| 124 |
access: customer_vendor_edit |
|
| 125 | 124 |
params: |
| 126 | 125 |
action: CustomerVendor/search |
| 127 | 126 |
db: customer |
| ... | ... | |
| 130 | 129 |
name: Vendors |
| 131 | 130 |
icon: vendor_report |
| 132 | 131 |
order: 200 |
| 133 |
access: customer_vendor_edit |
|
| 134 | 132 |
params: |
| 135 | 133 |
action: CustomerVendor/search |
| 136 | 134 |
db: vendor |
| ... | ... | |
| 138 | 136 |
id: master_data_reports_contacts |
| 139 | 137 |
name: Contacts |
| 140 | 138 |
order: 300 |
| 141 |
access: customer_vendor_edit |
|
| 142 | 139 |
params: |
| 143 | 140 |
action: CustomerVendor/search_contact |
| 144 | 141 |
db: customer |
Auch abrufbar als: Unified diff
Kunden-/Lieferantenstammdaten: Berechtigungsmodell gefixt
Neues Modell sieht wie folgt aus:
1. Alle Personen haben Leserechte auf alle Kunden- &
Lieferantenstammdaten. Das betrifft nicht nur die Stammdatenmasken,
sondern auch die AJAJ-Autovervollständigung (Kunden-/
Lieferanten-Picker) oder die Detail-Popup-Fenster in Einkaufs-/
Verkaufsbelegmasken.
2. Personen mit »edit«-Recht aber ohne »edit all«-Recht dürfen nur die
eigenen Kundenstammdaten verändern (speichern/löschen), wobei
»eigen« definiert ist als »aktuelle Person ist Verkäufer*in des
Kunden«. Neue Kunden dürfen angelegt werden. Bei Lieferanten dürfen
hingegen alle Stammdaten bearbeitet werden.
3. Personen mit »edit all«-Recht haben Vollzugriff auf alle Kunden- &
Lieferantenstammdaten.