Koha/acqui/booksellers.pl
Robin Sheat 9966d218ae Bug 6824 - correctly check basket viewing permissions
Previously you couldn't view baskets that you hadn't created, unless you
were superlibrarian due to a bug. Now people with the right permissions
can see the baskets.

Applies to both 3.04.04 and master.

Signed-off-by: Brendan <info@bywatersolutions.com>
Signed-off-by: Melia Meggs <melia@bywatersolutions.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
2011-09-23 11:47:25 +12:00


#!/usr/bin/perl
#script to show suppliers and orders
# Copyright 2000-2002 Katipo Communications
# Copyright 2008-2009 BibLibre SARL
# Copyright 2010 PTFS Europe
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it under the
# terms of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
#
# Koha is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with Koha; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
=head1 NAME
booksellers.pl
=head1 DESCRIPTION
This script displays the list of suppliers and their baskets matching the C<$supplier> string given as an input argument.
The page thus offers several features: displaying a supplier's details,
adding an order for a specific supplier, or simply adding a new supplier.
=head1 CGI PARAMETERS
=over 4
=item supplier
C<$supplier> is the string with which we search for a supplier
=item id or supplierid
The id of the supplier whose baskets we will display
=back
=cut
use strict;
use warnings;
use C4::Auth;
use C4::Biblio;
use C4::Output;
use CGI;
use C4::Dates qw/format_date/;
use C4::Bookseller qw/ GetBookSellerFromId GetBookSeller /;
use C4::Members qw/GetMember/;
# Build the CGI object and authenticate the request.  get_template_and_user()
# (C4::Auth) is asked for a login (authnotrequired => 0) and for at least one
# acquisition sub-permission (flagsrequired acquisition => '*') before the
# template, the borrowernumber of the logged-in user and the session cookie
# are handed back.
my $query = CGI->new();

my %auth_args = (
    template_name   => 'acqui/booksellers.tmpl',
    query           => $query,
    type            => 'intranet',
    authnotrequired => 0,
    flagsrequired   => { acquisition => '*' },
    debug           => 1,
);
my ( $template, $loggedinuser, $cookie ) = get_template_and_user( \%auth_args );
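#parameters
# Free-text search string for a supplier name.
my $supplier = $query->param('supplier');

# A supplier id may arrive under either name; 'id' takes precedence.
my $id = $query->param('id') || $query->param('supplierid');

# Look the vendor up by id when one is given, otherwise search by name.
# GetBookSellerFromId() yields undef when no row matches; pushing that undef
# would produce a ghost vendor entry (and a basket lookup on an undef id), so
# only keep a real record.
my @suppliers;
if ($id) {
    my $vendor = GetBookSellerFromId($id);
    push @suppliers, $vendor if $vendor;
}
else {
    @suppliers = GetBookSeller($supplier);
}

# With exactly one match the page header shows that vendor's name and id.
my $supplier_count = scalar @suppliers;
if ( $supplier_count == 1 ) {
    $template->param(
        supplier_name => $suppliers[0]->{'name'},
        id            => $suppliers[0]->{'id'},
    );
}

# Resolve the logged-in borrowernumber to a userid (haspermission() wants the
# userid, not the borrowernumber).  GetMember() may return undef if the
# borrower row cannot be found; dereferencing that would die under strict
# refs, so guard it and leave $uid undef instead.
my $uid;
if ($loggedinuser) {
    my $member = GetMember( borrowernumber => $loggedinuser );
    $uid = $member->{userid} if $member;
}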
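#build result page
# A basket is shown when the logged-in user created it (authorisedby) or
# holds an acquisition permission.  The permission lookup depends only on
# $uid, so evaluate it once here rather than once per basket inside the
# nested loops (haspermission() is a database lookup).
# NOTE(review): flagsrequired for this page already demands acquisition => '*',
# so this check appears to always pass for any user who reaches this script;
# confirm whether a narrower sub-permission was intended for viewing other
# people's baskets.
my $can_view_all = haspermission( $uid, { acquisition => q{*} } );

my $loop_suppliers = [];
for my $vendor (@suppliers) {
    my $baskets     = get_vendors_baskets( $vendor->{id} );
    my $loop_basket = [];

    for my $basket ( @{$baskets} ) {
        my $is_owner = $basket->{authorisedby}
            && $basket->{authorisedby} eq $loggedinuser;
        next unless $is_owner || $can_view_all;

        # Render the basket dates in the configured display format.
        for my $date_field (qw( creationdate closedate )) {
            if ( $basket->{$date_field} ) {
                $basket->{$date_field} = format_date( $basket->{$date_field} );
            }
        }
        push @{$loop_basket}, $basket;
    }

    push @{$loop_suppliers},
        {
        loop_basket => $loop_basket,
        supplierid  => $vendor->{id},
        name        => $vendor->{name},
        active      => $vendor->{active},
        };
}

$template->param(
    loop_suppliers => $loop_suppliers,
    supplier       => ( $id || $supplier ),
    count          => $supplier_count,
);

output_html_with_http_headers $query, $cookie, $template->output;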
# Fetch the baskets of one vendor that still have something outstanding
# (an order not fully received, or no orders at all) and are not cancelled,
# each row carrying the authorising borrower's name and a row count.
#
# Parameter: $supplier_id - the bookseller id; it is bound as a placeholder,
#            so it never reaches the SQL text as a string.
# Returns:   arrayref of hashrefs, one per basket (column name => value).
#
# NOTE(review): because of the LEFT JOIN, count(*) is 1 for a basket with no
# orders rather than 0, so 'total' cannot tell "one order" from "none".
# C4::Context is not use'd by this file and is presumably loaded transitively
# (via C4::Auth); an explicit `use C4::Context;` would make that dependency
# visible.
sub get_vendors_baskets {
    my ($supplier_id) = @_;

    my $sql = <<'ENDSQL';
select aqbasket.*, count(*) as total, borrowers.firstname, borrowers.surname
from aqbasket left join aqorders on aqorders.basketno = aqbasket.basketno
left join borrowers on aqbasket.authorisedby = borrowers.borrowernumber
where booksellerid = ?
AND ( aqorders.quantity > aqorders.quantityreceived OR quantityreceived IS NULL)
AND datecancellationprinted IS NULL
group by basketno
ENDSQL

    my $dbh     = C4::Context->dbh;
    my $baskets = $dbh->selectall_arrayref( $sql, { Slice => {} }, $supplier_id );
    return $baskets;
}