From 5aba38fdaec2958a23f0ccaa57b4c951af1244ce Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 24 Jul 2020 13:03:31 +0200 Subject: [PATCH] Bug 24157: Handle the case where logged in user does not have edit_invoices This patch make possible the reopening and merging of invoices even if the logged in user does not have the edit_invoices permission I don't think it really makes sense but at least it's now possible. Signed-off-by: Alex Arnaud Signed-off-by: Jonathan Druart --- acqui/invoice.pl | 19 ++++++++++++++++++- .../prog/en/modules/acqui/invoice.tt | 2 ++ .../prog/en/modules/acqui/invoices.tt | 2 ++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/acqui/invoice.pl b/acqui/invoice.pl index 00f5ff2bb0..fa6dc26c1e 100755 --- a/acqui/invoice.pl +++ b/acqui/invoice.pl @@ -58,7 +58,10 @@ my $op = $input->param('op'); output_and_exit( $input, $cookie, $template, 'insufficient_permission' ) if $op - && not $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } ); + && ! $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } ) + && ! $logged_in_patron->has_permission( { acquisition => 'reopen_closed_invoices' } ) + && ! $logged_in_patron->has_permission( { acquisition => 'merge_invoices' } ) + && ! $logged_in_patron->has_permission( { acquisition => 'delete_invoices' } ); my $invoice_files; if ( C4::Context->preference('AcqEnableFiles') ) { @@ -67,6 +70,8 @@ if ( C4::Context->preference('AcqEnableFiles') ) { } if ( $op && $op eq 'close' ) { + output_and_exit( $input, $cookie, $template, 'insufficient_permission' ) + unless $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } ); CloseInvoice($invoiceid); my $referer = $input->param('referer'); if ($referer) { 
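Review bot: The entry check after `my $op` now passes when the patron holds any one of `edit_invoices`, `reopen_closed_invoices`, `merge_invoices` or `delete_invoices`, so it no longer authorizes any specific operation and every `$op` branch must enforce its own permission. This commit adds that check to `close`, `del_adj` and `mod_adj`, but the start of the `mod` branch and the `delete` and `merge` paths lie outside the hunks shown. It should be confirmed that a patron holding only `delete_invoices`, for example, cannot reach invoice-editing code there. I would record the contract above the condition, e.g. `# Coarse gate only: each $op branch below must check the specific permission it needs.`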
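Review bot: The two-line guard `output_and_exit(...) unless $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } )` added at the top of the `close` branch is repeated verbatim in the `mod`/`close` arm and in the `del_adj` and `mod_adj` branches later in this file. That repetition makes it easy to add a future branch without a guard. A small file-local helper that takes the permission name and does the check-and-exit (a call along the lines of `_require_acq_permission('edit_invoices');`, name to be chosen) would cut each call site to one line and make a missing check stand out in review. The `close` branch continues past the end of this hunk.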
@@ -101,6 +106,10 @@ elsif ( $op && $op eq 'mod' ) { ReopenInvoice($invoiceid) if $logged_in_patron->has_permission( { acquisition => 'reopen_closed_invoices' } ); } elsif ($input->param('close')) { + + output_and_exit( $input, $cookie, $template, 'insufficient_permission' ) + unless $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } ); + CloseInvoice($invoiceid); } elsif ($input->param('merge')) { @@ -127,11 +136,19 @@ elsif ( $op && $op eq 'delete' ) { } } elsif ( $op && $op eq 'del_adj' ) { + + output_and_exit( $input, $cookie, $template, 'insufficient_permission' ) + unless $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } ); + my $adjustment_id = $input->param('adjustment_id'); my $del_adj = Koha::Acquisition::Invoice::Adjustments->find( $adjustment_id ); $del_adj->delete() if ($del_adj); } elsif ( $op && $op eq 'mod_adj' ) { + + output_and_exit( $input, $cookie, $template, 'insufficient_permission' ) + unless $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } ); + my @adjustment_id = $input->multi_param('adjustment_id'); my @adjustment = $input->multi_param('adjustment'); my @reason = $input->multi_param('reason'); diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoice.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoice.tt index 10367982ba..2348004cd6 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoice.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoice.tt @@ -24,6 +24,8 @@
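Review bot: The new `edit_invoices` check sits inside the `elsif ($input->param('close'))` arm, so it runs after whatever the `mod` branch did before this hunk. If the invoice fields are written earlier in that branch (not visible here), a patron without `edit_invoices` sees the 'insufficient_permission' page only after the modification has been saved. The `merge` arm that follows shows no `merge_invoices` check within the hunk, and the `reopen` arm silently skips `ReopenInvoice` where `close` now exits with an error. I would work out the required permission from the `reopen`/`close`/`merge` parameters at the top of the `mod` branch, before any write, and fail the same way in all three arms.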
+ [% INCLUDE 'blocking_errors.inc' %] + [% IF ( modified ) %]

Invoice has been modified

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoices.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoices.tt index 57aeb2749b..4536842f41 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoices.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoices.tt @@ -20,6 +20,8 @@
+ [% INCLUDE 'blocking_errors.inc' %] +

Invoices

[% IF ( do_search ) %] [% IF invoices %] -- 2.39.5