Bug 24157: Handle the case where logged in user does not have edit_invoices
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Fri, 24 Jul 2020 11:03:31 +0000 (13:03 +0200)
committerJonathan Druart <jonathan.druart@bugs.koha-community.org>
Thu, 30 Jul 2020 15:30:23 +0000 (17:30 +0200)
This patch makes it possible to reopen and merge invoices even if
the logged in user does not have the edit_invoices permission

I don't think it really makes sense but at least it's now possible.

Signed-off-by: Alex Arnaud <alex.arnaud@biblibre.com>

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>

acqui/invoice.pl
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoice.tt
koha-tmpl/intranet-tmpl/prog/en/modules/acqui/invoices.tt

index 00f5ff2..fa6dc26 100755 (executable)
@@ -58,7 +58,10 @@ my $op        = $input->param('op');
 
 output_and_exit( $input, $cookie, $template, 'insufficient_permission' )
   if $op
-  && not $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } );
+  && ! $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } )
+  && ! $logged_in_patron->has_permission( { acquisition => 'reopen_closed_invoices' } )
+  && ! $logged_in_patron->has_permission( { acquisition => 'merge_invoices' } )
+  && ! $logged_in_patron->has_permission( { acquisition => 'delete_invoices' } );
 
 my $invoice_files;
 if ( C4::Context->preference('AcqEnableFiles') ) {
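Review bot: With this condition, any one of the four permissions lets a request with any `op` past the top-level gate, so authorization now rests entirely on the per-branch checks. The later hunks add `edit_invoices` checks to `close`, `mod`/close, `del_adj` and `mod_adj`, but the start of the `mod` branch and the bodies of the `delete` and merge branches lie outside the hunks shown. It is worth confirming that each of them checks its own permission, otherwise a patron holding only, say, `delete_invoices` could reach code meant for `edit_invoices`. A comment above the statement would record the contract: `# Coarse gate only: every op branch below must check the specific permission it needs.`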
@@ -67,6 +70,8 @@ if ( C4::Context->preference('AcqEnableFiles') ) {
 }
 
 if ( $op && $op eq 'close' ) {
+    output_and_exit( $input, $cookie, $template, 'insufficient_permission' )
+        unless $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } );
     CloseInvoice($invoiceid);
     my $referer = $input->param('referer');
     if ($referer) {
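Review bot: The two-line `output_and_exit( ... ) unless $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } )` guard added here is repeated verbatim in the `mod`/close, `del_adj` and `mod_adj` hunks, so a branch added later without it would be reachable by anyone who passes the loosened top-level gate. A small file-local helper that takes the sub-permission name would reduce each call site to one line, for example `require_permission('edit_invoices');` (helper name is a suggestion), and make a missing check easier to spot in review. The `close` branch continues past the end of this hunk.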
@@ -101,6 +106,10 @@ elsif ( $op && $op eq 'mod' ) {
         ReopenInvoice($invoiceid)
             if $logged_in_patron->has_permission( { acquisition => 'reopen_closed_invoices' } );
     } elsif ($input->param('close')) {
+
+        output_and_exit( $input, $cookie, $template, 'insufficient_permission' )
+            unless $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } );
+
         CloseInvoice($invoiceid);
     } elsif ($input->param('merge')) {
 
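Review bot: The new close guard stops the request with `insufficient_permission`, while the reopen path just above it still uses a postfix `if` and silently does nothing when the patron lacks `reopen_closed_invoices`, so the two sub-actions of `mod` now fail in different ways. Making reopen fail the same way gives the user a visible denial: put `output_and_exit( $input, $cookie, $template, 'insufficient_permission' ) unless $logged_in_patron->has_permission( { acquisition => 'reopen_closed_invoices' } );` before an unconditional `ReopenInvoice($invoiceid);`. The `mod` branch starts before this hunk and the merge branch runs past it, so whether merge checks `merge_invoices` cannot be seen here.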
@@ -127,11 +136,19 @@ elsif ( $op && $op eq 'delete' ) {
     }
 }
 elsif ( $op && $op eq 'del_adj' ) {
+
+    output_and_exit( $input, $cookie, $template, 'insufficient_permission' )
+        unless $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } );
+
     my $adjustment_id  = $input->param('adjustment_id');
     my $del_adj = Koha::Acquisition::Invoice::Adjustments->find( $adjustment_id );
     $del_adj->delete() if ($del_adj);
 }
 elsif ( $op && $op eq 'mod_adj' ) {
+
+    output_and_exit( $input, $cookie, $template, 'insufficient_permission' )
+        unless $logged_in_patron->has_permission( { acquisition => 'edit_invoices' } );
+
     my @adjustment_id  = $input->multi_param('adjustment_id');
     my @adjustment     = $input->multi_param('adjustment');
     my @reason         = $input->multi_param('reason');
index 1036798..2348004 100644 (file)
@@ -24,6 +24,8 @@
         <div class="col-sm-10 col-sm-push-2">
             <main>
 
+                [% INCLUDE 'blocking_errors.inc' %]
+
       [% IF ( modified ) %]
         <div class="dialog message">
           <p>Invoice has been modified</p>
index 57aeb27..4536842 100644 (file)
@@ -20,6 +20,8 @@
         <div class="col-sm-10 col-sm-push-2">
             <main>
 
+                [% INCLUDE 'blocking_errors.inc' %]
+
       <h1>Invoices</h1>
       [% IF ( do_search ) %]
         [% IF invoices %]