Prevent approving draft transaction by user who don't have permission

ledgersmb · Sep 14, 2021 · 7f1c4fb · 7f1c4fb
1 parent 2fd0372
commit 7f1c4fb
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 18 deletions.
diff --git a/old/bin/aa.pl b/old/bin/aa.pl
@@ -949,7 +949,8 @@ sub form_footer {
             $hold_text = $locale->text('On Hold');
         }
 
-
+# REMARK: According to the check below, post_as_new and delete button never render
+# Why post_as_new and delete are exist?
         %button = (
             'update' => { ndx => 1, key => 'U', value => $locale->text('Update') },
             'copy_to_new' => { ndx => 2, key => 'C', value => $locale->text('Copy to New') },
@@ -979,6 +980,10 @@ sub form_footer {
            if (!$form->is_allowed_role(['draft_modify'])){
                delete $button{edit_and_save};
            }
+# Approve button should not render if user don't have permission
+           if (!$form->is_allowed_role(['draft_post'])) {
+             delete $button{approve};
+           }
            delete $button{post_as_new};
            delete $button{post};
         }
@@ -993,9 +998,10 @@ sub form_footer {
             $form->hide_form('separate_duties');
         }
         if ( $form->{id}) {
-            for ( "post","delete" ) {
+            for ( "post", "delete", "post_as_new" ) {
                 delete $button{$_};
             }
+            delete $button{'update'} unless $is_draft;
         }
         elsif (!$form->{id}) {
 
@@ -1010,12 +1016,6 @@ sub form_footer {
                 }
             }
         }
-        if ($form->{id}){
-            for ( "post_as_new"){
-               delete $button{$_};
-            }
-            delete $button{'update'} unless $is_draft;
-        }
 
         if (defined $button{'print'}) {
             # Don't show the print selectors, if there's no "Print" button

diff --git a/old/bin/gl.pl b/old/bin/gl.pl
@@ -265,8 +265,13 @@ sub display_form
               $a{$_} = 1;
           }
           if (!$form->{approved} && !$form->{batch_id}) {
-              $a{approve} = 1;
-              $a{edit_and_save} = 1;
+            #   Need to check for draft_modify and draft_post
+            if ($form->is_allowed_role(['draft_post'])) {
+                $a{approve} = 1;
+            }
+            if ($form->is_allowed_role(['draft_modify'])) {
+                $a{edit_and_save} = 1;
+            }
               $a{update} = 1;
           }
       } else {

diff --git a/old/bin/ir.pl b/old/bin/ir.pl
@@ -551,10 +551,12 @@ sub form_header {
             my $is_draft = 0;
             if (!$form->{approved}){
                $is_draft = 1;
-               $button{approve} = {
-                       ndx   => 3,
-                       key   => 'O',
-                       value => $locale->text('Post') };
+               if ($form->is_allowed_role(['draft_post'])) {
+                 $button{approve} = {
+                   ndx   => 3,
+                   key   => 'O',
+                   value => $locale->text('Post') };
+               }
                if ($form->is_allowed_role(['draft_modify'])){
                    $button{edit_and_save} = {
                        ndx   => 4,

diff --git a/old/bin/is.pl b/old/bin/is.pl
@@ -620,10 +620,12 @@ sub form_header {
             if (!$form->{approved} && !$form->{batch_id}){
                if (!$form->{batch_id}){
                    $is_draft = 1;
-                   $button{approve} = {
-                       ndx   => 3,
-                       key   => 'O',
-                       value => $locale->text('Post') };
+                   if ($form->is_allowed_role(['draft_post'])) {
+                       $button{approve} = {
+                           ndx   => 3,
+                           key   => 'O',
+                           value => $locale->text('Post') };
+                   }
                    if ($form->is_allowed_role(['draft_modify'])){
                        $button{edit_and_save} = {
                            ndx   => 4,