- Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted
+ Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted
by {{voucher.Poster}}
\ No newline at end of file
diff --git a/brewman/brewman/static/partial/journal.html b/brewman/brewman/static/partial/journal.html
index 9f36d3f5..c4e5d397 100644
--- a/brewman/brewman/static/partial/journal.html
+++ b/brewman/brewman/static/partial/journal.html
@@ -69,18 +69,18 @@
- Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted
+ Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted
by {{voucher.Poster}}
- Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted
+ Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted
by {{voucher.Poster}}
- Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}.
+ Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}.
Posted
by {{voucher.Poster}}
- Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted
+ Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted
by {{voucher.Poster}}
diff --git a/brewman/brewman/static/scripts/issue.js b/brewman/brewman/static/scripts/issue.js
index f73cb8cc..ee0d087e 100644
--- a/brewman/brewman/static/scripts/issue.js
+++ b/brewman/brewman/static/scripts/issue.js
@@ -115,6 +115,18 @@
});
};
+ $scope.preventAlteration = function (voucher) {
+ if (typeof voucher.VoucherID === 'undefined') {
+ return !$scope.perms['Issue'];
+ } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
+ return true;
+ } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) {
+ return true;
+ } else {
+ return false;
+ }
+ };
+
$scope.get = function (voucherid) {
$scope.voucher = Voucher.get({id:voucherid}, function (u, putResponseHeaders) {
$location.path('/Issue/' + u.VoucherID);
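Review bot: For an existing voucher, `preventAlteration` never consults the voucher-type permission: the `$scope.perms['Issue']` check on the second line only runs when `VoucherID` is undefined, so a user lacking that permission who owns an unposted Issue voucher gets an editable form that the server will then reject (the DELETE path via `check_delete_permissions`, and presumably the update view's `permission=` as the Journal one in update_voucher.py shows). The identical function is pasted into journal.js, payment.js, purchase.js and receipt.js with only the permission key changed, so one shared helper taking the type name would keep the five copies from drifting; `!==` is also the idiomatic comparison here, since both ids arrive from the JSON API and `!=` adds nothing. This remains a UI gate — the server-side checks in update_voucher.py and check_delete_permissions are the authoritative ones. A version that mirrors the server's ordering is below.
```javascript
  $scope.preventAlteration = function (voucher) {
    // UI gate only; the server re-checks these rules on PUT/DELETE.
    if (!$scope.perms['Issue']) {
      return true;
    }
    if (typeof voucher.VoucherID === 'undefined') {
      return false;
    }
    if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
      return true;
    }
    return voucher.User.UserID !== $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"];
  };
```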
diff --git a/brewman/brewman/static/scripts/journal.js b/brewman/brewman/static/scripts/journal.js
index d76b8bf8..f151859d 100644
--- a/brewman/brewman/static/scripts/journal.js
+++ b/brewman/brewman/static/scripts/journal.js
@@ -1,10 +1,5 @@
-function JournalCtrl($scope, $routeParams, $location, Voucher) {
- if (typeof $routeParams.id === 'undefined'){
- $scope.voucher = Voucher.get({type:'Journal'});
- } else {
- $scope.voucher = Voucher.get({id:$routeParams.id});
- }
-
+function JournalCtrl($scope, $location, voucher) {
+ $scope.voucher = voucher;
$scope.name = '';
$scope.debit = 1;
$scope.addJournal = function () {
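Review bot: `Voucher` is dropped from the controller's injection list on the new signature line, but `$scope.get` (visible as context in the next hunk, `$scope.voucher = Voucher.get({VoucherID:voucherid}, ...)`) still calls it, so that method will throw a ReferenceError at runtime unless `Voucher` also happens to be a global. Keep the service injected alongside the resolved value: `function JournalCtrl($scope, $location, voucher, Voucher) {`. JournalCtrl's body continues past this hunk, so other uses of `Voucher` or the removed `$routeParams` further down cannot be checked from here.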
@@ -45,6 +40,18 @@
$scope.amount = Math.abs(amount);
}, true);
+ $scope.preventAlteration = function (voucher) {
+ if (typeof voucher.VoucherID === 'undefined') {
+ return !$scope.perms['Journal'];
+ } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
+ return true;
+ } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) {
+ return true;
+ } else {
+ return false;
+ }
+ };
+
$scope.get = function (voucherid) {
$scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) {
$scope.toasts.push({Type:'Success', Message:u.Code});
@@ -79,3 +86,23 @@
});
};
}
+
+JournalCtrl.resolve = {
+ voucher:function ($q, $route, Voucher) {
+ var deferred = $q.defer();
+
+ var id = $route.current.params.id;
+
+ var successCb = function (result) {
+ deferred.resolve(result);
+ };
+
+ if (typeof id === 'undefined') {
+ Voucher.get({type:'Journal'}, successCb);
+ } else {
+ Voucher.get({id:id}, successCb);
+ }
+ return deferred.promise;
+ }
+
+}
\ No newline at end of file
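Review bot: The resolve only ever resolves the deferred: `successCb` is the sole callback passed to `Voucher.get`, so if the request fails (a bad `:id`, a 403, a network error) the promise stays pending, the `/Journal` route never renders, and nothing reaches `$routeChangeError`. Pass a rejection callback as well: `var errorCb = function (reason) { deferred.reject(reason); };`, then `Voucher.get({type:'Journal'}, successCb, errorCb);` and `Voucher.get({id:id}, successCb, errorCb);`. The deferred wrapper is otherwise reasonable for a callback-style `$resource`; if the project's Angular version exposes `$promise` on the returned object, returning that directly would be simpler, but the hunk does not show which version is in use.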
diff --git a/brewman/brewman/static/scripts/overlord.js b/brewman/brewman/static/scripts/overlord.js
index 1ff13de1..9c807e1a 100644
--- a/brewman/brewman/static/scripts/overlord.js
+++ b/brewman/brewman/static/scripts/overlord.js
@@ -7,8 +7,8 @@ var overlord = angular.module('overlord', ['overlord.directive', 'overlord.filte
when('/login', {templateUrl:'/partial/login.html', controller:LoginCtrl}).
when('/logout', {templateUrl:'/partial/home.html', controller:LogoutCtrl}).
- when('/Journal', {templateUrl:'/partial/journal.html', controller:JournalCtrl}).
- when('/Journal/:id', {templateUrl:'/partial/journal.html', controller:JournalCtrl}).
+ when('/Journal', {templateUrl:'/partial/journal.html', controller:JournalCtrl, resolve:JournalCtrl.resolve}).
+ when('/Journal/:id', {templateUrl:'/partial/journal.html', controller:JournalCtrl, resolve:JournalCtrl.resolve}).
when('/Payment', {templateUrl:'/partial/payment.html', controller:PaymentCtrl}).
when('/Payment/:id', {templateUrl:'/partial/payment.html', controller:PaymentCtrl}).
diff --git a/brewman/brewman/static/scripts/payment.js b/brewman/brewman/static/scripts/payment.js
index 619c6acb..cab9af63 100644
--- a/brewman/brewman/static/scripts/payment.js
+++ b/brewman/brewman/static/scripts/payment.js
@@ -51,6 +51,18 @@
}
}, true);
+ $scope.preventAlteration = function (voucher) {
+ if (typeof voucher.VoucherID === 'undefined') {
+ return !$scope.perms['Payment'];
+ } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
+ return true;
+ } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) {
+ return true;
+ } else {
+ return false;
+ }
+ };
+
$scope.get = function (voucherid) {
$scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) {
$scope.toasts.push({Type:'Success', Message:u.Code});
diff --git a/brewman/brewman/static/scripts/purchase.js b/brewman/brewman/static/scripts/purchase.js
index 5ddc6225..ad8f490c 100644
--- a/brewman/brewman/static/scripts/purchase.js
+++ b/brewman/brewman/static/scripts/purchase.js
@@ -62,6 +62,18 @@
}
}, true);
+ $scope.preventAlteration = function (voucher) {
+ if (typeof voucher.VoucherID === 'undefined') {
+ return !$scope.perms['Purchase'];
+ } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
+ return true;
+ } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) {
+ return true;
+ } else {
+ return false;
+ }
+ };
+
$scope.get = function (voucherid) {
$scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) {
$scope.toasts.push({Type:'Success', Message:u.Code});
diff --git a/brewman/brewman/static/scripts/receipt.js b/brewman/brewman/static/scripts/receipt.js
index 3c497119..a43f8299 100644
--- a/brewman/brewman/static/scripts/receipt.js
+++ b/brewman/brewman/static/scripts/receipt.js
@@ -51,6 +51,18 @@
}
}, true);
+ $scope.preventAlteration = function (voucher) {
+ if (typeof voucher.VoucherID === 'undefined') {
+ return !$scope.perms['Receipt'];
+ } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
+ return true;
+ } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) {
+ return true;
+ } else {
+ return false;
+ }
+ };
+
$scope.get = function (voucherid) {
$scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) {
$scope.toasts.push({Type:'Success', Message:u.Code});
diff --git a/brewman/brewman/views/services/session.py b/brewman/brewman/views/services/session.py
index 4aca86b0..9712ddc8 100644
--- a/brewman/brewman/views/services/session.py
+++ b/brewman/brewman/views/services/session.py
@@ -36,7 +36,7 @@ def user_permission(request):
auth = {'isAuthenticated': False, 'perms': {}}
else:
user = User.get_by_id(uuid.UUID(user_id))
- auth = {'isAuthenticated': True, 'Name': user.name}
+ auth = {'isAuthenticated': True, 'Name': user.name, 'UserID': user.id}
session_perms = request.session['perms']
perms = {}
for item in Role.list():
diff --git a/brewman/brewman/views/services/voucher/__init__.py b/brewman/brewman/views/services/voucher/__init__.py
index f69d5806..b8c228d2 100644
--- a/brewman/brewman/views/services/voucher/__init__.py
+++ b/brewman/brewman/views/services/voucher/__init__.py
@@ -32,10 +32,30 @@ def voucher_post(request):
return response
+def check_delete_permissions(request, voucher):
+ user = User.get_by_id(uuid.UUID(authenticated_userid(request)))
+ permissions = request.session['perms']
+ if voucher.posted and not 'Edit Posted Vouchers' in permissions:
+ response = Response("You are not allowed to edit posted vouchers")
+ response.status_int = 403
+ return response
+ elif voucher.user_id != user.id and "Edit Other User's Vouchers" not in permissions:
+ response = Response("You are not allowed to edit other user's vouchers")
+ response.status_int = 403
+ return response
+ elif VoucherType.by_id(voucher.type).name not in permissions:
+ response = Response("You are not allowed (0) vouchers".format(VoucherType.by_id(voucher.type).name))
+ response.status_int = 403
+ return response
+
+
@view_config(request_method='DELETE', route_name='voucher', renderer='json', xhr=True)
def delete(request):
id = request.matchdict.get('id', None)
voucher = Voucher.by_id(uuid.UUID(id))
+ permission = check_delete_permissions(request, voucher)
+ if permission is not None:
+ return permission
json_voucher = voucher_info(voucher)
if voucher.type == 'Issue':
for item in voucher.journals:
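Review bot: The third branch's message is never formatted: `"You are not allowed (0) vouchers".format(...)` uses `(0)` instead of `{0}`, so the voucher-type name is discarded and the client receives the literal text "You are not allowed (0) vouchers". That branch also resolves `VoucherType.by_id(voucher.type)` twice; bind it once with `name = VoucherType.by_id(voucher.type).name`, `elif name not in permissions:`, `response = Response("You are not allowed to delete {0} vouchers".format(name))`. The first two messages say "edit" although this guards the DELETE view, and `not 'Edit Posted Vouchers' in permissions` reads more consistently with the following branch as `'Edit Posted Vouchers' not in permissions`. The same two posted/owner checks are repeated in `update_voucher.__init__` in update_voucher.py in this diff; a single helper returning the 403 `Response` or `None` would keep the two paths from drifting apart.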
@@ -86,7 +106,7 @@ def voucher_info(voucher):
'Inventories': [],
'CreationDate': voucher.creation_date.strftime('%d-%b-%Y %H:%M'),
'LastEditDate': voucher.last_edit_date.strftime('%d-%b-%Y %H:%M'),
- 'User': voucher.user.name,
+ 'User': {'UserID': voucher.user.id, 'Name': voucher.user.name},
'Poster': voucher.poster.name if voucher.posted else ''}
for item in voucher.journals:
json_voucher['Journals'].append({'JournalID': item.id, 'Debit': item.debit, 'Amount': item.amount,
diff --git a/brewman/brewman/views/services/voucher/update_voucher.py b/brewman/brewman/views/services/voucher/update_voucher.py
index ed1b2818..78268b03 100644
--- a/brewman/brewman/views/services/voucher/update_voucher.py
+++ b/brewman/brewman/views/services/voucher/update_voucher.py
@@ -1,6 +1,6 @@
import uuid
from pyramid.response import Response
-from pyramid.security import authenticated_userid, has_permission, Denied
+from pyramid.security import authenticated_userid
from pyramid.view import view_defaults, view_config
import transaction
from brewman.models.auth import User
@@ -18,10 +18,18 @@ class update_voucher(object):
self.user = User.get_by_id(uuid.UUID(authenticated_userid(request)))
self.voucher = Voucher.by_id(uuid.UUID(request.matchdict.get('id', None)))
self.json = request.json_body
- permission = Denied
- if self.voucher.posted:
- permission = has_permisson('EditPosted', None, request)
+ permissions = request.session['perms']
+ if self.voucher.posted and not 'Edit Posted Vouchers' in permissions:
+ response = Response("You are not allowed to edit posted vouchers")
+ response.status_int = 403
+ self.error = response
+ elif self.voucher.user_id != self.user.id and "Edit Other User's Vouchers" not in permissions:
+ response = Response("You are not allowed to edit other user's vouchers")
+ response.status_int = 403
+ self.error = response
+ else:
+ self.error = None
@view_config(request_param='type=Journal', permission='Journal')
@@ -49,6 +57,8 @@ class update_voucher(object):
return self.update()
def update(self):
+ if self.error is not None:
+ return self.error
try:
if self.json['Type'] in ['Journal', 'Payment', 'Receipt']:
voucher = journal_update_voucher(self.voucher, self.json, self.user)