Voucher permissions done (hopefully).

Backdated voucher check still pending

brewman/brewman/static/partial/issue.html

@@ -118,18 +118,18 @@
     </div>
     <div class="form-actions">
         <button class="btn btn-primary" ng-click="save()"
-                ng-disabled="!perms['Issue']">{{voucher.Code | save_button}}
+                ng-disabled="preventAlteration(voucher)">{{voucher.Code | save_button}}
         </button>
         <button class="btn btn-danger" ng-click="resetVoucher(voucher.VoucherID)" ng-hide="voucher.Code == '(Auto)'">
             New Entry
         </button>
         <button class="btn btn-danger" ng-click="delete()" ng-hide="voucher.Code == '(Auto)'"
-                ng-disabled="!perms['Issue']">
+                ng-disabled="preventAlteration(voucher)">
             Delete
         </button>
     </div>
     <div class="row-fluid">
-        Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted
+        Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted
         by {{voucher.Poster}}
     </div>
 </form>

brewman/brewman/static/partial/journal.html

@@ -69,18 +69,18 @@
     </div>
     <div class="form-actions">
         <button class="btn btn-primary" ng-click="save()"
-                ng-disabled="!perms['Journal']">{{voucher.Code | save_button}}
+                ng-disabled="preventAlteration(voucher)">{{voucher.Code | save_button}}
         </button>
         <button class="btn btn-inverse" ng-click="post()" ng-hide="voucher.Code == '(Auto)'"
                 ng-disabled="voucher.Posted || !perms['Post Vouchers']">{{voucher.Posted | posted}}
         </button>
         <button class="btn btn-danger" ng-click="delete()" ng-hide="voucher.Code == '(Auto)'"
-                ng-disabled="!perms['Journal'] || (voucher.Posted && !perms['Edit Posted Vouchers'])">
+                ng-disabled="preventAlteration(voucher)">
             Delete
         </button>
     </div>
     <div class="row-fluid">
-        Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted
+        Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted
         by {{voucher.Poster}}
     </div>
 </form>

brewman/brewman/static/partial/payment.html

@@ -78,18 +78,18 @@
     </div>
     <div class="form-actions">
         <button class="btn btn-primary" ng-click="save()"
-                ng-disabled="!perms['Payment']">{{voucher.Code | save_button}}
+                ng-disabled="preventAlteration(voucher)">{{voucher.Code | save_button}}
         </button>
         <button class="btn btn-inverse" ng-click="post()" ng-hide="voucher.Code == '(Auto)'"
                 ng-disabled="voucher.Posted || !perms['Post Vouchers']">{{voucher.Posted | posted}}
         </button>
         <button class="btn btn-danger" ng-click="delete()" ng-hide="voucher.Code == '(Auto)'"
-                ng-disabled="!perms['Payment'] || (voucher.Posted && !perms['Edit Posted Vouchers'])">
+                ng-disabled="preventAlteration(voucher)">
             Delete
         </button>
     </div>
     <div class="row-fluid">
-        Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted
+        Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted
         by {{voucher.Poster}}
     </div>
 </form>

brewman/brewman/static/partial/purchase.html

@@ -93,18 +93,18 @@
     </div>
     <div class="form-actions">
         <button class="btn btn-primary" ng-click="save()"
-                ng-disabled="!perms['Purchase']">{{voucher.Code | save_button}}
+                ng-disabled="preventAlteration(voucher)">{{voucher.Code | save_button}}
         </button>
         <button class="btn btn-inverse" ng-click="post()" ng-hide="voucher.Code == '(Auto)'"
                 ng-disabled="voucher.Posted || !perms['Post Vouchers']">{{voucher.Posted | posted}}
         </button>
         <button class="btn btn-danger" ng-click="delete()" ng-hide="voucher.Code == '(Auto)'"
-                ng-disabled="!perms['Purchase'] || (voucher.Posted && !perms['Edit Posted Vouchers'])">
+                ng-disabled="preventAlteration(voucher)">
             Delete
         </button>
     </div>
     <div class="row-fluid">
-        Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}.
+        Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}.
         Posted
         by {{voucher.Poster}}
     </div>

brewman/brewman/static/partial/receipt.html

@@ -78,18 +78,18 @@
     </div>
     <div class="form-actions">
         <button class="btn btn-primary" ng-click="save()"
-                ng-disabled="!perms['Receipt']">{{voucher.Code | save_button}}
+                ng-disabled="preventAlteration(voucher)">{{voucher.Code | save_button}}
         </button>
         <button class="btn btn-inverse" ng-click="post()" ng-hide="voucher.Code == '(Auto)'"
                 ng-disabled="voucher.Posted || !perms['Post Vouchers']">{{voucher.Posted | posted}}
         </button>
         <button class="btn btn-danger" ng-click="delete()" ng-hide="voucher.Code == '(Auto)'"
-                ng-disabled="!perms['Receipt'] || (voucher.Posted && !perms['Edit Posted Vouchers'])">
+                ng-disabled="preventAlteration(voucher)">
             Delete
         </button>
     </div>
     <div class="row-fluid">
-        Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User}}. Posted
+        Created on {{voucher.CreationDate}} and Last Edited on {{voucher.LastEditDate}} by {{voucher.User.Name}}. Posted
         by {{voucher.Poster}}
     </div>
 </form>

brewman/brewman/static/scripts/issue.js

@@ -115,6 +115,18 @@
         });
     };
 
+    $scope.preventAlteration = function (voucher) {
+        if (typeof voucher.VoucherID === 'undefined') {
+            return !$scope.perms['Issue'];
+        } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
+            return true;
+        } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) {
+            return true;
+        } else {
+            return false;
+        }
+    };
+
     $scope.get = function (voucherid) {
         $scope.voucher = Voucher.get({id:voucherid}, function (u, putResponseHeaders) {
             $location.path('/Issue/' + u.VoucherID);

brewman/brewman/static/scripts/journal.js

@@ -1,10 +1,5 @@
-function JournalCtrl($scope, $routeParams, $location, Voucher) {
+function JournalCtrl($scope, $location, voucher) {
-    if (typeof $routeParams.id === 'undefined'){
+    $scope.voucher = voucher;
-        $scope.voucher = Voucher.get({type:'Journal'});
-    } else {
-        $scope.voucher = Voucher.get({id:$routeParams.id});
-    }
-
     $scope.name = '';
     $scope.debit = 1;
     $scope.addJournal = function () {
@@ -45,6 +40,18 @@
         $scope.amount = Math.abs(amount);
     }, true);
 
+    $scope.preventAlteration = function (voucher) {
+        if (typeof voucher.VoucherID === 'undefined') {
+            return !$scope.perms['Journal'];
+        } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
+            return true;
+        } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) {
+            return true;
+        } else {
+            return false;
+        }
+    };
+
     $scope.get = function (voucherid) {
         $scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) {
             $scope.toasts.push({Type:'Success', Message:u.Code});
@@ -79,3 +86,23 @@
         });
     };
 }
+
+JournalCtrl.resolve = {
+    voucher:function ($q, $route, Voucher) {
+        var deferred = $q.defer();
+
+        var id = $route.current.params.id;
+
+        var successCb = function (result) {
+            deferred.resolve(result);
+        };
+
+        if (typeof id === 'undefined') {
+            Voucher.get({type:'Journal'}, successCb);
+        } else {
+            Voucher.get({id:id}, successCb);
+        }
+        return deferred.promise;
+    }
+
+}

brewman/brewman/static/scripts/overlord.js

@@ -7,8 +7,8 @@ var overlord = angular.module('overlord', ['overlord.directive', 'overlord.filte
         when('/login', {templateUrl:'/partial/login.html', controller:LoginCtrl}).
         when('/logout', {templateUrl:'/partial/home.html', controller:LogoutCtrl}).
 
-        when('/Journal', {templateUrl:'/partial/journal.html', controller:JournalCtrl}).
+        when('/Journal', {templateUrl:'/partial/journal.html', controller:JournalCtrl, resolve:JournalCtrl.resolve}).
-        when('/Journal/:id', {templateUrl:'/partial/journal.html', controller:JournalCtrl}).
+        when('/Journal/:id', {templateUrl:'/partial/journal.html', controller:JournalCtrl, resolve:JournalCtrl.resolve}).
 
         when('/Payment', {templateUrl:'/partial/payment.html', controller:PaymentCtrl}).
         when('/Payment/:id', {templateUrl:'/partial/payment.html', controller:PaymentCtrl}).

brewman/brewman/static/scripts/payment.js

@@ -51,6 +51,18 @@
         }
     }, true);
 
+    $scope.preventAlteration = function (voucher) {
+        if (typeof voucher.VoucherID === 'undefined') {
+            return !$scope.perms['Payment'];
+        } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
+            return true;
+        } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) {
+            return true;
+        } else {
+            return false;
+        }
+    };
+
     $scope.get = function (voucherid) {
         $scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) {
             $scope.toasts.push({Type:'Success', Message:u.Code});

brewman/brewman/static/scripts/purchase.js

@@ -62,6 +62,18 @@
         }
     }, true);
 
+    $scope.preventAlteration = function (voucher) {
+        if (typeof voucher.VoucherID === 'undefined') {
+            return !$scope.perms['Purchase'];
+        } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
+            return true;
+        } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) {
+            return true;
+        } else {
+            return false;
+        }
+    };
+
     $scope.get = function (voucherid) {
         $scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) {
             $scope.toasts.push({Type:'Success', Message:u.Code});

brewman/brewman/static/scripts/receipt.js

@@ -51,6 +51,18 @@
         }
     }, true);
 
+    $scope.preventAlteration = function (voucher) {
+        if (typeof voucher.VoucherID === 'undefined') {
+            return !$scope.perms['Receipt'];
+        } else if (voucher.Posted && !$scope.perms['Edit Posted Vouchers']) {
+            return true;
+        } else if (voucher.User.UserID != $scope.auth.UserID && !$scope.perms["Edit Other User's Vouchers"]) {
+            return true;
+        } else {
+            return false;
+        }
+    };
+
     $scope.get = function (voucherid) {
         $scope.voucher = Voucher.get({VoucherID:voucherid}, function (u, putResponseHeaders) {
             $scope.toasts.push({Type:'Success', Message:u.Code});

brewman/brewman/views/services/session.py

@@ -36,7 +36,7 @@ def user_permission(request):
         auth = {'isAuthenticated': False, 'perms': {}}
     else:
         user = User.get_by_id(uuid.UUID(user_id))
-        auth = {'isAuthenticated': True, 'Name': user.name}
+        auth = {'isAuthenticated': True, 'Name': user.name, 'UserID': user.id}
         session_perms = request.session['perms']
         perms = {}
         for item in Role.list():

brewman/brewman/views/services/voucher/__init__.py

@@ -32,10 +32,30 @@ def voucher_post(request):
         return response
 
 
+def check_delete_permissions(request, voucher):
+    user = User.get_by_id(uuid.UUID(authenticated_userid(request)))
+    permissions = request.session['perms']
+    if voucher.posted and not 'Edit Posted Vouchers' in permissions:
+        response = Response("You are not allowed to edit posted vouchers")
+        response.status_int = 403
+        return response
+    elif voucher.user_id != user.id and "Edit Other User's Vouchers" not in permissions:
+        response = Response("You are not allowed to edit other user's vouchers")
+        response.status_int = 403
+        return response
+    elif VoucherType.by_id(voucher.type).name not in permissions:
+        response = Response("You are not allowed (0) vouchers".format(VoucherType.by_id(voucher.type).name))
+        response.status_int = 403
+        return response
+
+
 @view_config(request_method='DELETE', route_name='voucher', renderer='json', xhr=True)
 def delete(request):
     id = request.matchdict.get('id', None)
     voucher = Voucher.by_id(uuid.UUID(id))
+    permission = check_delete_permissions(request, voucher)
+    if permission is not None:
+        return permission
     json_voucher = voucher_info(voucher)
     if voucher.type == 'Issue':
         for item in voucher.journals:
@@ -86,7 +106,7 @@ def voucher_info(voucher):
                     'Inventories': [],
                     'CreationDate': voucher.creation_date.strftime('%d-%b-%Y %H:%M'),
                     'LastEditDate': voucher.last_edit_date.strftime('%d-%b-%Y %H:%M'),
-                    'User': voucher.user.name,
+                    'User': {'UserID': voucher.user.id, 'Name': voucher.user.name},
                     'Poster': voucher.poster.name if voucher.posted else ''}
     for item in voucher.journals:
         json_voucher['Journals'].append({'JournalID': item.id, 'Debit': item.debit, 'Amount': item.amount,

brewman/brewman/views/services/voucher/update_voucher.py

@@ -1,6 +1,6 @@
 import uuid
 from pyramid.response import Response
-from pyramid.security import authenticated_userid, has_permission, Denied
+from pyramid.security import authenticated_userid
 from pyramid.view import view_defaults, view_config
 import transaction
 from brewman.models.auth import User
@@ -18,10 +18,18 @@ class update_voucher(object):
         self.user = User.get_by_id(uuid.UUID(authenticated_userid(request)))
         self.voucher = Voucher.by_id(uuid.UUID(request.matchdict.get('id', None)))
         self.json = request.json_body
-        permission = Denied
 
-        if self.voucher.posted:
+        permissions = request.session['perms']
-            permission = has_permisson('EditPosted', None, request)
+        if self.voucher.posted and not 'Edit Posted Vouchers' in permissions:
+            response = Response("You are not allowed to edit posted vouchers")
+            response.status_int = 403
+            self.error = response
+        elif self.voucher.user_id != self.user.id and "Edit Other User's Vouchers" not in permissions:
+            response = Response("You are not allowed to edit other user's vouchers")
+            response.status_int = 403
+            self.error = response
+        else:
+            self.error = None
 
 
     @view_config(request_param='type=Journal', permission='Journal')
@@ -49,6 +57,8 @@ class update_voucher(object):
         return self.update()
 
     def update(self):
+        if self.error is not None:
+            return self.error
         try:
             if self.json['Type'] in ['Journal', 'Payment', 'Receipt']:
                 voucher = journal_update_voucher(self.voucher, self.json, self.user)