- Cambridge bug fixin- Cambridge bug fixingg

8293da2e · Frank Bergmann · 388b47c0 · 8293da2e · 8293da2e · 8293da2e
Commit 8293da2e authored Jan 27, 2008 by Frank Bergmann
3 changed files
--- a/sql/postgresql/intranet-timesheet2-workflow-create.sql
+++ b/sql/postgresql/intranet-timesheet2-workflow-create.sql
@@ -106,6 +106,24 @@ create index im_hours_conf_obj_idx on im_hours(conf_object_id);
+-----------------------------------------------------------
+-- Privileges
+--
+-- view_timesheet_conf_objects_all restricts possibility to see timesheet_conf_objects of others
+SELECT acs_privilege__create_privilege(
+	'view_timesheet_conf_all',
+	'View Timesheet Conf Objects All',
+	'View Timesheet Conf Objects All'
+);
+SELECT acs_privilege__add_child('admin', 'view_timesheet_conf_all');
 -----------------------------------------------------------
 -- Create, Drop and Name Plpg/SQL functions
 --

--- a/tcl/intranet-timesheet2-workflow-procs.tcl
+++ b/tcl/intranet-timesheet2-workflow-procs.tcl
@@ -229,22 +229,26 @@ ad_proc -public im_timesheet_conf_object_delete {
    Delete a confirmation object for the specified (main-) project
    that covers the specified day.
 } {
+    # Get the main project - the base where to search for the ConfObj
+    set main_project_id [db_string main_project "
+		select
+			main_p.project_id as main_project_id
+		from
+			im_projects p,
+			im_projects main_p
+		where
+			p.project_id = :project_id and
+			tree_ancestor_key(p.tree_sortkey, 1) = main_p.tree_sortkey
+    " -default 0]
    # Check for ConfirmationObjects matching the conditions
-    set conf_ids [db_list main_pids "
+    set conf_ids [db_list conf_ids "
 		select distinct
 			c.conf_id
 		from
-			im_hours h,
-			im_projects p,
-			im_projects main_p,
 			im_timesheet_conf_objects c
 		where
-			h.day = to_date(:day_julian, 'J') and
+			c.conf_project_id = :main_project_id and
-			h.user_id = :user_id and
-			h.project_id = :project_id and
-			h.project_id = p.project_id and
-			tree_ancestor_key(p.tree_sortkey, 1) = main_p.tree_sortkey and
-			c.conf_project_id = main_p.project_id and
 			c.conf_user_id = :user_id and
 			to_date(:day_julian, 'J') between c.start_date and c.end_date
    "]
@@ -293,11 +297,39 @@ ad_proc -public im_timesheet_costs_delete {
 # ---------------------------------------------------------------------
-# Absence Workflow Permissions
+# Timesheet Confirmation Object - Workflow Permissions
 #
-# You can replace these functions with custom functions by modifying parameters.
 # ---------------------------------------------------------------------
+ad_proc im_timesheet_conf_new_page_wf_perm_table { } {
+    Returns a hash array representing (role x status) -> (v r d w a),
+    controlling the read and write permissions on the Timesheet Conf 
+    Object's new page, depending on the users's role and the WF status.
+} {
+    set req [im_timesheet_conf_obj_status_requested]
+    set rej [im_timesheet_conf_obj_status_rejected]
+    set act [im_timesheet_conf_obj_status_active]
+    set del [im_timesheet_conf_obj_status_deleted]
+    set perm_hash(owner-$rej) {v r d w}
+    set perm_hash(owner-$req) {v r d}
+    set perm_hash(owner-$act) {v r d}
+    set perm_hash(owner-$del) {v r d}
+    set perm_hash(assignee-$rej) {v r d}
+    set perm_hash(assignee-$req) {v r d}
+    set perm_hash(assignee-$act) {v r d}
+    set perm_hash(assignee-$del) {v r d}
+    set perm_hash(hr-$rej) {v r d w a}
+    set perm_hash(hr-$req) {v r d w a}
+    set perm_hash(hr-$act) {v r d w a}
+    set perm_hash(hr-$del) {v r d w a}
+    return [array get perm_hash]
+}
 ad_proc im_timesheet_conf_new_page_wf_perm_delete_button {
    -conf_id:required
@@ -306,30 +338,28 @@ ad_proc im_timesheet_conf_new_page_wf_perm_delete_button {
    The button is visible only for the Owner of the timesheet
    and the Admin, but nobody else during the course of the WF.
 } {
-    set current_user_id [ad_get_user_id]
+    set perm_table [im_timesheet_conf_new_page_wf_perm_table]
-    set current_user_is_admin_p [im_is_user_site_wide_or_intranet_admin $current_user_id]
+    set perm_set [im_workflow_object_permissions \
-    set current_user_is_hr_p [im_user_is_hr_p $current_user_id]
+		    -object_id $conf_id \
-    set owner_id [db_string owner "select creation_user from acs_objects where object_id = $conf_id" -default 0]
+		    -perm_table $perm_table
+    ]
-    # The standard case: Only the owner should delete his own timesheet entries - to be reapproved then.
-    set perm_p 0
+    ns_log Notice "im_timesheet_conf_new_page_wf_perm_delete_button conf_id=$conf_id => $perm_set"
-    if {$owner_id == $current_user_id} { set perm_p 1 }
+    return [expr [lsearch $perm_set "d"] > -1]
-    # There is NO restriction on deleting timesheet objects. 
-    # The included hours will simply appear as unconfirmed again.
-    # Admins & HR can do everything anytime.
-    if {$current_user_is_hr_p} { set perm_p 1 }
-    if {$current_user_is_admin_p} { set perm_p 1 }
-    return $perm_p
 }
 ad_proc im_timesheet_conf_new_page_wf_perm_edit_button {
    -conf_id:required
 } {
    Should we show the "Edit" button in the TimesheetConfNewPage?
-    Currently, nobody should ever edit a timesheet conf object (just delete).
 } {
-    return 0
+    set perm_table [im_timesheet_conf_new_page_wf_perm_table]
+    set perm_set [im_workflow_object_permissions \
+		    -object_id $conf_id \
+		    -perm_table $perm_table
+    ]
+    ns_log Notice "im_timesheet_conf_new_page_wf_perm_edit_button conf_id=$conf_id => $perm_set"
+    return [expr [lsearch $perm_set "w"] > -1]
 }
--- a/www/conf-objects/index.tcl
+++ b/www/conf-objects/index.tcl
@@ -26,29 +26,22 @@ set current_user_id $user_id
 set page_focus "im_header_form.keywords"
 set user_admin_p [im_is_user_site_wide_or_intranet_admin $current_user_id]
 set date_format "YYYY-MM-DD"
 set object_name [db_string object_name "select acs_object__name(:object_id)" -default [lang::message::lookup "" intranet-expenes.Unassigned "Unassigned"]]
 set page_title [_ intranet-timesheet2-workflow.Timesheet_Approval]
+set context_bar [im_context_bar $page_title]
-if {[im_permission $user_id view_projects_all]} {
-    set context_bar [im_context_bar [list /intranet/projects/ "[_ intranet-core.Projects]"] $page_title]
-} else {
-    set context_bar [im_context_bar $page_title]
-}
 set return_url [im_url_with_query]
 set current_url [ns_conn url]
 # ---------------------------------------------------------------
 # Admin Links
 # ---------------------------------------------------------------
 set admin_links ""
 append admin_links " <li><a href=\"new?[export_url_vars object_id return_url]\">[_ intranet-timesheet2-workflow.Add_a_new_Conf]</a>\n"
+if {"" != $admin_links} { set admin_links "<ul>\n$admin_links</ul>\n" }
 set bulk_actions_list "[list]"
 #[im_permission $user_id "delete_expense"]
@@ -107,21 +100,9 @@ template::list::create \
 	}
    }
-set project_where ""
-if {0 == $object_id} { 
-    set project_where "\tand c.object_id is null\n" 
-} else {
-    set project_where "\tand c.object_id = :object_id\n" 
-}
-set project_where ""
-if {0 == $object_id} { 
-    set project_where "\tand n.object_id is null\n" 
-} else {
-    set project_where "\tand n.object_id = :object_id\n" 
-}
+set owner_where "and co.conf_user_id = :user_id"
+if {[im_permission $user_id "view_timesheet_conf_all"]} { set owner_where ""}
 db_multirow -extend {conf_chk return_url period} conf_lines confs_lines "
 	select	co.*,
@@ -129,6 +110,9 @@ db_multirow -extend {conf_chk return_url period} conf_lines confs_lines "
 		im_name_from_user_id(co.conf_user_id) as conf_user_name
 	from	im_timesheet_conf_objects co
 		LEFT OUTER JOIN im_projects p ON (co.conf_project_id = p.project_id)
+	where
+		1=1
+		$owner_where
 " {
    set return_url [im_url_with_query]
    set conf_chk "<input type=\"checkbox\" name=\"conf_id\" value=\"$conf_id\" id=\"confs_list,$conf_id\">"