diff --git a/src/Controller/PartController.php b/src/Controller/PartController.php
index c02a6b4f..f0d6fdfe 100644
--- a/src/Controller/PartController.php
+++ b/src/Controller/PartController.php
@@ -55,8 +55,11 @@ use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Routing\Annotation\Route;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Contracts\Translation\TranslatorInterface;
+use function Symfony\Component\Translation\t;
+
/**
* @Route("/part")
*/
@@ -360,23 +363,28 @@ class PartController extends AbstractController
$action = $request->request->get('action');
-
- switch ($action) {
- case "withdraw":
- case "remove":
- $this->denyAccessUnlessGranted('withdraw', $partLot);
- $withdrawAddHelper->withdraw($partLot, $amount, $comment);
- break;
- case "add":
- $this->denyAccessUnlessGranted('add', $partLot);
- $withdrawAddHelper->add($partLot, $amount, $comment);
- break;
- case "move":
- $this->denyAccessUnlessGranted('move', $partLot);
- $withdrawAddHelper->move($partLot, $targetLot, $amount, $comment);
- break;
- default:
- throw new \RuntimeException("Unknown action!");
+ try {
+ switch ($action) {
+ case "withdraw":
+ case "remove":
+ $this->denyAccessUnlessGranted('withdraw', $partLot);
+ $withdrawAddHelper->withdraw($partLot, $amount, $comment);
+ break;
+ case "add":
+ $this->denyAccessUnlessGranted('add', $partLot);
+ $withdrawAddHelper->add($partLot, $amount, $comment);
+ break;
+ case "move":
+ $this->denyAccessUnlessGranted('move', $partLot);
+ $this->denyAccessUnlessGranted('move', $targetLot);
+ $withdrawAddHelper->move($partLot, $targetLot, $amount, $comment);
+ break;
+ default:
+ throw new \RuntimeException("Unknown action!");
+ }
+ } catch (AccessDeniedException $exception) {
+ $this->addFlash('error', t('part.withdraw.access_denied'));
+ goto err;
}
//Save the changes to the DB
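Review bot: The catch block at the end of the hunk turns the `AccessDeniedException` into a flash message and then jumps with `goto err` to the label added in the next hunk; a `goto` out of a `try` and across the CSRF `if/else` is fragile, and the caught `$exception` is never used. Returning the redirect response directly from the catch, or checking `isGranted()` before the switch and setting a flag the save step inspects, keeps the flow linear without the label. The `default` branch still throws a bare `\RuntimeException` for an unexpected `action` value, which surfaces as a 500 rather than a client error; `BadRequestHttpException` is already imported, so `throw new BadRequestHttpException('Unknown action!');` is the better fit. The access-denied path now also ends at the `_redirect` handling after the label, which redirects to whatever value the request supplied; if that value is not restricted to local paths elsewhere, the new flow reaches that redirect as well, so it is worth confirming. The enclosing action method starts and ends outside the hunk.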
@@ -387,6 +395,7 @@ class PartController extends AbstractController
$this->addFlash('error', 'CSRF Token invalid!');
}
+ err:
//If an redirect was passed, then redirect there
if($request->request->get('_redirect')) {
return $this->redirect($request->request->get('_redirect'));
diff --git a/src/Security/Voter/PartLotVoter.php b/src/Security/Voter/PartLotVoter.php
index da05070b..0c70e629 100644
--- a/src/Security/Voter/PartLotVoter.php
+++ b/src/Security/Voter/PartLotVoter.php
@@ -67,7 +67,15 @@ class PartLotVoter extends ExtendedVoter
if (in_array($attribute, ['withdraw', 'add', 'move']))
{
- return $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false;
+ $base_permission = $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false;
+
+ $lot_permission = true;
+ //If the lot has an owner, we need to check if the user is the owner of the lot to be allowed to withdraw it.
+ if ($subject instanceof PartLot && $subject->getOwner()) {
+ $lot_permission = $subject->getOwner() === $user || $subject->getOwner()->getID() === $user->getID();
+ }
+
+ return $base_permission && $lot_permission;
}
switch ($attribute) {
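Review bot: The owner check on the new `$lot_permission = ...` line falls back to `getOwner()->getID() === $user->getID()`, which evaluates to true when both IDs are null (for example unpersisted entities), and it assumes `$user` is an entity exposing `getID()`; if `$user` can be null or a string for anonymous requests, that call fatals, and since `$user` is assigned above the hunk, confirm it is guarded there. Hoisting the owner into a local and requiring a non-null ID avoids both and drops the repeated `getOwner()` calls: `$owner = $subject->getOwner();` followed by `$lot_permission = $owner === $user || ($owner->getID() !== null && $owner->getID() === $user->getID());`. The comment above the check mentions only withdrawing while the branch covers `withdraw`, `add` and `move`; `//If the lot has an owner, only that owner may withdraw, add or move stock in it.` states the rule as enforced. The enclosing method starts and ends outside the hunk.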
diff --git a/translations/messages.en.xlf b/translations/messages.en.xlf
index 02057ea9..9bcc89c8 100644
--- a/translations/messages.en.xlf
+++ b/translations/messages.en.xlf
@@ -11229,5 +11229,29 @@ Element 3
Only the owner can withdraw or add stock to this lot.
+
+
+ log.element_edited.changed_fields.owner
+ Owner
+
+
+
+
+ log.element_edited.changed_fields.instock_unknown
+ Amount unknown
+
+
+
+
+ log.element_edited.changed_fields.needs_refill
+ Refill needed
+
+
+
+
+ part.withdraw.access_denied
+ Not allowed to do the desired action. Please check your permissions and the owner of the part lots.
+
+