Restrict part lot withdraw/add/move operations to the owner of a part lot

Jan Böhmer 2023-04-02 23:35:18 +02:00
parent 447b54fa4b
commit a7ff690891
3 changed files with 59 additions and 18 deletions


@ -67,7 +67,15 @@ class PartLotVoter extends ExtendedVoter
if (in_array($attribute, ['withdraw', 'add', 'move']))
{
return $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false;
$base_permission = $this->resolver->inherit($user, 'parts_stock', $attribute) ?? false;
$lot_permission = true;
//If the lot has an owner, we need to check if the user is the owner of the lot to be allowed to withdraw it.
if ($subject instanceof PartLot && $subject->getOwner()) {
$lot_permission = $subject->getOwner() === $user || $subject->getOwner()->getID() === $user->getID();
}
return $base_permission && $lot_permission;
}
switch ($attribute) {
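Review bot: The ID fallback in the owner comparison, `$subject->getOwner()->getID() === $user->getID()`, also evaluates to true when both IDs are null, so if `getID()` can return null for entities that are not yet persisted (not visible here), two distinct users would be treated as the same owner; guarding it as `($user->getID() !== null && $subject->getOwner()->getID() === $user->getID())` keeps the check fail-closed. The branch also leaves `$lot_permission` at `true` whenever `$subject` is not a `PartLot` instance, which looks intended for class-level checks but deserves a one-line comment saying so. The existing comment mentions only withdrawing although the branch covers add and move as well; I would reword it to `//If the lot has an owner, only that owner may withdraw from, add to or move the lot.` For `move`, this voter sees only `$subject`, so whether the owner of the destination lot is checked cannot be told from this hunk and should be confirmed in the calling code. The enclosing method starts and ends outside the hunk.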