From 3d46b57d4ba3a61e5c5972dcf563ea26c4166b8d Mon Sep 17 00:00:00 2001 From: bMancone Date: Wed, 26 Oct 2011 12:35:28 +0000 Subject: [PATCH] // Stock controllers : added permissions check on employees --- .../admin/AdminStockManagementController.php | 18 ++++++++++++++++++ controllers/admin/AdminStockMvtController.php | 4 ++++ .../admin/AdminWarehousesController.php | 11 +++++++++++ 3 files changed, 33 insertions(+) diff --git a/controllers/admin/AdminStockManagementController.php b/controllers/admin/AdminStockManagementController.php index 94d16aa22..f8de33665 100644 --- a/controllers/admin/AdminStockManagementController.php +++ b/controllers/admin/AdminStockManagementController.php @@ -513,6 +513,17 @@ class AdminStockManagementControllerCore extends AdminController { parent::postProcess(); + // Checks access + if (Tools::isSubmit('addStock') && !($this->tabAccess['add'] === '1')) + $this->_errors[] = Tools::displayError('You do not have the required permission to add stock.'); + if (Tools::isSubmit('removeStock') && !($this->tabAccess['delete'] === '1')) + $this->_errors[] = Tools::displayError('You do not have the required permission to delete stock.'); + if (Tools::isSubmit('transferStock') && !($this->tabAccess['edit'] === '1')) + $this->_errors[] = Tools::displayError('You do not have the required permission to transfer stock.'); + + if (count($this->_errors)) + return; + // Global checks when add / remove / transfer product if ((Tools::isSubmit('addstock') || Tools::isSubmit('removestock') || Tools::isSubmit('transferstock') ) && Tools::isSubmit('is_post')) { 
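Review bot: The three new guards test `Tools::isSubmit('addStock')`, `'removeStock'` and `'transferStock'`, while the processing block directly below them (and the row actions in the `@@ -785` hunk) use the lower-case names `addstock`, `removestock` and `transferstock`. If `Tools::isSubmit()` looks the name up as a request key, which is case-sensitive in PHP, the guards never match the requests that are actually processed and the permission check is silently skipped. Use the same spelling in both places, e.g. `if (Tools::isSubmit('addstock') && $this->tabAccess['add'] !== '1')`, and likewise for the other two. The guards also run after `parent::postProcess()`, and the rest of this method lies outside the hunk, so it is worth confirming that nothing state-changing happens before they are reached.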
@@ -785,6 +796,13 @@ class AdminStockManagementControllerCore extends AdminController // specify actions in function of stock $this->skipActionByStock($item, false); } + // Checks access + if (!($this->tabAccess['add'] === '1')) + $this->addRowActionSkipList('addstock', array($item['id'])); + if (!($this->tabAccess['delete'] === '1')) + $this->addRowActionSkipList('removestock', array($item['id'])); + if (!($this->tabAccess['edit'] === '1')) + $this->addRowActionSkipList('transferstock', array($item['id'])); } } } diff --git a/controllers/admin/AdminStockMvtController.php b/controllers/admin/AdminStockMvtController.php index 74741ef07..001ce1062 100644 --- a/controllers/admin/AdminStockMvtController.php +++ b/controllers/admin/AdminStockMvtController.php @@ -163,6 +163,10 @@ class AdminStockMvtControllerCore extends AdminController $this->displayInformation($this->l('This interface allows you to display the stock movements for a selected warehouse.').'
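Review bot: The comment `// Checks access` overstates what these lines do: `addRowActionSkipList()` appears only to keep the action from being offered for the row, so this is a display measure and the real enforcement has to happen when the request is processed. I would reword it to `// Hide row actions the employee is not allowed to use (display only; postProcess() must still refuse them)`. The three `tabAccess` tests also do not depend on `$item`, so they could be evaluated once before the loop, which starts outside this hunk, and `!($x === '1')` reads more plainly as `$x !== '1'`. The same display-only remark applies to `$this->no_add = true` in AdminWarehousesController::initList().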
'); $this->displayInformation($this->l('Also, it allows you to add and edit your own stock movement reasons.')); + // access + if (!($this->tabAccess['add'] === '1')) + $this->no_add = true; + //no link on list rows $this->list_no_link = true; diff --git a/controllers/admin/AdminWarehousesController.php b/controllers/admin/AdminWarehousesController.php index 5f13760a0..cf73916c6 100644 --- a/controllers/admin/AdminWarehousesController.php +++ b/controllers/admin/AdminWarehousesController.php @@ -78,6 +78,10 @@ class AdminWarehousesControllerCore extends AdminController */ public function initList() { + // Checks access + if (!($this->tabAccess['add'] === '1')) + $this->no_add = true; + $this->list_no_link = true; $this->addRowAction('edit'); $this->addRowAction('details'); @@ -328,6 +332,13 @@ class AdminWarehousesControllerCore extends AdminController */ public function postProcess() { + // Checks access + if (Tools::isSubmit('submitAdd'.$this->table) && !($this->tabAccess['add'] === '1')) + { + $this->_errors[] = Tools::displayError('You do not have the required permission to add warehouses.'); + return parent::postProcess(); + } + if (Tools::isSubmit('submitAdd'.$this->table)) { if (!($obj = $this->loadObject(true)))
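Review bot: For AdminStockMvtController the commit only sets `$this->no_add = true`, which hides the add control; the diffstat shows no other insertion in this file, so nothing is added on the submission path. The help text just above says this screen lets employees add and edit stock movement reasons, so an employee without the `add` right is stopped only if the parent controller already verifies `tabAccess` when the form is posted, which is not visible here and should be confirmed. If it does not, add a guard in this controller's postProcess() along the lines of the one added to AdminWarehousesController, recording an error and stopping before any object is created. The method containing this hunk starts and ends outside it.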
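Review bot: On a denied add, the new branch in AdminWarehousesController::postProcess() does `return parent::postProcess();`, so the same request, still carrying the `submitAdd` parameter, is handed on to the parent handler; whether the warehouse is created then depends entirely on the parent re-checking permissions, which this hunk does not show. AdminStockManagementController stops with a plain `return;` once `_errors` is filled, and doing the same here (`return;` instead of `return parent::postProcess();`) would keep the refusal from depending on parent behaviour, after checking that callers do not use the return value. The guard also covers only the `add` right: if the same `submitAdd` form is used to save an existing warehouse, the `edit` right is never consulted, which should be verified in the part of postProcess() that continues past this hunk.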