My husband and I both create invoices using this module, and sometimes need to edit invoices the other has made.
When we edit our own invoice, we can see all the line items. But when we edit each other's, all line items disappear and the invoice looks empty - apart from the address details.
If we view the invoice, we can see the line items no problem.
Looks like a permissions setting, but we're both admins and the permissions on the modules are checked for admins.
Any ideas?


Comments

remoraxxx’s picture

Issue summary: View changes

I subscribe to this issue.

It becomes critical if you invoice via RESTful API, as nobody can edit the invoiced items lines.

remoraxxx’s picture

You can fix this issue by replacing these lines in the invoice_form.inc file (around line #817):

  $result = db_query("SELECT * FROM {invoice_items} WHERE uid = :uid AND invoice_id = :invoice_id
    ORDER BY weight, created ASC", array(
    ':uid' => $GLOBALS['user']->uid,
    ':invoice_id' => $invoice_id
  ))->fetchAll();

with these ones:

  if (user_access('administer invoices')) {
    $result = db_query("SELECT * FROM {invoice_items} WHERE invoice_id = :invoice_id
      ORDER BY weight, created ASC", array(
      ':invoice_id' => $invoice_id
    ))->fetchAll();
  } else {
    $result = db_query("SELECT * FROM {invoice_items} WHERE uid = :uid AND invoice_id = :invoice_id
      ORDER BY weight, created ASC", array(
      ':uid' => $GLOBALS['user']->uid,
      ':invoice_id' => $invoice_id
    ))->fetchAll();
  }

---------------------------------

In invoice.module, replace:

    // Count invoice items
    $count = db_query("SELECT COUNT(*) FROM {invoice_items} WHERE uid = :uid AND invoice_id = :invoice_id", array(
      'uid' => $GLOBALS['user']->uid,
      'invoice_id' => $node->invoice_number
    ))->fetchField();

with:

    // Count invoice items
    if (user_access('administer invoices')) {
        $count = db_query("SELECT COUNT(*) FROM {invoice_items} WHERE invoice_id = :invoice_id", array(
          'invoice_id' => $node->invoice_number
        ))->fetchField();
    } else {
        $count = db_query("SELECT COUNT(*) FROM {invoice_items} WHERE uid = :uid AND invoice_id = :invoice_id", array(
          'uid' => $GLOBALS['user']->uid,
          'invoice_id' => $node->invoice_number
        ))->fetchField();
    }

-------------------------------------------------

in invoice.module

replace:

    // Make sure that this invoice belongs to this user
    $count = db_query("SELECT COUNT(*) FROM {invoice_invoices} WHERE iid = :iid AND uid = :uid", array(
      ':iid' => $node->invoice_number,
      ':uid' => $user_id
    ))->fetchField();

with:

    // Make sure that this invoice belongs to this user
    if (user_access('administer invoices')) {
        $count = db_query("SELECT COUNT(*) FROM {invoice_invoices} WHERE iid = :iid", array(
          ':iid' => $node->invoice_number
        ))->fetchField();
    } else {
        $count = db_query("SELECT COUNT(*) FROM {invoice_invoices} WHERE iid = :iid AND uid = :uid", array(
          ':iid' => $node->invoice_number,
          ':uid' => $user_id
        ))->fetchField();
    }

-------------------------------------

in invoice_ajax.inc replace:

  if (intval($fv['iid']) > 0) {
    // item id is greater than zero, so we are saving an existing invoice item
    db_update('invoice_items')->fields(array(
      'description' => $fv['description'],
      'vat' => $fv['vat'],
      'quantity' => $fv['quantity'],
      'unitcost' => $unitcost
    ))
      ->condition('iid', $fv['iid'])
      ->condition('uid', $GLOBALS['user']->uid)
      ->condition('invoice_id', $fv['invoice_number'])
      ->execute();
  }

with:

  if (intval($fv['iid']) > 0) {
    // item id is greater than zero, so we are saving an existing invoice item
    if (user_access('administer invoices')) {
      // Administrators may update items created by any user
      db_update('invoice_items')->fields(array(
        'description' => $fv['description'],
        'vat' => $fv['vat'],
        'quantity' => $fv['quantity'],
        'unitcost' => $unitcost
      ))
        ->condition('iid', $fv['iid'])
        ->condition('invoice_id', $fv['invoice_number'])
        ->execute();
    } else {
      // Everyone else may only update items they created themselves
      db_update('invoice_items')->fields(array(
        'description' => $fv['description'],
        'vat' => $fv['vat'],
        'quantity' => $fv['quantity'],
        'unitcost' => $unitcost
      ))
        ->condition('iid', $fv['iid'])
        ->condition('uid', $GLOBALS['user']->uid)
        ->condition('invoice_id', $fv['invoice_number'])
        ->execute();
    }
  }

Note: The user still needs "Administer invoices" perm checked on.
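
The four edits above repeat the same admin-or-owner branch in every query. As an added example (not code from the Invoice module or from this thread), the standalone PHP/PDO program below keeps that decision in one function shared by the read and the write path. The function names and the `$isAdmin` flag (a stand-in for `user_access('administer invoices')`) are assumptions, and the SQLite rows are constructed.

```php
<?php
// Added example, not the module's code. Table and column names follow the
// queries quoted above; $isAdmin stands in for user_access('administer invoices').

// Single place that decides whether the ownership filter applies.
function invoice_item_scope(int $invoiceId, int $uid, bool $isAdmin): array {
  $where = 'invoice_id = :invoice_id';
  $args = [':invoice_id' => $invoiceId];
  if (!$isAdmin) {
    // Non-admins only ever touch rows they created.
    $where .= ' AND uid = :uid';
    $args[':uid'] = $uid;
  }
  return [$where, $args];
}

function load_items(PDO $db, int $invoiceId, int $uid, bool $isAdmin): array {
  [$where, $args] = invoice_item_scope($invoiceId, $uid, $isAdmin);
  // $where is one of two fixed strings; all values are bound parameters.
  $stmt = $db->prepare("SELECT * FROM invoice_items WHERE $where ORDER BY weight, created ASC");
  $stmt->execute($args);
  return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function update_item(PDO $db, int $iid, string $description, int $invoiceId, int $uid, bool $isAdmin): int {
  [$where, $args] = invoice_item_scope($invoiceId, $uid, $isAdmin);
  $stmt = $db->prepare("UPDATE invoice_items SET description = :d WHERE iid = :iid AND $where");
  $stmt->execute($args + [':d' => $description, ':iid' => $iid]);
  return $stmt->rowCount();  // number of rows the scope allowed the write to reach
}

// Constructed sample data: invoice 7 has one item created by uid 2.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoice_items (iid INTEGER PRIMARY KEY, invoice_id INT, uid INT,
  description TEXT, weight INT, created INT)');
$db->exec("INSERT INTO invoice_items VALUES (1, 7, 2, 'Consulting', 0, 1000)");

var_dump(count(load_items($db, 7, 2, false)));         // the item's owner
var_dump(count(load_items($db, 7, 3, false)));         // a different non-admin user
var_dump(count(load_items($db, 7, 3, true)));          // a different user with the admin permission
var_dump(update_item($db, 1, 'Edited', 7, 3, false));  // write attempt by the non-owner
var_dump(update_item($db, 1, 'Edited', 7, 3, true));   // write by the admin
```

Because the load and the update share `invoice_item_scope()`, a later change to who may see an invoice's items changes who may edit them in the same place.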

ssoulless’s picture

It would be better if someone provided a patch. Then it must be committed. I will do the patch this afternoon.

ssoulless’s picture

Version: 7.x-1.1 » 7.x-1.x-dev
Assigned: Unassigned » ssoulless
Category: Support request » Bug report
Priority: Normal » Major
Status: Active » Needs review

OK, here is a patch that fixes this issue. Please try it on a production site and give some feedback to see if this issue is solved.

Cheers!