From c29d95537185d909612103b65573242a91ef0d70 Mon Sep 17 00:00:00 2001
From: barredterra <14891507+barredterra@users.noreply.github.com>
Date: Wed, 8 May 2024 16:23:46 +0200
Subject: [PATCH] fix(Sales Order): only show permitted actions

---
 .../doctype/sales_order/sales_order.js        | 128 +++++++++++-------
 1 file changed, 82 insertions(+), 46 deletions(-)

diff --git a/erpnext/selling/doctype/sales_order/sales_order.js b/erpnext/selling/doctype/sales_order/sales_order.js
index b33562c32509..d73ec03a773b 100644
--- a/erpnext/selling/doctype/sales_order/sales_order.js
+++ b/erpnext/selling/doctype/sales_order/sales_order.js
@@ -58,7 +58,8 @@ frappe.ui.form.on("Sales Order", {
 			if (
 				frm.doc.status !== "Closed" &&
 				flt(frm.doc.per_delivered, 2) < 100 &&
-				flt(frm.doc.per_billed, 2) < 100
+				flt(frm.doc.per_billed, 2) < 100 &&
+				frm.has_perm("write")
 			) {
 				frm.add_custom_button(__("Update Items"), () => {
 					erpnext.utils.update_child_items({
@@ -74,7 +75,8 @@ frappe.ui.form.on("Sales Order", {
 				if (
 					frm.doc.__onload &&
 					frm.doc.__onload.has_unreserved_stock &&
-					flt(frm.doc.per_picked) === 0
+					flt(frm.doc.per_picked) === 0 &&
+					frappe.model.can_create("Stock Reservation Entry")
 				) {
 					frm.add_custom_button(
 						__("Reserve"),
@@ -85,7 +87,11 @@ frappe.ui.form.on("Sales Order", {
 			}
 
 			// Stock Reservation > Unreserve button will be only visible if the SO has un-delivered reserved stock.
-			if (frm.doc.__onload && frm.doc.__onload.has_reserved_stock) {
+			if (
+				frm.doc.__onload &&
+				frm.doc.__onload.has_reserved_stock &&
+				frappe.model.can_cancel("Stock Reservation Entry")
+			) {
 				frm.add_custom_button(
 					__("Unreserve"),
 					() => frm.events.cancel_stock_reservation_entries(frm),
@@ -94,7 +100,7 @@ frappe.ui.form.on("Sales Order", {
 			}
 
 			frm.doc.items.forEach((item) => {
-				if (flt(item.stock_reserved_qty) > 0) {
+				if (flt(item.stock_reserved_qty) > 0 && frappe.model.can_read("Stock Reservation Entry")) {
 					frm.add_custom_button(
 						__("Reserved Stock"),
 						() => frm.events.show_reserved_stock(frm),
@@ -142,6 +148,10 @@ frappe.ui.form.on("Sales Order", {
 	},
 
 	get_items_from_internal_purchase_order(frm) {
+		if (!frappe.model.can_read("Purchase Order")) {
+			return;
+		}
+
 		frm.add_custom_button(
 			__("Purchase Order"),
 			() => {
@@ -630,15 +640,17 @@ erpnext.selling.SalesOrderController = class SalesOrderController extends erpnex
 						}
 					}
 
-					if (!doc.__onload || !doc.__onload.has_reserved_stock) {
-						// Don't show the `Reserve` button if the Sales Order has Picked Items.
-						if (flt(doc.per_picked, 2) < 100 && flt(doc.per_delivered, 2) < 100) {
-							this.frm.add_custom_button(
-								__("Pick List"),
-								() => this.create_pick_list(),
-								__("Create")
-							);
-						}
+					if (
+						(!doc.__onload || !doc.__onload.has_reserved_stock) &&
+						flt(doc.per_picked, 2) < 100 &&
+						flt(doc.per_delivered, 2) < 100 &&
+						frappe.model.can_create("Pick List")
+					) {
+						this.frm.add_custom_button(
+							__("Pick List"),
+							() => this.create_pick_list(),
+							__("Create")
+						);
 					}
 
 					const order_is_a_sale = ["Sales", "Shopping Cart"].indexOf(doc.order_type) !== -1;
@@ -653,20 +665,25 @@ erpnext.selling.SalesOrderController = class SalesOrderController extends erpnex
 						(order_is_a_sale || order_is_a_custom_sale) &&
 						allow_delivery
 					) {
-						this.frm.add_custom_button(
-							__("Delivery Note"),
-							() => this.make_delivery_note_based_on_delivery_date(true),
-							__("Create")
-						);
-						this.frm.add_custom_button(
-							__("Work Order"),
-							() => this.make_work_order(),
-							__("Create")
-						);
+						if (frappe.model.can_create("Delivery Note")) {
+							this.frm.add_custom_button(
+								__("Delivery Note"),
+								() => this.make_delivery_note_based_on_delivery_date(true),
+								__("Create")
+							);
+						}
+
+						if (frappe.model.can_create("Work Order")) {
+							this.frm.add_custom_button(
+								__("Work Order"),
+								() => this.make_work_order(),
+								__("Create")
+							);
+						}
 					}
 
 					// sales invoice
-					if (flt(doc.per_billed, 2) < 100) {
+					if (flt(doc.per_billed, 2) < 100 && frappe.model.can_create("Sales Invoice")) {
 						this.frm.add_custom_button(
 							__("Sales Invoice"),
 							() => me.make_sales_invoice(),
@@ -676,8 +693,10 @@ erpnext.selling.SalesOrderController = class SalesOrderController extends erpnex
 
 					// material request
 					if (
-						!doc.order_type ||
-						((order_is_a_sale || order_is_a_custom_sale) && flt(doc.per_delivered, 2) < 100)
+						(!doc.order_type ||
+							((order_is_a_sale || order_is_a_custom_sale) &&
+								flt(doc.per_delivered, 2) < 100)) &&
+						frappe.model.can_create("Material Request")
 					) {
 						this.frm.add_custom_button(
 							__("Material Request"),
@@ -692,7 +711,7 @@ erpnext.selling.SalesOrderController = class SalesOrderController extends erpnex
 					}
 
 					// Make Purchase Order
-					if (!this.frm.doc.is_internal_customer) {
+					if (!this.frm.doc.is_internal_customer && frappe.model.can_create("Purchase Order")) {
 						this.frm.add_custom_button(
 							__("Purchase Order"),
 							() => this.make_purchase_order(),
@@ -702,24 +721,32 @@ erpnext.selling.SalesOrderController = class SalesOrderController extends erpnex
 
 					// maintenance
 					if (flt(doc.per_delivered, 2) < 100 && (order_is_maintenance || order_is_a_custom_sale)) {
-						this.frm.add_custom_button(
-							__("Maintenance Visit"),
-							() => this.make_maintenance_visit(),
-							__("Create")
-						);
-						this.frm.add_custom_button(
-							__("Maintenance Schedule"),
-							() => this.make_maintenance_schedule(),
-							__("Create")
-						);
+						if (frappe.model.can_create("Maintenance Visit")) {
+							this.frm.add_custom_button(
+								__("Maintenance Visit"),
+								() => this.make_maintenance_visit(),
+								__("Create")
+							);
+						}
+						if (frappe.model.can_create("Maintenance Schedule")) {
+							this.frm.add_custom_button(
+								__("Maintenance Schedule"),
+								() => this.make_maintenance_schedule(),
+								__("Create")
+							);
+						}
 					}
 
 					// project
-					if (flt(doc.per_delivered, 2) < 100) {
+					if (flt(doc.per_delivered, 2) < 100 && frappe.model.can_create("Project")) {
 						this.frm.add_custom_button(__("Project"), () => this.make_project(), __("Create"));
 					}
 
-					if (doc.docstatus === 1 && !doc.inter_company_order_reference) {
+					if (
+						doc.docstatus === 1 &&
+						!doc.inter_company_order_reference &&
+						frappe.model.can_create("Purchase Order")
+					) {
 						let me = this;
 						let internal = me.frm.doc.is_internal_customer;
 						if (internal) {
@@ -743,18 +770,27 @@ erpnext.selling.SalesOrderController = class SalesOrderController extends erpnex
 					flt(doc.per_billed, precision("per_billed", doc)) <
 					100 + frappe.boot.sysdefaults.over_billing_allowance
 				) {
-					this.frm.add_custom_button(
-						__("Payment Request"),
-						() => this.make_payment_request(),
-						__("Create")
-					);
-					this.frm.add_custom_button(__("Payment"), () => this.make_payment_entry(), __("Create"));
+					if (frappe.model.can_create("Payment Request")) {
+						this.frm.add_custom_button(
+							__("Payment Request"),
+							() => this.make_payment_request(),
+							__("Create")
+						);
+					}
+
+					if (frappe.model.can_create("Payment Entry")) {
+						this.frm.add_custom_button(
+							__("Payment"),
+							() => this.make_payment_entry(),
+							__("Create")
+						);
+					}
 				}
 				this.frm.page.set_inner_btn_group_as_primary(__("Create"));
 			}
 		}
 
-		if (this.frm.doc.docstatus === 0) {
+		if (this.frm.doc.docstatus === 0 && frappe.model.can_read("Quotation")) {
 			this.frm.add_custom_button(
 				__("Quotation"),
 				function () {