| author | ivan <ivan> | 2008-01-13 21:14:32 +0000 | 
|---|---|---|
| committer | ivan <ivan> | 2008-01-13 21:14:32 +0000 | 
| commit | 97e6cec67c0c99ce1b6f0667a09f1e009100189d (patch) | |
| tree | 1d43c279a429c8284611e98e327a6049e971192d | |
| parent | c223e0957b194e24dccbda5bbc29841385cc0961 (diff) | |
ACLs
53 files changed, 1090 insertions, 982 deletions
| diff --git a/httemplate/misc/batch-cust_pay.html b/httemplate/misc/batch-cust_pay.html index 341629ba6..ae608e1b9 100644 --- a/httemplate/misc/batch-cust_pay.html +++ b/httemplate/misc/batch-cust_pay.html @@ -1,8 +1,5 @@ -<% include("/elements/header.html", 'Quick payment entry', -            menubar( -                     'Main Menu' => $p, #popurl(1), -                   ), -            ( $cgi->param('error') ? '' : 'onload="addRow()"' ), +<% include('/elements/header.html', 'Quick payment entry', '' +             ( $cgi->param('error') ? '' : 'onload="addRow()"' ),            )  %> @@ -387,5 +384,11 @@  </SCRIPT> -</BODY> -</HTML> +<% include('/elements/footer.html') %> + +<%init> +  +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Post payment batch'); + +</%init> diff --git a/httemplate/misc/bill.cgi b/httemplate/misc/bill.cgi index 24dfd6bbd..3c3c48c54 100755 --- a/httemplate/misc/bill.cgi +++ b/httemplate/misc/bill.cgi 
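Review bot: In the rewritten header include, the third argument `''` is followed directly by the parenthesised `onload` expression with no comma between them; if that is not a rendering artifact of this page, the component will not compile. The intended form is presumably `'Quick payment entry', '',` on one line and `( $cgi->param('error') ? '' : 'onload="addRow()"' ),` on the next. The new `<%init>` gate on `Post payment batch` follows the same shape as the other pages in this commit.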
@@ -1,45 +1,45 @@ -% -%#untaint custnum -%my($query) = $cgi->keywords; -%$query =~ /^(\d*)$/; -%my $custnum = $1; -%my $cust_main = qsearchs('cust_main',{'custnum'=>$custnum}); -%die "Can't find customer!\n" unless $cust_main; -% -%my $conf = new FS::Conf; -% -%my $error = $cust_main->bill( -%#                          'time'=>$time -%                         ); -% -%unless ( $error ) { -%  $error = $cust_main->apply_payments_and_credits -%           || $cust_main->collect( -%                                  #'invoice-time'=>$time, -%                                  #'batch_card'=> 'yes', -%                                  #'batch_card'=> 'no', -%                                  #'report_badcard'=> 'yes', -%                                  #'retry_card' => 'yes', -% -%                                  'retry' => 'yes', -%                                    -%                                  #this is used only by cust_main::batch_card -%                                  #need to pick & create an actual config -%                                  #value if we're going to turn this on -%                                  #("realtime-backend" doesn't exist, -%                                  # "backend-realtime" is for something -%                                  #  entirely different) -%                                  #'realtime' => $conf->exists('realtime-backend'), -%                                 ); -%} -%  %if ( $error ) { -% - -<!-- mason kludge --> -%  %  errorpage($error);  %} else { -%  print $cgi->redirect(popurl(2). "view/cust_main.cgi?$custnum"); +<% $cgi->redirect(popurl(2). 
"view/cust_main.cgi?$custnum") %>  %} -% +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Bill customer now'); + +#untaint custnum +my($query) = $cgi->keywords; +$query =~ /^(\d*)$/; +my $custnum = $1; +my $cust_main = qsearchs('cust_main',{'custnum'=>$custnum}); +die "Can't find customer!\n" unless $cust_main; + +my $conf = new FS::Conf; + +my $error = $cust_main->bill( +#                          'time'=>$time +                         ); + +unless ( $error ) { +  $error = $cust_main->apply_payments_and_credits +           || $cust_main->collect( +                                  #'invoice-time'=>$time, +                                  #'batch_card'=> 'yes', +                                  #'batch_card'=> 'no', +                                  #'report_badcard'=> 'yes', +                                  #'retry_card' => 'yes', + +                                  'retry' => 'yes', +                                    +                                  #this is used only by cust_main::batch_card +                                  #need to pick & create an actual config +                                  #value if we're going to turn this on +                                  #("realtime-backend" doesn't exist, +                                  # "backend-realtime" is for something +                                  #  entirely different) +                                  #'realtime' => $conf->exists('realtime-backend'), +                                 ); +} + +</%init> diff --git a/httemplate/misc/cancel-unaudited.cgi b/httemplate/misc/cancel-unaudited.cgi index da60dc47b..4919c6632 100755 --- a/httemplate/misc/cancel-unaudited.cgi +++ b/httemplate/misc/cancel-unaudited.cgi 
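Review bot: The untaint in the new `<%init>` block, `$query =~ /^(\d*)$/; my $custnum = $1;`, has two gaps: `\d*` accepts an empty custnum, and a failed match does not abort, so `$custnum` is taken from `$1` even when nothing was captured. Tightening it to `$query =~ /^(\d+)$/ or die "Illegal custnum"; my $custnum = $1;` makes the behaviour match the delete-*.cgi pages in this commit, which all die on a non-matching query. cancel-unaudited.cgi in the next hunk has the same unchecked `$query =~ /^(\d+)$/;` on svcnum. `my $conf = new FS::Conf;` is only referenced from commented-out code in this block and could be dropped.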
@@ -1,36 +1,33 @@ -% -% -%my $dbh = dbh; -%  -%#untaint svcnum -%my($query) = $cgi->keywords; -%$query =~ /^(\d+)$/; -%my $svcnum = $1; -% -%#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum}); -%#die "Unknown svcnum!" unless $svc_acct; -% -%my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum}); -%die "Unknown svcnum!" unless $cust_svc; -%my $cust_pkg = $cust_svc->cust_pkg; -%if ( $cust_pkg ) { -%  errorpage( 'This account has already been audited.  Cancel the '. -%           qq!<A HREF="${p}view/cust_main.cgi?!. $cust_pkg->custnum. -%           '#cust_pkg'. $cust_pkg->pkgnum. '">'. -%           'package</A> instead.'); -%} -% -%my $error = $cust_svc->cancel; -%  %if ( $error ) { -%   - -<!-- mason kludge --> -%  %  errorpage($error);  %} else { -%  print $cgi->redirect(popurl(2)); +<% $cgi->redirect(popurl(2)) %>  %} -% -% +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Unprovision customer service') +      && $FS::CurrentUser::CurrentUser->access_right('View/link unlinked services'); + +#untaint svcnum +my($query) = $cgi->keywords; +$query =~ /^(\d+)$/; +my $svcnum = $1; + +#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum}); +#die "Unknown svcnum!" unless $svc_acct; + +my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum}); +die "Unknown svcnum!" unless $cust_svc; +my $cust_pkg = $cust_svc->cust_pkg; +if ( $cust_pkg ) { +  errorpage( 'This account has already been audited.  Cancel the '. +           qq!<A HREF="${p}view/cust_main.cgi?!. $cust_pkg->custnum. +           '#cust_pkg'. $cust_pkg->pkgnum. '">'. +           'package</A> instead.'); +} + +my $error = $cust_svc->cancel; + +</%init> diff --git a/httemplate/misc/cancel_cust.html b/httemplate/misc/cancel_cust.html index 11ade7e15..94c23646c 100644 --- a/httemplate/misc/cancel_cust.html +++ b/httemplate/misc/cancel_cust.html 
@@ -45,6 +45,8 @@ if ( $cgi->param('error') ) {  $curuser = $FS::CurrentUser::CurrentUser; +die "access denied" unless $curuser->access_right('Cancel customer'); +  $cust_main = qsearchs( {    'table'     => 'cust_main',    'hashref'   => { 'custnum' => $custnum }, diff --git a/httemplate/misc/cancel_pkg.html b/httemplate/misc/cancel_pkg.html index 28d0dd912..e41662793 100755 --- a/httemplate/misc/cancel_pkg.html +++ b/httemplate/misc/cancel_pkg.html @@ -23,7 +23,7 @@  % if ($method eq 'expire' || $method eq 'adjourn') {  <TR>    <TD><% $submit =~ /^(\w*)\s/ %> package on </TD> -    <TD><INPUT TYPE="text" NAME="date" ID="expire_date" VALUE="<% $date %>"> +    <TD><INPUT TYPE="text" NAME="date" ID="expire_date" VALUE="<% $date |h %>">          <IMG SRC="<% $p %>images/calendar.png" ID="expire_button" STYLE="cursor:pointer" TITLE="Select date">          <BR><I>m/d/y</I>      </TD> @@ -39,7 +39,7 @@  %}  % -<% include('/elements/tr-select-reason.html', 'reasonnum', $class, '', '', '', 'document.sc_popup.submit' ) %> +<% include('/elements/tr-select-reason.html', 'reasonnum', $class, $reasonnum, '', '', 'document.sc_popup.submit' ) %>  </TABLE> 
@@ -51,45 +51,53 @@  </HTML>  <%init> -my($method, $pkgnum, $reasonnum, $submit, $cust_pkg, $part_pkg, -   $date, $curuser, $class);  -$date = time2str("%m/%d/%Y", time); + +my $date = time2str("%m/%d/%Y", time); + +my($pkgnum, $reasonnum);  if ( $cgi->param('error') ) { -  $method        = $cgi->param('method'); -  $pkgnum        = $cgi->param('pkgnum'); -  $reasonnum     = $cgi->param('reasonnum'); -  $date = $cgi->param('date'); +  $pkgnum    = $cgi->param('pkgnum'); +  $reasonnum = $cgi->param('reasonnum'); +  $date      = $cgi->param('date');  } elsif ( $cgi->param('pkgnum') =~ /^(\d+)$/ ) { -  $pkgnum  = $1; +  $pkgnum    = $1; +  $reasonnum = '';  } else {    die "illegal query ". $cgi->keywords;  } -$method = $cgi->param('method'); +$cgi->param('method') =~ /^(\w+)$/ or die 'illegal method'; +my $method = $1; + +my($class, $submit, $right);  if ($method eq 'cancel') { -  $class = 'C'; -  $submit    = "Cancel Now"; -}elsif ($method eq 'expire') { -  $class = 'C'; -  $submit    = "Cancel Later"; -}elsif ($method eq 'suspend') { -  $class = 'S'; -  $submit    = "Suspend Now"; -}elsif ($method eq 'adjourn') { -  $class = 'S'; -  $submit    = "Suspend Later"; -}else{ -  die "illegal query ". $cgi->keywords; +  $class  = 'C'; +  $submit = 'Cancel Now'; +  $right  = 'Cancel customer package immediately'; +} elsif ($method eq 'expire') { +  $class  = 'C'; +  $submit = 'Cancel Later'; +  $right  = 'Cancel customer package later'; +} elsif ($method eq 'suspend') { +  $class  = 'S'; +  $submit = 'Suspend Now'; +  $right  = 'Suspend customer package'; +} elsif ($method eq 'adjourn') { +  $class  = 'S'; +  $submit = "Suspend Later"; +  $right  = 'Suspend customer package later'; +} else { +  die 'illegal query (unknown method param)';  } -my $title = ucfirst($method) . 
' Package'; +my $curuser = $FS::CurrentUser::CurrentUser; +die "access denied" unless $curuser->access_right($right); -$cust_pkg = qsearchs('cust_pkg', {'pkgnum' => $pkgnum}); -die "No such package: $pkgnum" unless $cust_pkg; +my $title = ucfirst($method) . ' Package'; -$part_pkg = $cust_pkg->part_pkg; +my $cust_pkg = qsearchs('cust_pkg', {'pkgnum' => $pkgnum}) +  or die "Unknown pkgnum: $pkgnum"; -$curuser = $FS::CurrentUser::CurrentUser; +my $part_pkg = $cust_pkg->part_pkg;  </%init> - diff --git a/httemplate/misc/catchall.cgi b/httemplate/misc/catchall.cgi index 8881746d1..2094494be 100755 --- a/httemplate/misc/catchall.cgi +++ b/httemplate/misc/catchall.cgi 
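Review bot: In the error branch of the new init code `$pkgnum = $cgi->param('pkgnum');` is taken straight from the form, whereas the other branch requires `/^(\d+)$/`; the value then reaches the `qsearchs('cust_pkg', ...)` lookup and is interpolated into the `die "Unknown pkgnum: $pkgnum"` message. Applying the same check in both branches, e.g. `$cgi->param('pkgnum') =~ /^(\d+)$/ or die 'illegal pkgnum'; $pkgnum = $1;`, keeps the untaint consistent with the new `method` handling just below it. Running `access_right($right)` before the package lookup is the right order. `"Suspend Later"` is the only double-quoted literal in the dispatch chain; single quotes would match its neighbours.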
@@ -1,134 +1,120 @@ -<!-- mason kludge --> -% -% -%my $conf = new FS::Conf; -% -%my($svc_domain, $svcnum, $pkgnum, $svcpart, $part_svc); -%if ( $cgi->param('error') ) { -%  $svc_domain = new FS::svc_domain ( { -%    map { $_, scalar($cgi->param($_)) } fields('svc_domain') -%  } ); -%  $svcnum = $svc_domain->svcnum; -%  $pkgnum = $cgi->param('pkgnum'); -%  $svcpart = $cgi->param('svcpart'); -%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart}); -%  die "No part_svc entry!" unless $part_svc; -%} else { -%  my($query) = $cgi->keywords; -%  if ( $query =~ /^(\d+)$/ ) { #editing -%    $svcnum=$1; -%    $svc_domain=qsearchs('svc_domain',{'svcnum'=>$svcnum}) -%      or die "Unknown (svc_domain) svcnum!"; -% -%    my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum}) -%      or die "Unknown (cust_svc) svcnum!"; -% -%    $pkgnum=$cust_svc->pkgnum; -%    $svcpart=$cust_svc->svcpart; -%   -%    $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart}); -%    die "No part_svc entry!" unless $part_svc; -% -%  } else {  -% -%    die "Invalid (svc_domain) svcnum!"; -% -%  } -%} -% -%my %email; -%if ($pkgnum) { -% -%  #find all possible user svcnums (and emails) -% -%  #starting with that currently attached -%  if ($svc_domain->catchall) { -%    my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall}); -%    $email{$svc_domain->catchall} = $svc_acct->email; -%  } -% -%  #and including the rest for this customer -%  my($u_part_svc,@u_acct_svcparts); -%  foreach $u_part_svc ( qsearch('part_svc',{'svcdb'=>'svc_acct'}) ) { -%    push @u_acct_svcparts,$u_part_svc->getfield('svcpart'); -%  } -% -%  my($cust_pkg)=qsearchs('cust_pkg',{'pkgnum'=>$pkgnum}); -%  my($custnum)=$cust_pkg->getfield('custnum'); -%  my($i_cust_pkg); -%  foreach $i_cust_pkg ( qsearch('cust_pkg',{'custnum'=>$custnum}) ) { -%    my($cust_pkgnum)=$i_cust_pkg->getfield('pkgnum'); -%    my($acct_svcpart); -%    foreach $acct_svcpart (@u_acct_svcparts) {   #now find the corresponding  -%                        
                      #record(s) in cust_svc ( for this -%                                              #pkgnum ! ) -%      my($i_cust_svc); -%      foreach $i_cust_svc ( qsearch('cust_svc',{'pkgnum'=>$cust_pkgnum,'svcpart'=>$acct_svcpart}) ) { -%        my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$i_cust_svc->getfield('svcnum')}); -%        $email{$svc_acct->getfield('svcnum')}=$svc_acct->email; -%      }   -%    } -%  } -% -%} else { -% -%  my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall}); -%  $email{$svc_domain->catchall} = $svc_acct->email; -%} -% -%# add an absence of a catchall -%$email{''} = "(none)"; -% -%my $p1 = popurl(1); -%print header("Domain Catchall Edit", ''); -% -%print qq!<FONT SIZE="+1" COLOR="#ff0000">Error: !, $cgi->param('error'), -%      "</FONT>" -%  if $cgi->param('error'); -% -%print qq!<FORM ACTION="${p1}process/catchall.cgi" METHOD=POST>!; -% -%#display -% -%	#formatting -%	print "<PRE>"; -% -%#svcnum -%print qq!<INPUT TYPE="hidden" NAME="svcnum" VALUE="$svcnum">!; -%print qq!Service #<FONT SIZE=+1><B>!, $svcnum ? $svcnum : " (NEW)", "</B></FONT>"; -% -%#pkgnum -%print qq!<INPUT TYPE="hidden" NAME="pkgnum" VALUE="$pkgnum">!; -%  -%#svcpart -%print qq!<INPUT TYPE="hidden" NAME="svcpart" VALUE="$svcpart">!; -% -%my($domain,$catchall)=( -%  $svc_domain->domain, -%  $svc_domain->catchall, -%); -% -%print qq!<INPUT TYPE="hidden" NAME="domain" VALUE="$domain">!; -% -%#catchall -%print qq!\n\nMail to <I>(anything)</I>@<B>$domain</B> forwards to <SELECT NAME="catchall" SIZE=1>!; -%foreach $_ (keys %email) { -%  print "<OPTION", $_ eq $catchall ? " SELECTED" : "", -%        qq! 
VALUE="$_">$email{$_}!; -%} -%print "</SELECT>"; -% -%	#formatting -%	print "</PRE>\n"; -% -%print qq!<CENTER><INPUT TYPE="submit" VALUE="Submit"></CENTER>!; -% -%print <<END; -% -%    </FORM> -%  </BODY> -%</HTML> -%END -% -% +<% include('/elements/header.html', 'Domain Catchall Edit') %> +<% include('/elements/error.html') %> + +<FORM ACTION="<%$p1%>process/catchall.cgi" METHOD=POST> + +<PRE> + +<INPUT TYPE="hidden" NAME="svcnum" VALUE="<% $svcnum |h %>"> +Service #<FONT SIZE=+1><B><% $svcnum ? $svcnum : ' (NEW)' |h %></B></FONT> + +<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<% $pkgnum |h %>"> + +<INPUT TYPE="hidden" NAME="svcpart" VALUE="<% $svcpart %>"> + +% my $domain   = $svc_domain->domain; +% my $catchall = $svc_domain->catchall; + +<INPUT TYPE="hidden" NAME="domain" VALUE="<% $domain |h %>"> + +Mail to <I>(anything)</I>@<B><% $domain |h %></B> forwards to <SELECT NAME="catchall" SIZE=1> +% foreach $_ (keys %email) { +    <OPTION<% $_ eq $catchall ? ' SELECTED' : '' %> VALUE="<% $_ %>"><% $email{$_} %> +% } +</SELECT> + +</PRE> + +<INPUT TYPE="submit" VALUE="Submit"> + +</FORM> + +<% include('/elements/footer.html') %> + +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Edit domain catchall'); + +my $conf = new FS::Conf; + +my($svc_domain, $svcnum, $pkgnum, $svcpart, $part_svc); +if ( $cgi->param('error') ) { +  $svc_domain = new FS::svc_domain ( { +    map { $_, scalar($cgi->param($_)) } fields('svc_domain') +  } ); +  $svcnum = $svc_domain->svcnum; +  $pkgnum = $cgi->param('pkgnum'); +  $svcpart = $cgi->param('svcpart'); +  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart}); +  die "No part_svc entry!" 
unless $part_svc; +} else { +  my($query) = $cgi->keywords; +  if ( $query =~ /^(\d+)$/ ) { #editing +    $svcnum=$1; +    $svc_domain=qsearchs('svc_domain',{'svcnum'=>$svcnum}) +      or die "Unknown (svc_domain) svcnum!"; + +    my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum}) +      or die "Unknown (cust_svc) svcnum!"; + +    $pkgnum=$cust_svc->pkgnum; +    $svcpart=$cust_svc->svcpart; +   +    $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart}); +    die "No part_svc entry!" unless $part_svc; + +  } else {  + +    die "Invalid (svc_domain) svcnum!"; + +  } +} + +my %email; +if ($pkgnum) { + +  #find all possible user svcnums (and emails) + +  #starting with that currently attached +  if ($svc_domain->catchall) { +    my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall}); +    $email{$svc_domain->catchall} = $svc_acct->email; +  } + +  #and including the rest for this customer +  my($u_part_svc,@u_acct_svcparts); +  foreach $u_part_svc ( qsearch('part_svc',{'svcdb'=>'svc_acct'}) ) { +    push @u_acct_svcparts,$u_part_svc->getfield('svcpart'); +  } + +  my($cust_pkg)=qsearchs('cust_pkg',{'pkgnum'=>$pkgnum}); +  my($custnum)=$cust_pkg->getfield('custnum'); +  my($i_cust_pkg); +  foreach $i_cust_pkg ( qsearch('cust_pkg',{'custnum'=>$custnum}) ) { +    my($cust_pkgnum)=$i_cust_pkg->getfield('pkgnum'); +    my($acct_svcpart); +    foreach $acct_svcpart (@u_acct_svcparts) {   #now find the corresponding  +                                              #record(s) in cust_svc ( for this +                                              #pkgnum ! 
) +      my($i_cust_svc); +      foreach $i_cust_svc ( qsearch('cust_svc',{'pkgnum'=>$cust_pkgnum,'svcpart'=>$acct_svcpart}) ) { +        my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$i_cust_svc->getfield('svcnum')}); +        $email{$svc_acct->getfield('svcnum')}=$svc_acct->email; +      }   +    } +  } + +} else { + +  my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall}); +  $email{$svc_domain->catchall} = $svc_acct->email; +} + +# add an absence of a catchall +$email{''} = "(none)"; + +my $p1 = popurl(1); + +</%init> diff --git a/httemplate/misc/cdr-import.html b/httemplate/misc/cdr-import.html index 5e9e2690d..36b2e4cb0 100644 --- a/httemplate/misc/cdr-import.html +++ b/httemplate/misc/cdr-import.html @@ -14,3 +14,9 @@ Filename: <INPUT TYPE="file" NAME="csvfile"><BR><BR>  <% include('/elements/footer.html') %> +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Import'); + +</%init> diff --git a/httemplate/misc/cust_main-cancel.cgi b/httemplate/misc/cust_main-cancel.cgi index 7f6f69701..009a7d41b 100755 --- a/httemplate/misc/cust_main-cancel.cgi +++ b/httemplate/misc/cust_main-cancel.cgi @@ -6,6 +6,9 @@  </HTML>  <%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Cancel customer'); +  my $custnum;  my $ban = '';  if ( $cgi->param('custnum') =~ /^(\d+)$/ ) { diff --git a/httemplate/misc/cust_main-import.cgi b/httemplate/misc/cust_main-import.cgi index bb0c31abe..a4916396e 100644 --- a/httemplate/misc/cust_main-import.cgi +++ b/httemplate/misc/cust_main-import.cgi @@ -96,5 +96,13 @@ advertising source table.  <% include('/elements/footer.html') %>  <%once> +  my $req = qq!<font color="#ff0000">*</font>!; +  </%once> +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Import'); + +</%init> diff --git a/httemplate/misc/cust_main-import_charges.cgi b/httemplate/misc/cust_main-import_charges.cgi index cd4441e0b..3801929e8 100644 
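Review bot: Escaping in the rewritten catchall.cgi form is inconsistent: `svcnum`, `pkgnum` and `domain` are emitted with `|h`, but `<INPUT TYPE="hidden" NAME="svcpart" VALUE="<% $svcpart %>">` and the `<OPTION ... VALUE="<% $_ %>"><% $email{$_} %>` interpolations are not, and in the error branch `$svcpart` comes straight from `$cgi->param('svcpart')`. Adding `|h` to those three interpolations closes a reflected-XSS path for `svcpart` and guards against unusual characters in stored addresses. The `$svc_acct` returned by `qsearchs('svc_acct', ...)` is dereferenced with `->email` in both the `if ($pkgnum)` and `else` branches without a definedness check, so a catchall pointing at a missing service dies with a Perl method-call error rather than a readable message. `my $conf = new FS::Conf;` appears unused in the visible init code.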
--- a/httemplate/misc/cust_main-import_charges.cgi +++ b/httemplate/misc/cust_main-import_charges.cgi @@ -1,14 +1,22 @@ -<!-- mason kludge --> -<% include("/elements/header.html",'Batch Customer Charge') %> +<% include('/elements/header.html', 'Batch Customer Charge') %> +  <FORM ACTION="process/cust_main-import_charges.cgi" METHOD="post" ENCTYPE="multipart/form-data"> +  Import a CSV file containing customer charges.<BR><BR>  Default file format is CSV, with the following field order: <i>custnum, amount, description</i><BR><BR>  If <i>amount</i> is negative, a credit will be applied instead.<BR><BR>  <BR><BR> -    CSV Filename: <INPUT TYPE="file" NAME="csvfile"><BR><BR> -    <INPUT TYPE="submit" VALUE="Import"> -    </FORM> -  </BODY> -<HTML> +CSV Filename: <INPUT TYPE="file" NAME="csvfile"><BR><BR> +<INPUT TYPE="submit" VALUE="Import"> + +</FORM> + +<% include('/elements/footer.html') %> + +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Import'); +</%init> diff --git a/httemplate/misc/delete-cust_credit.cgi b/httemplate/misc/delete-cust_credit.cgi index 78df24989..03eb47299 100755 --- a/httemplate/misc/delete-cust_credit.cgi +++ b/httemplate/misc/delete-cust_credit.cgi 
@@ -1,17 +1,21 @@ -% -% -%#untaint crednum -%my($query) = $cgi->keywords; -%$query =~ /^(\d+)$/ || die "Illegal crednum"; -%my $crednum = $1; -% -%my $cust_credit = qsearchs('cust_credit',{'crednum'=>$crednum}); -%my $custnum = $cust_credit->custnum; -% -%my $error = $cust_credit->delete; -%errorpage($error) if $error; -% -%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum); -% -% +% if ( $error ) { +%   errorpage($error); +% } else { +<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %> +% } +<%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Delete credit'); + +#untaint crednum +my($query) = $cgi->keywords; +$query =~ /^(\d+)$/ || die "Illegal crednum"; +my $crednum = $1; + +my $cust_credit = qsearchs('cust_credit',{'crednum'=>$crednum}); +my $custnum = $cust_credit->custnum; + +my $error = $cust_credit->delete; + +</%init> diff --git a/httemplate/misc/delete-cust_pay.cgi b/httemplate/misc/delete-cust_pay.cgi index a0fa414d5..38e7e4ba1 100755 --- a/httemplate/misc/delete-cust_pay.cgi +++ b/httemplate/misc/delete-cust_pay.cgi @@ -1,17 +1,21 @@ -% -% -%#untaint paynum -%my($query) = $cgi->keywords; -%$query =~ /^(\d+)$/ || die "Illegal paynum"; -%my $paynum = $1; -% -%my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum}); -%my $custnum = $cust_pay->custnum; -% -%my $error = $cust_pay->delete; -%errorpage($error) if $error; -% -%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum); -% -% +% if ( $error ) { +%   errorpage($error); +% } else { +<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %> +% } +<%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Delete payment'); + +#untaint paynum +my($query) = $cgi->keywords; +$query =~ /^(\d+)$/ || die "Illegal paynum"; +my $paynum = $1; + +my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum}); +my $custnum = $cust_pay->custnum; + +my $error = $cust_pay->delete; + +</%init> 
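Review bot: `qsearchs('cust_credit',{'crednum'=>$crednum})` can return undef, and the next line calls `->custnum` on it, so an unknown crednum yields a Perl "Can't call method" error instead of a clean message; add `die "Unknown crednum" unless $cust_credit;` after the lookup. The same missing check applies to delete-cust_pay.cgi in this hunk, delete-cust_refund.cgi in the next, and the `->delete` calls in delete-domain_record.cgi and delete-part_export.cgi. The new right checks here are purely role-based: unlike delete-customer.cgi in this commit, which scopes its lookup with `agentnums_sql`, these pages will delete a credit, payment or refund on any agent's customer once the user holds the right — if agent scoping is meant to apply, the lookup should carry the same `extra_sql` clause.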
diff --git a/httemplate/misc/delete-cust_refund.cgi b/httemplate/misc/delete-cust_refund.cgi index f3ac589aa..983a79da5 100755 --- a/httemplate/misc/delete-cust_refund.cgi +++ b/httemplate/misc/delete-cust_refund.cgi @@ -1,17 +1,21 @@ -% -% -%#untaint refundnum -%my($query) = $cgi->keywords; -%$query =~ /^(\d+)$/ || die "Illegal refundnum"; -%my $refundnum = $1; -% -%my $cust_refund = qsearchs('cust_refund',{'refundnum'=>$refundnum}); -%my $custnum = $cust_refund->custnum; -% -%my $error = $cust_refund->delete; -%errorpage($error) if $error; -% -%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum); -% -% +% if ( $error ) { +%   errorpage($error); +% } else { +<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %> +% } +<%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Delete refund'); + +#untaint refundnum +my($query) = $cgi->keywords; +$query =~ /^(\d+)$/ || die "Illegal refundnum"; +my $refundnum = $1; + +my $cust_refund = qsearchs('cust_refund',{'refundnum'=>$refundnum}); +my $custnum = $cust_refund->custnum; + +my $error = $cust_refund->delete; + +</%init> diff --git a/httemplate/misc/delete-customer.cgi b/httemplate/misc/delete-customer.cgi index 378f69e61..17b7bda5e 100755 --- a/httemplate/misc/delete-customer.cgi +++ b/httemplate/misc/delete-customer.cgi 
@@ -1,48 +1,26 @@ -<!-- mason kludge --> -% -% -%my $conf = new FS::Conf; -%die "Customer deletions not enabled" unless $conf->exists('deletecustomers'); -% -%my($custnum, $new_custnum); -%if ( $cgi->param('error') ) { -%  $custnum = $cgi->param('custnum'); -%  $new_custnum = $cgi->param('new_custnum'); -%} else { -%  my($query) = $cgi->keywords; -%  $query =~ /^(\d+)$/ or die "Illegal query: $query"; -%  $custnum = $1; -%  $new_custnum = ''; -%} -%my $cust_main = qsearchs( 'cust_main', { 'custnum' => $custnum } ) -%  or die "Customer not found: $custnum"; -% -%print header('Delete customer'); -% -%print qq!<FONT SIZE="+1" COLOR="#ff0000">Error: !, $cgi->param('error'), -%      "</FONT>" -%  if $cgi->param('error'); -% -%print  -%  qq!<form action="!, popurl(1), qq!process/delete-customer.cgi" method=post>!, -%  qq!<input type="hidden" name="custnum" value="$custnum">!; -% +<% include('/elements/header.html', 'Delete customer') %> + +<% include('/elements/error.html') %> + +<FORM ACTION="<% popurl(1) %>process/delete-customer.cgi" METHOD=POST> +<INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum |h %>"> +  %if ( qsearch('cust_pkg', { 'custnum' => $custnum, 'cancel' => '' } ) ) { -%  print "Move uncancelled packages to customer number ", -%        qq!<input type="text" name="new_custnum" value="$new_custnum"><br><br>!; +  Move uncancelled packages to customer number  +  <INPUT TYPE="text" NAME="new_custnum" VALUE="<% $new_custnum |h %>"><BR><BR>  %} -% -%print <<END; -%This will <b>completely remove</b> all traces of this customer record.  This -%is <B>not</B> what you want if this is a real customer who has simply -%canceled service with you.  For that, cancel all of the customer's packages. -%(you can optionally hide cancelled customers with the <a href="../config/config-view.cgi#hidecancelledcustomers">hidecancelledcustomers</a> configuration option) -%<br> -%<br>Are you <b>absolutely sure</b> you want to delete this customer? 
-%<br><input type="submit" value="Yes"> -%</form></body></html> -%END -% + +This will <B>completely remove</B> all traces of this customer record.  This +is <B>not</B> what you want if this is a real customer who has simply +canceled service with you.  For that, cancel all of the customer's packages. +(you can optionally hide cancelled customers with the <A HREF="../config/config-view.cgi#hidecancelledcustomers">hidecancelledcustomers</A> configuration option) +<BR> +<BR>Are you <B>absolutely sure</B> you want to delete this customer? +<BR><INPUT TYPE="submit" VALUE="Yes"> +</FORM> + +<% include('/elements/footer.html') %> +  %#Deleting a customer you have financial records on (i.e. credits) is  %#typically considered fraudulant bookkeeping.  Remember, deleting     %#customers should ONLY be used for completely bogus records.  You should @@ -56,6 +34,31 @@  %#Also see the "hidecancelledcustomers" and "hidecancelledpackages"  %#configuration options, which will allow you to surpress the display of  %#cancelled customers and packages, respectively. -% -% +<%init> + +my $conf = new FS::Conf; +die "Customer deletions not enabled in configuration" +  unless $conf->exists('deletecustomers'); + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Delete customer'); + +my($custnum, $new_custnum); +if ( $cgi->param('error') ) { +  $custnum = $cgi->param('custnum'); +  $new_custnum = $cgi->param('new_custnum'); +} else { +  my($query) = $cgi->keywords; +  $query =~ /^(\d+)$/ or die "Illegal query: $query"; +  $custnum = $1; +  $new_custnum = ''; +} +my $cust_main = qsearchs( { +  'table'     => 'cust_main', +  'hashref'   => { 'custnum' => $custnum }, +  'extra_sql' => ' AND '. $FS::CurrentUser::CurrentUser->agentnums_sql, +} ) +  or die 'Unknown custnum'; + +<%/init> diff --git a/httemplate/misc/delete-domain_record.cgi b/httemplate/misc/delete-domain_record.cgi index 83e75ce20..08eedde5f 100755 --- a/httemplate/misc/delete-domain_record.cgi 
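Review bot: The new init block is closed with `<%/init>` instead of `</%init>`, so Mason will not recognise the end of the block and the component will fail to compile; change it to `</%init>`. In the `$cgi->param('error')` branch `$custnum` is taken from the form without the `/^(\d+)$/` check the other branch applies, and it then feeds the `qsearch('cust_pkg', ...)` and `qsearchs(...)` lookups; applying the same pattern in both branches keeps the untaint uniform. Scoping the customer lookup with `agentnums_sql` is a good addition.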
+++ b/httemplate/misc/delete-domain_record.cgi @@ -1,16 +1,20 @@ -% -% -%#untaint recnum -%my($query) = $cgi->keywords; -%$query =~ /^(\d+)$/ || die "Illegal recnum"; -%my $recnum = $1; -% -%my $domain_record = qsearchs('domain_record',{'recnum'=>$recnum}); -% -%my $error = $domain_record->delete; -%errorpage($error) if $error; -% -%print $cgi->redirect($p. "view/svc_domain.cgi?". $domain_record->svcnum); -% -% +% if ( $error ) { +%   errorpage($error); +% } else { +<% $cgi->redirect($p. "view/svc_domain.cgi?". $domain_record->svcnum) %> +% } +<%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Edit domain nameservice'); + +#untaint recnum +my($query) = $cgi->keywords; +$query =~ /^(\d+)$/ || die "Illegal recnum"; +my $recnum = $1; + +my $domain_record = qsearchs('domain_record',{'recnum'=>$recnum}); + +my $error = $domain_record->delete; + +</%init> diff --git a/httemplate/misc/delete-part_export.cgi b/httemplate/misc/delete-part_export.cgi index 5f2ebb99c..52404e0c4 100755 --- a/httemplate/misc/delete-part_export.cgi +++ b/httemplate/misc/delete-part_export.cgi @@ -1,16 +1,20 @@ -% -% -%#untaint exportnum -%my($query) = $cgi->keywords; -%$query =~ /^(\d+)$/ || die "Illegal exportnum"; -%my $exportnum = $1; -% -%my $part_export = qsearchs('part_export',{'exportnum'=>$exportnum}); -% -%my $error = $part_export->delete; -%errorpage($error) if $error; -% -%print $cgi->redirect($p. "browse/part_export.cgi"); -% -% +% if ( $error ) { +%   errorpage($error); +% } else { +<% $cgi->redirect($p. "browse/part_export.cgi") %> +% } +<%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + +#untaint exportnum +my($query) = $cgi->keywords; +$query =~ /^(\d+)$/ || die "Illegal exportnum"; +my $exportnum = $1; + +my $part_export = qsearchs('part_export',{'exportnum'=>$exportnum}); + +my $error = $part_export->delete; + +</%init> 
diff --git a/httemplate/misc/dump.cgi b/httemplate/misc/dump.cgi index 486b66568..3b60b20ef 100644 --- a/httemplate/misc/dump.cgi +++ b/httemplate/misc/dump.cgi @@ -1,3 +1,5 @@ +%  die "access denied" +%    unless $FS::CurrentUser::CurrentUser->access_right('Export');  %  %  if ( driver_name =~ /^Pg$/ ) {  %    my $dbname = (split(':', datasrc))[2]; @@ -16,5 +18,3 @@  %    print $_;  %  }  %  close DUMP; -% - diff --git a/httemplate/misc/email-invoice.cgi b/httemplate/misc/email-invoice.cgi index 8a3dd90b1..269722f67 100755 --- a/httemplate/misc/email-invoice.cgi +++ b/httemplate/misc/email-invoice.cgi @@ -1,18 +1,19 @@ -% -% -%#untaint invnum -%my($query) = $cgi->keywords; -%$query =~ /^((.+)-)?(\d+)$/; -%my $template = $2; -%my $invnum = $3; -%my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum}); -%die "Can't find invoice!\n" unless $cust_bill; -% -%$cust_bill->email($template);  -% -%my $custnum = $cust_bill->getfield('custnum'); -% -%print $cgi->redirect("${p}view/cust_main.cgi?$custnum"); -% -% +<% $cgi->redirect("${p}view/cust_main.cgi?$custnum") %> +<%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices'); + +#untaint invnum +my($query) = $cgi->keywords; +$query =~ /^((.+)-)?(\d+)$/; +my $template = $2; +my $invnum = $3; +my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum}); +die "Can't find invoice!\n" unless $cust_bill; + +$cust_bill->email($template);  + +my $custnum = $cust_bill->getfield('custnum'); + +</%init> diff --git a/httemplate/misc/email_invoice_events.cgi b/httemplate/misc/email_invoice_events.cgi index ba6e72c1a..d65fe172b 100644 --- a/httemplate/misc/email_invoice_events.cgi +++ b/httemplate/misc/email_invoice_events.cgi 
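Review bot: The access check in dump.cgi is written as two `%` Perl lines at the top of the component rather than in a `<%init>` block as every other file in this commit does; moving it into `<%init>` keeps the pattern uniform and makes it easier to audit that each page is gated. The surrounding code still uses a bareword `DUMP` filehandle (`close DUMP;` is visible in the second hunk); a lexical handle with three-argument open would be the modern form, though that is outside this change.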
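Review bot: In email-invoice.cgi the untaint `$query =~ /^((.+)-)?(\d+)$/;` is not checked for success, and the template capture `(.+)` accepts any characters before passing them to `$cust_bill->email($template)`; if templates are resolved by name on disk or in configuration, restricting the capture and aborting on a miss, e.g. `$query =~ /^((\w+)-)?(\d+)$/ or die "Illegal invnum";`, is safer and also stops a non-matching query from proceeding with an unset `$2`/`$3`. fax-invoice.cgi in the next hunk has the identical pattern feeding `$cust_bill->fax($template)`. The moved `$custnum` lookup and redirect are fine as relocated.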
@@ -1,4 +1,9 @@ -% -%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reemail', $cgi; -%  <% $server->process %> +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices'); + +my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reemail', $cgi; + +</%init> diff --git a/httemplate/misc/email_invoices.cgi b/httemplate/misc/email_invoices.cgi index 6c2103f7b..78ca0f67d 100644 --- a/httemplate/misc/email_invoices.cgi +++ b/httemplate/misc/email_invoices.cgi @@ -1,4 +1,9 @@ -% -%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reemail', $cgi; -%  <% $server->process %> +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices'); + +my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reemail', $cgi; + +</%init> diff --git a/httemplate/misc/fax-invoice.cgi b/httemplate/misc/fax-invoice.cgi index 1ddc23ece..e2e6db095 100755 --- a/httemplate/misc/fax-invoice.cgi +++ b/httemplate/misc/fax-invoice.cgi @@ -1,18 +1,19 @@ -% -% -%#untaint invnum -%my($query) = $cgi->keywords; -%$query =~ /^((.+)-)?(\d+)$/; -%my $template = $2; -%my $invnum = $3; -%my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum}); -%die "Can't find invoice!\n" unless $cust_bill; -% -%$cust_bill->fax($template); -% -%my $custnum = $cust_bill->getfield('custnum'); -% -%print $cgi->redirect("${p}view/cust_main.cgi?$custnum"); -% -% +<% $cgi->redirect("${p}view/cust_main.cgi?$custnum") %> +<%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices'); + +#untaint invnum +my($query) = $cgi->keywords; +$query =~ /^((.+)-)?(\d+)$/; +my $template = $2; +my $invnum = $3; +my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum}); +die "Can't find invoice!\n" unless $cust_bill; + +$cust_bill->fax($template); + +my $custnum = $cust_bill->getfield('custnum'); + +</%init> 
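Review bot: `my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reemail', $cgi;` uses indirect-object syntax, which Perl resolves at parse time by guessing whether `new` is a method or a bareword; the conventional form is `my $server = FS::UI::Web::JSRPC->new('FS::cust_bill_event::process_reemail', $cgi);`. The same line appears in email_invoices.cgi in this hunk group and in the fax_*/print_* JSRPC hunks further down. Moving the constructor into `<%init>` after the ACL check is the right ordering, since `<%init>` runs before `<% $server->process %>` in the body.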
diff --git a/httemplate/misc/fax_invoice_events.cgi b/httemplate/misc/fax_invoice_events.cgi index deb78d456..05420eeca 100644 --- a/httemplate/misc/fax_invoice_events.cgi +++ b/httemplate/misc/fax_invoice_events.cgi @@ -1,4 +1,9 @@ -%  -%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_refax', $cgi; -%  <% $server->process %> +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices'); + +my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_refax', $cgi; + +</%init> diff --git a/httemplate/misc/fax_invoices.cgi b/httemplate/misc/fax_invoices.cgi index 4bdac970c..a843523db 100644 --- a/httemplate/misc/fax_invoices.cgi +++ b/httemplate/misc/fax_invoices.cgi @@ -1,4 +1,9 @@ -%  -%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_refax', $cgi; -%  <% $server->process %> +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices'); + +my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_refax', $cgi; + +</%init> diff --git a/httemplate/misc/inventory_item-import.html b/httemplate/misc/inventory_item-import.html index 363623806..423d0d672 100644 --- a/httemplate/misc/inventory_item-import.html +++ b/httemplate/misc/inventory_item-import.html @@ -1,11 +1,3 @@ -% -% -%my $classnum = $cgi->param('classnum'); -%$classnum =~ /^(\d+)$/ or errorpage("illegal classnum $classnum"); -%$classnum = $1; -%my $inventory_class = qsearchs('inventory_class', { 'classnum' => $classnum } ); -% -%  <% include("/elements/header.html", $inventory_class->classname. 's') %>  <FORM ACTION="process/inventory_item-import.html" METHOD="POST" ENCTYPE="multipart/form-data"> 
@@ -19,3 +11,13 @@ Filename: <INPUT TYPE="file" NAME="filename"><BR><BR>  <% include('/elements/footer.html') %> +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Import'); + +$cgi->param =~ /^(\d+)$/ or errorpage("illegal classnum $classnum"); +my $classnum = $1; +my $inventory_class = qsearchs('inventory_class', { 'classnum' => $classnum } ); + +</%init> diff --git a/httemplate/misc/link.cgi b/httemplate/misc/link.cgi index ef72b4a5c..748eaa15f 100755 --- a/httemplate/misc/link.cgi +++ b/httemplate/misc/link.cgi @@ -1,31 +1,5 @@ -%my %link_field = ( -%  'svc_acct'    => 'username', -%  'svc_domain'  => 'domain', -%); -% -%my %link_field2 = ( -%  'svc_acct'    => { label => 'Domain', -%                     field => 'domsvc', -%                     type  => 'select', -%                     select_table => 'svc_domain', -%                     select_key   => 'svcnum', -%                     select_label => 'domain' -%                   }, -%); -% -%$cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum'; -%my $pkgnum = $1; -%$cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart'; -%my $svcpart = $1; -% -%my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart}); -%my $svc = $part_svc->getfield('svc'); -%my $svcdb = $part_svc->getfield('svcdb'); -%my $link_field = $link_field{$svcdb}; -%my $link_field2 = $link_field2{$svcdb}; -% -  <% include("/elements/header.html","Link to existing $svc") %> +  <FORM ACTION="<% popurl(1) %>process/link.cgi" METHOD=POST>  % if ( $link_field ) {  
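Review bot: `$cgi->param =~ /^(\d+)$/ or errorpage("illegal classnum $classnum");` in inventory_item-import.html lost the `'classnum'` argument and the `my $classnum = $cgi->param('classnum');` that the removed lines had, so the message references an undeclared variable (a compile error under strict) and the regex is matched against what `param()` returns with no argument rather than the submitted classnum. Restore the untaint as `my $classnum = $cgi->param('classnum');`, `$classnum =~ /^(\d+)$/ or errorpage("illegal classnum $classnum");`, `$classnum = $1;`. The following `qsearchs('inventory_class', ...)` result is dereferenced in the body (`$inventory_class->classname`, outside this hunk) without a check, so `die "Unknown classnum $classnum" unless $inventory_class;` belongs here too.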
@@ -72,6 +46,39 @@  <INPUT TYPE="hidden" NAME="pkgnum" VALUE="<% $pkgnum %>">  <INPUT TYPE="hidden" NAME="svcpart" VALUE="<% $svcpart %>">  <BR><INPUT TYPE="submit" VALUE="Link"> -    </FORM> -  </BODY> -</HTML> +</FORM> + +<% include('/elements/footer.html') %> + +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('View/link unlinked services'); + +my %link_field = ( +  'svc_acct'    => 'username', +  'svc_domain'  => 'domain', +); + +my %link_field2 = ( +  'svc_acct'    => { label => 'Domain', +                     field => 'domsvc', +                     type  => 'select', +                     select_table => 'svc_domain', +                     select_key   => 'svcnum', +                     select_label => 'domain' +                   }, +); + +$cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum'; +my $pkgnum = $1; +$cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart'; +my $svcpart = $1; + +my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart}); +my $svc = $part_svc->getfield('svc'); +my $svcdb = $part_svc->getfield('svcdb'); +my $link_field = $link_field{$svcdb}; +my $link_field2 = $link_field2{$svcdb}; + +</%init> diff --git a/httemplate/misc/meta-import.cgi b/httemplate/misc/meta-import.cgi index fc249a2ab..5b3470c06 100644 --- a/httemplate/misc/meta-import.cgi +++ b/httemplate/misc/meta-import.cgi @@ -1,5 +1,5 @@ -<!-- mason kludge --> -<% include("/elements/header.html",'Import') %> +<% include('/elements/header.html', 'Import') %> +  <FORM ACTION="process/meta-import.cgi" METHOD="post" ENCTYPE="multipart/form-data">  Import data from a DBI data source<BR><BR>  % @@ -68,6 +68,12 @@ Import data from a DBI data source<BR><BR>    <INPUT TYPE="submit" VALUE="Import">    </FORM> -  </BODY> -<HTML> +<% include('/elements/footer.html') %> + +<%init> + +#there's no ACL for this...  haven't used in ages +die 'meta-import not enabled; remove this if you want to use it'; + +</%init> 
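Review bot: `my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart});` in the link.cgi `<%init>` is dereferenced on the next line with no existence check, so an unknown svcpart dies on a method call on undef; add `die "Unknown svcpart $svcpart" unless $part_svc;`. `%link_field` and `%link_field2` are constant tables rebuilt on every request; the cancel_pkg.html hunk later in this commit places such tables in `<%once>`, which would be consistent here.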
diff --git a/httemplate/misc/payment.cgi b/httemplate/misc/payment.cgi index ce9a48beb..f99f2f068 100644 --- a/httemplate/misc/payment.cgi +++ b/httemplate/misc/payment.cgi @@ -217,6 +217,9 @@ function OLiframeContent(src, width, height, name) {  <% include('/elements/footer.html') %>  <%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Process payment'); +  my %type = ( 'CARD' => 'credit card',               'CHEK' => 'electronic check (ACH)',             ); diff --git a/httemplate/misc/print-invoice.cgi b/httemplate/misc/print-invoice.cgi index 511bdce19..aeef68795 100755 --- a/httemplate/misc/print-invoice.cgi +++ b/httemplate/misc/print-invoice.cgi @@ -1,18 +1,19 @@ -% -% -%#untaint invnum -%my($query) = $cgi->keywords; -%$query =~ /^((.+)-)?(\d+)$/; -%my $template = $2; -%my $invnum = $3; -%my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum}); -%die "Can't find invoice!\n" unless $cust_bill; -% -%$cust_bill->print($template); -% -%my $custnum = $cust_bill->getfield('custnum'); -% -%print $cgi->redirect("${p}view/cust_main.cgi?$custnum"); -% -% +<% $cgi->redirect("${p}view/cust_main.cgi?$custnum") %> +<%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices'); + +#untaint invnum +my($query) = $cgi->keywords; +$query =~ /^((.+)-)?(\d+)$/; +my $template = $2; +my $invnum = $3; +my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum}); +die "Can't find invoice!\n" unless $cust_bill; + +$cust_bill->print($template); + +my $custnum = $cust_bill->getfield('custnum'); + +</%init> diff --git a/httemplate/misc/print_invoice_events.cgi b/httemplate/misc/print_invoice_events.cgi index 913e2683f..c974d5f4e 100644 --- a/httemplate/misc/print_invoice_events.cgi +++ b/httemplate/misc/print_invoice_events.cgi 
@@ -1,4 +1,9 @@ -% -%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reprint', $cgi;  -  <% $server->process %> +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices'); + +my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reprint', $cgi;  + +</%init> diff --git a/httemplate/misc/print_invoices.cgi b/httemplate/misc/print_invoices.cgi index 826a081fd..f859f6db8 100644 --- a/httemplate/misc/print_invoices.cgi +++ b/httemplate/misc/print_invoices.cgi @@ -1,4 +1,9 @@ -%  -%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reprint', $cgi; -%  <% $server->process %> +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices'); + +my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reprint', $cgi; + +</%init> diff --git a/httemplate/misc/process/batch-cust_pay.cgi b/httemplate/misc/process/batch-cust_pay.cgi index e4d1bbff5..058a2251a 100644 --- a/httemplate/misc/process/batch-cust_pay.cgi +++ b/httemplate/misc/process/batch-cust_pay.cgi @@ -1,3 +1,5 @@ +%  die "access denied" +%    unless $FS::CurrentUser::CurrentUser->access_right('Post payment batch');  %  %  my $param = $cgi->Vars;  % diff --git a/httemplate/misc/process/cancel_pkg.html b/httemplate/misc/process/cancel_pkg.html index 50b111093..1a8d23b6f 100755 --- a/httemplate/misc/process/cancel_pkg.html +++ b/httemplate/misc/process/cancel_pkg.html 
@@ -1,24 +1,50 @@ +<% header("Package $past{$method}") %> +  <SCRIPT TYPE="text/javascript"> +    window.top.location.reload(); +  </SCRIPT> +  </BODY> +</HTML> +<%once> + +my %past = ( 'cancel'  => 'cancelled', +             'expire'  => 'expired', +             'suspend' => 'suspended', +             'adjourn' => 'adjourned', +           ); + +#i'm sure this is false laziness with somewhere, at least w/misc/cancel_pkg.html +my %right = ( 'cancel'  => 'Cancel customer package immediately', +              'expire'  => 'Cancel customer package later', +              'suspend' => 'Suspend customer package', +              'adjourn' => 'Suspend customer package later', +            ); + +</%once>  <%init> +  #untaint method  my $method = $cgi->param('method'); -$method =~ /^(cancel|expire|suspend|adjourn)$/ || die "Illegal method"; +$method =~ /^(cancel|expire|suspend|adjourn)$/ or die "Illegal method";  $method = $1; +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right($right{$method}); +  #untaint pkgnum  my $pkgnum = $cgi->param('pkgnum'); -$pkgnum =~ /^(\d+)$/ || die "Illegal pkgnum"; +$pkgnum =~ /^(\d+)$/ or die "Illegal pkgnum";  $pkgnum = $1;  #untaint reasonnum  my $reasonnum = $cgi->param('reasonnum'); -$reasonnum =~ /^(-?\d+)$/ || die "Illegal reasonnum"; +$reasonnum =~ /^(-?\d+)$/ or die "Illegal reasonnum";  $reasonnum = $1;  my $date = time;  if ($method eq 'expire' || $method eq 'adjourn'){    #untaint date    $date = $cgi->param('date'); -  str2time($cgi->param('date')) =~ /^(\d+)$/ || die "Illegal date"; +  str2time($cgi->param('date')) =~ /^(\d+)$/ or die "Illegal date";    $date = $1;  } 
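Review bot: `$FS::CurrentUser::CurrentUser->access_right($right{$method})` relies on `%right` covering every value the preceding alternation admits; if the regex is ever extended without updating the `<%once>` table, the lookup yields undef and what `access_right(undef)` returns is not visible here. A fail-closed guard `die "no ACL defined for $method" unless $right{$method};` before the check keeps that coupling explicit. In the date branch, `$date = $cgi->param('date');` is immediately overwritten by `$date = $1;` and can be dropped.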
@@ -65,15 +91,4 @@ if ($error) {  $dbh->commit or die $dbh->errstr if $oldAutoCommit; - my %past = ( 'cancel'  => 'cancelled', -              'expire'  => 'expired', -              'suspend' => 'suspended', -              'adjourn' => 'adjourned', -            );  </%init> -<% header("Package $past{$method}") %> -  <SCRIPT TYPE="text/javascript"> -    window.top.location.reload(); -  </SCRIPT> -  </BODY></HTML> - diff --git a/httemplate/misc/process/catchall.cgi b/httemplate/misc/process/catchall.cgi index f2899c720..0dda2eada 100755 --- a/httemplate/misc/process/catchall.cgi +++ b/httemplate/misc/process/catchall.cgi 
@@ -1,34 +1,35 @@ -% -% -%$FS::svc_domain::whois_hack=1; -% -%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; -%my $svcnum =$1; -% -%my $old = qsearchs('svc_domain',{'svcnum'=>$svcnum}) if $svcnum; -% -%my $new = new FS::svc_domain ( { -%  map { -%    ($_, scalar($cgi->param($_))); -%  } ( fields('svc_domain'), qw( pkgnum svcpart ) ) -%} ); -% -%$new->setfield('action' => 'M'); -% -%my $error; -%if ( $svcnum ) { -%  $error = $new->replace($old); -%} else { -%  $error = $new->insert; -%  $svcnum = $new->getfield('svcnum'); -%}  -%  %if ($error) {  %  $cgi->param('error', $error); -%  print $cgi->redirect(popurl(2). "catchall.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "catchall.cgi?". $cgi->query_string ) %>  %} else { -%  print $cgi->redirect(popurl(3). "view/svc_domain.cgi?$svcnum"); +<% $cgi->redirect(popurl(3). "view/svc_domain.cgi?$svcnum") %>  %} -% -% +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Edit domain catchall'); + +$FS::svc_domain::whois_hack=1; + +$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; +my $svcnum =$1; + +my $old = qsearchs('svc_domain',{'svcnum'=>$svcnum}) if $svcnum; + +my $new = new FS::svc_domain ( { +  map { +    ($_, scalar($cgi->param($_))); +  } ( fields('svc_domain'), qw( pkgnum svcpart ) ) +} ); + +$new->setfield('action' => 'M'); + +my $error; +if ( $svcnum ) { +  $error = $new->replace($old); +} else { +  $error = $new->insert; +  $svcnum = $new->getfield('svcnum'); +}  +</%init> diff --git a/httemplate/misc/process/cdr-import.html b/httemplate/misc/process/cdr-import.html index 93137c3d0..4848fa325 100644 --- a/httemplate/misc/process/cdr-import.html +++ b/httemplate/misc/process/cdr-import.html 
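Review bot: `my $old = qsearchs('svc_domain',{'svcnum'=>$svcnum}) if $svcnum;` declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour (the variable may keep its value from a previous call of the component subroutine); write `my $old; $old = qsearchs('svc_domain',{'svcnum'=>$svcnum}) if $svcnum;`. The same pattern appears in the svc_acct-domains.cgi hunk at the end of this diff. `$new->replace($old)` also runs when a svcnum was supplied but no row was found, so `die "Unknown svcnum $svcnum" if $svcnum && !$old;` after the lookup would make that failure explicit.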
@@ -1,30 +1,22 @@ -% -% -%  my $fh = $cgi->upload('csvfile'); -% -%  my $error = defined($fh) -%    ? FS::cdr::batch_import( { -%        'filehandle' => $fh, -%        'format'     => $cgi->param('format'), -%      } ) -%    : 'No file'; -% -%  if ( $error ) { -%     - -    <!-- mason kludge --> -% -% errorpage($error); -%#    $cgi->param('error', $error); -%#    print $cgi->redirect( "${p}cust_main-import.cgi -%  } else { -%     - -    <!-- mason kludge --> +% if ( $error ) { +%   errorpage($error); +% } else {      <% include("/elements/header.html",'Import successful') %>      <!-- XXX redirect to batch search like the payment entry... -->      <% include("/elements/footer.html",'Import successful') %>  -% -%  } -% +% } +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Import'); + +my $fh = $cgi->upload('csvfile'); + +my $error = defined($fh) +  ? FS::cdr::batch_import( { +      'filehandle' => $fh, +      'format'     => $cgi->param('format'), +    } ) +  : 'No file'; +</%init> diff --git a/httemplate/misc/process/cust_main-import.cgi b/httemplate/misc/process/cust_main-import.cgi index c8d1b6cd1..aa8cd5298 100644 --- a/httemplate/misc/process/cust_main-import.cgi +++ b/httemplate/misc/process/cust_main-import.cgi 
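Review bot: `'format'     => $cgi->param('format'),` calls `param` in list context inside the hash constructor, so a missing or repeated `format` parameter shifts the remaining keys and values; the cust_main-import.cgi hunk that follows already wraps the same call in `scalar(...)`, so write `'format'     => scalar($cgi->param('format')),` here. The process/inventory_item-import.html hunk further down has the same unwrapped call on `'classnum'`, which is also passed through without the `/^(\d+)$/` untaint the form page applies.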
@@ -1,35 +1,28 @@ -% -% -%  my $fh = $cgi->upload('csvfile'); -%  #warn $cgi; -%  #warn $fh; -% -%  my $error = defined($fh) -%    ? FS::cust_main::batch_import( { -%        filehandle => $fh, -%        agentnum   => scalar($cgi->param('agentnum')), -%        refnum     => scalar($cgi->param('refnum')), -%        pkgpart    => scalar($cgi->param('pkgpart')), -%        #'fields'    => [qw( cust_pkg.setup dayphone first last address1 address2 -%        #                   city state zip comments                          )], -%        'format'   => scalar($cgi->param('format')), -%      } ) -%    : 'No file'; -% -%  if ( $error ) { -%     - -    <!-- mason kludge --> -% -% errorpage($error); -%#    $cgi->param('error', $error); -%#    print $cgi->redirect( "${p}cust_main-import.cgi +% if ( $error ) { +%   errorpage($error);  %  } else { -%     - -    <!-- mason kludge --> -    <% include("/elements/header.html",'Import successful') %>  -% +    <% include('/elements/header.html','Import successful') %>  +    <% include('/elements/footer.html') %>   %  } -% +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Import'); + +my $fh = $cgi->upload('csvfile'); +#warn $cgi; +#warn $fh; + +my $error = defined($fh) +  ? FS::cust_main::batch_import( { +      filehandle => $fh, +      agentnum   => scalar($cgi->param('agentnum')), +      refnum     => scalar($cgi->param('refnum')), +      pkgpart    => scalar($cgi->param('pkgpart')), +      #'fields'    => [qw( cust_pkg.setup dayphone first last address1 address2 +      #                   city state zip comments                          )], +      'format'   => scalar($cgi->param('format')), +    } ) +  : 'No file'; +</%init> diff --git a/httemplate/misc/process/cust_main-import_charges.cgi b/httemplate/misc/process/cust_main-import_charges.cgi index 1a29bf600..3ca68944a 100644 --- a/httemplate/misc/process/cust_main-import_charges.cgi +++ b/httemplate/misc/process/cust_main-import_charges.cgi 
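Review bot: `#warn $cgi;` and `#warn $fh;` are leftover debugging lines carried into the new `<%init>`, here and in the cust_main-import_charges.cgi hunk that follows; drop them. `agentnum`, `refnum` and `pkgpart` are passed straight from the request with `scalar(...)` but without the `/^(\d+)$/` untaint applied elsewhere in this commit; if `FS::cust_main::batch_import` does not validate them itself (not visible here), the check belongs before the call. Nothing here ties the submitted agentnum to the agents the current user may act for, if the ACL model makes that distinction.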
@@ -1,30 +1,23 @@ -% -% -%  my $fh = $cgi->upload('csvfile'); -%  #warn $cgi; -%  #warn $fh; -% -%  my $error = defined($fh) -%    ? FS::cust_main::batch_charge( { -%        filehandle => $fh, -%        'fields'    => [qw( custnum amount pkg )], -%      } ) -%    : 'No file'; -% -%  if ( $error ) { -%     - -    <!-- mason kludge --> -% -% errorpage($error); -%#    $cgi->param('error', $error); -%#    print $cgi->redirect( "${p}cust_main-import_charges.cgi +% if ( $error ) { +%   errorpage($error);  %  } else { -%     - -    <!-- mason kludge --> -    <% include("/elements/header.html",'Import successful') %>  -% +     <% include('/elements/header.html','Import successful') %>  +     <% include('/elements/footer.html') %>   %  } -% +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Import'); + +my $fh = $cgi->upload('csvfile'); +#warn $cgi; +#warn $fh; + +my $error = defined($fh) +  ? FS::cust_main::batch_charge( { +      filehandle => $fh, +      'fields'    => [qw( custnum amount pkg )], +    } ) +  : 'No file'; +</%init> diff --git a/httemplate/misc/process/delete-customer.cgi b/httemplate/misc/process/delete-customer.cgi index d0d237ee8..d509a5e0e 100755 --- a/httemplate/misc/process/delete-customer.cgi +++ b/httemplate/misc/process/delete-customer.cgi 
@@ -1,30 +1,33 @@ -% -% -%my $conf = new FS::Conf; -%die "Customer deletions not enabled" unless $conf->exists('deletecustomers'); -% -%$cgi->param('custnum') =~ /^(\d+)$/; -%my $custnum = $1; -%my $new_custnum; -%if ( $cgi->param('new_custnum') ) { -%  $cgi->param('new_custnum') =~ /^(\d+)$/ -%    or die "Illegal new customer number: ". $cgi->param('new_custnum'); -%  $new_custnum = $1; -%} else { -%  $new_custnum = ''; -%} -%my $cust_main = qsearchs( 'cust_main', { 'custnum' => $custnum } ) -%  or die "Customer not found: $custnum"; -% -%my $error = $cust_main->delete($new_custnum); -%  %if ( $error ) {  %  $cgi->param('error', $error); -%  print $cgi->redirect(popurl(2). "delete-customer.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "delete-customer.cgi?". $cgi->query_string ) %>  %} elsif ( $new_custnum ) { -%  print $cgi->redirect(popurl(3). "view/cust_main.cgi?$new_custnum"); +<% $cgi->redirect(popurl(3). "view/cust_main.cgi?$new_custnum") %>  %} else { -%  print $cgi->redirect(popurl(3)); +<% $cgi->redirect(popurl(3)) %>  %} -% +<%init> + +my $conf = new FS::Conf; +die "Customer deletions not enabled in configuration" +  unless $conf->exists('deletecustomers'); + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Delete customer'); + +$cgi->param('custnum') =~ /^(\d+)$/; +my $custnum = $1; +my $new_custnum; +if ( $cgi->param('new_custnum') ) { +  $cgi->param('new_custnum') =~ /^(\d+)$/ +    or die "Illegal new customer number: ". $cgi->param('new_custnum'); +  $new_custnum = $1; +} else { +  $new_custnum = ''; +} +my $cust_main = qsearchs( 'cust_main', { 'custnum' => $custnum } ) +  or die "Customer not found: $custnum"; + +my $error = $cust_main->delete($new_custnum); +</%init> diff --git a/httemplate/misc/process/inventory_item-import.html b/httemplate/misc/process/inventory_item-import.html index 51337529f..3aae202c7 100644 --- a/httemplate/misc/process/inventory_item-import.html 
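Review bot: `$cgi->param('custnum') =~ /^(\d+)$/;` followed by `my $custnum = $1;` has no failure branch, so a non-numeric custnum leaves `$1` undefined and the error surfaces later as "Customer not found: "; the `new_custnum` branch a few lines down already uses `or die`, so write `$cgi->param('custnum') =~ /^(\d+)$/ or die "Illegal custnum";`. The three untaint lines at the top of the process/link.cgi `<%init>` further down (`pkgnum`, `svcpart`, `svcnum`) have the same omission.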
+++ b/httemplate/misc/process/inventory_item-import.html @@ -1,31 +1,22 @@ -% -% -%  my $fh = $cgi->upload('filename'); -% -%  my $error = defined($fh) -%    ? FS::inventory_item::batch_import( { -%        'filehandle' => $fh, -%        'classnum'   => $cgi->param('classnum'), -%      } ) -%    : 'No file'; -% -%  if ( $error ) { -%     - -    <!-- mason kludge --> -% -% errorpage($error); -%#    $cgi->param('error', $error); -%#    print $cgi->redirect( "${p}cust_main-import.cgi -%  } else { -%     - -    <!-- mason kludge --> +% if ( $error ) { +%   errorpage($error); +% } else {      <% include("/elements/header.html",'Import successful') %>      <!-- XXX redirect to batch search like the payment entry... -->      <% include("/elements/footer.html",'Import successful') %>  -%  %  } -% +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Import'); + +my $fh = $cgi->upload('filename'); +my $error = defined($fh) +  ? FS::inventory_item::batch_import( { +      'filehandle' => $fh, +      'classnum'   => $cgi->param('classnum'), +    } ) +  : 'No file'; +</%init> diff --git a/httemplate/misc/process/link.cgi b/httemplate/misc/process/link.cgi index 66f4ee11d..960326747 100755 --- a/httemplate/misc/process/link.cgi +++ b/httemplate/misc/process/link.cgi 
@@ -1,76 +1,72 @@ -% -% -%my $DEBUG = 0; -% -%$cgi->param('pkgnum') =~ /^(\d+)$/; -%my $pkgnum = $1; -%$cgi->param('svcpart') =~ /^(\d+)$/; -%my $svcpart = $1; -%$cgi->param('svcnum') =~ /^(\d*)$/; -%my $svcnum = $1; -% -%unless ( $svcnum ) { -%  my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart}); -%  my $svcdb = $part_svc->getfield('svcdb'); -%  $cgi->param('link_field') =~ /^(\w+)$/; -%  my $link_field = $1; -%  my %search = ( $link_field => $cgi->param('link_value') ); -%  if ( $cgi->param('link_field2') =~ /^(\w+)$/ ) { -%    $search{$1} = $cgi->param('link_value2'); -%  } -% -%  my @svc_x = ( sort { ($a->cust_svc->pkgnum > 0) <=> ($b->cust_svc->pkgnum > 0) -%                       or ($b->cust_svc->svcpart == $svcpart) -%                            <=> ($a->cust_svc->svcpart == $svcpart) -%                     } -%                     qsearch( $svcdb, \%search ) -%              ); -% -%  if ( $DEBUG ) { -%    warn scalar(@svc_x). " candidate accounts found for linking ". -%         "(svcpart $svcpart):\n"; -%    foreach my $svc_x ( @svc_x ) { -%      warn "  ". $svc_x->email. -%           " (svcnum ". $svc_x->svcnum. ",". -%           " pkgnum ".  $svc_x->cust_svc->pkgnum. ",". -%           " svcpart ". $svc_x->cust_svc->svcpart. ")\n"; -%    } -%  } -% -%  my $svc_x = $svc_x[0]; -% -%  errorpage("$link_field not found!") unless $svc_x; -% -%  $svcnum = $svc_x->svcnum; -% -%} -% -%my $old = qsearchs('cust_svc',{'svcnum'=>$svcnum}); -%die "svcnum not found!" unless $old; -%my $conf = new FS::Conf; -%my($error, $new); -%if ( $old->pkgnum && ! $conf->exists('legacy_link-steal') ) { -%  $error = "svcnum $svcnum already linked to package ". $old->pkgnum; -%} else { -%  $new = new FS::cust_svc { $old->hash }; -%  $new->pkgnum($pkgnum); -%  $new->svcpart($svcpart); -% -%  $error = $new->replace($old); -%} -%  %unless ($error) {  %  #no errors, so let's view this customer.  %  my $custnum = $new->cust_pkg->custnum; -%  print $cgi->redirect(popurl(3). 
"view/cust_main.cgi?$custnum". -%                       "#cust_pkg$pkgnum" ); +<% $cgi->redirect(popurl(3). "view/cust_main.cgi?<%$custnum%>#cust_pkg<%$pkgnum%>" ) %>  %} else { -% - -<!-- mason kludge --> -%  % errorpage($error);  %} -% -% +<%init> + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('View/link unlinked services'); + +my $DEBUG = 0; + +$cgi->param('pkgnum') =~ /^(\d+)$/; +my $pkgnum = $1; +$cgi->param('svcpart') =~ /^(\d+)$/; +my $svcpart = $1; +$cgi->param('svcnum') =~ /^(\d*)$/; +my $svcnum = $1; + +unless ( $svcnum ) { +  my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart}); +  my $svcdb = $part_svc->getfield('svcdb'); +  $cgi->param('link_field') =~ /^(\w+)$/; +  my $link_field = $1; +  my %search = ( $link_field => $cgi->param('link_value') ); +  if ( $cgi->param('link_field2') =~ /^(\w+)$/ ) { +    $search{$1} = $cgi->param('link_value2'); +  } + +  my @svc_x = ( sort { ($a->cust_svc->pkgnum > 0) <=> ($b->cust_svc->pkgnum > 0) +                       or ($b->cust_svc->svcpart == $svcpart) +                            <=> ($a->cust_svc->svcpart == $svcpart) +                     } +                     qsearch( $svcdb, \%search ) +              ); + +  if ( $DEBUG ) { +    warn scalar(@svc_x). " candidate accounts found for linking ". +         "(svcpart $svcpart):\n"; +    foreach my $svc_x ( @svc_x ) { +      warn "  ". $svc_x->email. +           " (svcnum ". $svc_x->svcnum. ",". +           " pkgnum ".  $svc_x->cust_svc->pkgnum. ",". +           " svcpart ". $svc_x->cust_svc->svcpart. ")\n"; +    } +  } + +  my $svc_x = $svc_x[0]; + +  errorpage("$link_field not found!") unless $svc_x; + +  $svcnum = $svc_x->svcnum; + +} + +my $old = qsearchs('cust_svc',{'svcnum'=>$svcnum}); +die "svcnum not found!" unless $old; +my $conf = new FS::Conf; +my($error, $new); +if ( $old->pkgnum && ! $conf->exists('legacy_link-steal') ) { +  $error = "svcnum $svcnum already linked to package ". 
$old->pkgnum; +} else { +  $new = new FS::cust_svc { $old->hash }; +  $new->pkgnum($pkgnum); +  $new->svcpart($svcpart); + +  $error = $new->replace($old); +} +</%init> diff --git a/httemplate/misc/process/meta-import.cgi b/httemplate/misc/process/meta-import.cgi index 1cf178c08..68ae49c60 100644 --- a/httemplate/misc/process/meta-import.cgi +++ b/httemplate/misc/process/meta-import.cgi @@ -1,4 +1,3 @@ -<!-- mason kludge -->  <% include("/elements/header.html",'Map tables') %>  <SCRIPT> @@ -183,5 +182,9 @@ function SafeOnsubmit() {  %  %  <%init> -die "meta-import script not currently enabled"; #make XSS-safe if this is used for more than just admins to import data.... + +#there's no ACL for this...  haven't used in ages +#make XSS-safe if this is used for more than just admins to import data.... +die 'meta-import not enabled; remove this if you want to use it'; +  </%init> diff --git a/httemplate/misc/process/payment.cgi b/httemplate/misc/process/payment.cgi index 889670d12..2baca1e39 100644 --- a/httemplate/misc/process/payment.cgi +++ b/httemplate/misc/process/payment.cgi @@ -15,6 +15,9 @@  % }  <%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Process payment'); +  #some false laziness w/MyAccount::process_payment  $cgi->param('custnum') =~ /^(\d+)$/ diff --git a/httemplate/misc/process/recharge_svc.html b/httemplate/misc/process/recharge_svc.html index e540c385c..147b9533a 100755 --- a/httemplate/misc/process/recharge_svc.html +++ b/httemplate/misc/process/recharge_svc.html 
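Review bot: `<% $cgi->redirect(popurl(3). "view/cust_main.cgi?<%$custnum%>#cust_pkg<%$pkgnum%>" ) %>` in process/link.cgi nests `<% %>` substitution tags inside the string of an outer substitution; Mason ends the outer tag at the first `%>`, so this does not compile as intended. The removed lines show the intended expression: `<% $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum#cust_pkg$pkgnum") %>`. The rest of the `<%init>` is a straight move of the removed body with the ACL check placed first, which is the right ordering.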
@@ -1,31 +1,3 @@ -% -% -%#untaint svcnum -%my $svcnum = $cgi->param('svcnum'); -%$svcnum =~ /^(\d+)$/ || die "Illegal svcnum"; -%$svcnum = $1; -% -%#untaint prepaid -%my $prepaid = $cgi->param('prepaid'); -%$prepaid =~ /^(\w*)$/; -%$prepaid = $1; - -%#untaint payby -%my $payby = $cgi->param('payby'); -%$payby =~ /^([A-Z]*)$/; -%$payby = $1; -% -%my $error = ''; -%my $svc_acct = qsearchs( 'svc_acct', {'svcnum'=>$svcnum} ); -%$error = "Can't recharge service $svcnum. " unless $svc_acct; -% -%my $cust_main = $svc_acct->cust_svc->cust_pkg->cust_main; -% -%my $oldAutoCommit = $FS::UID::AutoCommit; -%local $FS::UID::AutoCommit = 0; -%my $dbh = dbh; -% -%  %unless ($error) {  %  %  my ($amount, $seconds, $up, $down, $total) = (0, 0, 0, 0, 0); @@ -86,5 +58,35 @@    </SCRIPT>    </BODY></HTML>  <%init> +  my $conf = new FS::Conf; + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Recharge customer service'); + +#untaint svcnum +my $svcnum = $cgi->param('svcnum'); +$svcnum =~ /^(\d+)$/ || die "Illegal svcnum"; +$svcnum = $1; + +#untaint prepaid +my $prepaid = $cgi->param('prepaid'); +$prepaid =~ /^(\w*)$/; +$prepaid = $1; + +#untaint payby +my $payby = $cgi->param('payby'); +$payby =~ /^([A-Z]*)$/; +$payby = $1; + +my $error = ''; +my $svc_acct = qsearchs( 'svc_acct', {'svcnum'=>$svcnum} ); +$error = "Can't recharge service $svcnum. " unless $svc_acct; + +my $cust_main = $svc_acct->cust_svc->cust_pkg->cust_main; + +my $oldAutoCommit = $FS::UID::AutoCommit; +local $FS::UID::AutoCommit = 0; +my $dbh = dbh; +  </%init> diff --git a/httemplate/misc/queue.cgi b/httemplate/misc/queue.cgi index 7370aabe1..5dee29b88 100644 --- a/httemplate/misc/queue.cgi +++ b/httemplate/misc/queue.cgi 
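Review bot: `$error = "Can't recharge service $svcnum. " unless $svc_acct;` is followed unconditionally by `my $cust_main = $svc_acct->cust_svc->cust_pkg->cust_main;`, so when the lookup fails the component dies on a method call on undef and the `$error` path in the body is never reached. Either guard that line or replace the assignment with `die "Can't recharge service $svcnum" unless $svc_acct;`. `local $FS::UID::AutoCommit = 0;` now lives in `<%init>`, which still scopes it to the component call, but a comment noting that the body is responsible for the commit would help the next reader; the body that does so is outside this hunk.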
@@ -1,48 +1,49 @@ -% -% -%$cgi->param('action') =~ /^(new|del|(retry|remove) selected)$/ -%  or die "Illegal action"; -%my $action = $1; -% -%my $job; -%if ( $action eq 'new' || $action eq 'del' ) { -%  $cgi->param('jobnum') =~ /^(\d+)$/ or die "Illegal jobnum"; -%  my $jobnum = $1; -%  $job = qsearchs('queue', { 'jobnum' => $1 }) -%    or die "unknown jobnum $jobnum - ". -%           "it probably completed normally or was removed by another user"; -%} -% -%if ( $action eq 'new' ) { -%  my %hash = $job->hash; -%  $hash{'status'} = 'new'; -%  $hash{'statustext'} = ''; -%  my $new = new FS::queue \%hash; -%  my $error = $new->replace($job); -%  die $error if $error; -%} elsif ( $action eq 'del' ) { -%  my $error = $job->delete; -%  die $error if $error; -%} elsif ( $action =~ /^(retry|remove) selected$/ ) { -%  foreach my $jobnum ( -%    map { /^jobnum(\d+)$/; $1; } grep /^jobnum\d+$/, $cgi->param -%  ) { -%    my $job = qsearchs('queue', { 'jobnum' => $jobnum }); -%    if ( $action eq 'retry selected' && $job ) { #new -%      my %hash = $job->hash; -%      $hash{'status'} = 'new'; -%      $hash{'statustext'} = ''; -%      my $new = new FS::queue \%hash; -%      my $error = $new->replace($job); -%      die $error if $error; -%    } elsif ( $action eq 'remove selected' && $job ) { #del -%      my $error = $job->delete; -%      die $error if $error; -%    } -%  } -%} -% -%print $cgi->redirect(popurl(2). "search/queue.html"); -% -% +<% $cgi->redirect(popurl(2). "search/queue.html") %> +<%init> +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Job queue'); + +$cgi->param('action') =~ /^(new|del|(retry|remove) selected)$/ +  or die "Illegal action"; +my $action = $1; + +my $job; +if ( $action eq 'new' || $action eq 'del' ) { +  $cgi->param('jobnum') =~ /^(\d+)$/ or die "Illegal jobnum"; +  my $jobnum = $1; +  $job = qsearchs('queue', { 'jobnum' => $1 }) +    or die "unknown jobnum $jobnum - ". 
+           "it probably completed normally or was removed by another user"; +} + +if ( $action eq 'new' ) { +  my %hash = $job->hash; +  $hash{'status'} = 'new'; +  $hash{'statustext'} = ''; +  my $new = new FS::queue \%hash; +  my $error = $new->replace($job); +  die $error if $error; +} elsif ( $action eq 'del' ) { +  my $error = $job->delete; +  die $error if $error; +} elsif ( $action =~ /^(retry|remove) selected$/ ) { +  foreach my $jobnum ( +    map { /^jobnum(\d+)$/; $1; } grep /^jobnum\d+$/, $cgi->param +  ) { +    my $job = qsearchs('queue', { 'jobnum' => $jobnum }); +    if ( $action eq 'retry selected' && $job ) { #new +      my %hash = $job->hash; +      $hash{'status'} = 'new'; +      $hash{'statustext'} = ''; +      my $new = new FS::queue \%hash; +      my $error = $new->replace($job); +      die $error if $error; +    } elsif ( $action eq 'remove selected' && $job ) { #del +      my $error = $job->delete; +      die $error if $error; +    } +  } +} + +</%init> diff --git a/httemplate/misc/recharge_svc.html b/httemplate/misc/recharge_svc.html index a3de13d92..2302f3fd3 100755 --- a/httemplate/misc/recharge_svc.html +++ b/httemplate/misc/recharge_svc.html @@ -28,7 +28,7 @@  </TR>  <TR>    <TD>Enter prepaid card: </TD> -  <TD><INPUT TYPE="text" NAME="prepaid" VALUE="<% $prepaid %>" <% $payby eq "PREP" ? '' : 'disabled' %>></TD> +  <TD><INPUT TYPE="text" NAME="prepaid" VALUE="<% $prepaid |h %>" <% $payby eq "PREP" ? '' : 'disabled' %>></TD>  </TR>  </TABLE> 
@@ -37,35 +37,42 @@  <INPUT TYPE="submit" NAME="submit" VALUE="Recharge">  </FORM> -</BODY> -</HTML> + +<% include('/elements/footer.html');  <%once> +  my $conf = new FS::Conf;  my $money_char = $conf->config('money_char') || '$'; +  </%once>  <%init> -my($svcnum, $cust_svc, $part_pkg, $label, $value, $prepaid, $amount, $payby);  + +die "access denied" +  unless $FS::CurrentUser::CurrentUser->access_right('Recharge customer service'); + +my($svcnum, $prepaid, $payby);   if ( $cgi->param('error') ) {    $svcnum        = $cgi->param('svcnum');    $prepaid       = $cgi->param('prepaid');    $payby         = $cgi->param('payby');  } elsif ( $cgi->param('svcnum') =~ /^(\d+)$/ ) {    $svcnum  = $1; +  $prepaid = '';  } else {    die "illegal query ". $cgi->keywords;  }  my $title = 'Recharge Service'; -$cust_svc = qsearchs('cust_svc', {'svcnum' => $svcnum}); +my $cust_svc = qsearchs('cust_svc', {'svcnum' => $svcnum});  die "No such service: $svcnum" unless $cust_svc; -($label, $value) = $cust_svc->label; +my($label, $value) = $cust_svc->label;  $payby = $cust_svc->cust_pkg->cust_main->payby unless $payby; -$part_pkg = $cust_svc->cust_pkg->part_pkg; -$amount = $part_pkg->option('recharge_amount', 1) || 0; +my $part_pkg = $cust_svc->cust_pkg->part_pkg; +my $amount = $part_pkg->option('recharge_amount', 1) || 0;  my $recharge_label = "Charge $money_char$amount for "; diff --git a/httemplate/misc/svc_acct-domains.cgi b/httemplate/misc/svc_acct-domains.cgi index a49a02305..573457483 100644 --- a/httemplate/misc/svc_acct-domains.cgi +++ b/httemplate/misc/svc_acct-domains.cgi 
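Review bot: The added `<% include('/elements/footer.html');` line has no closing `%>`, so Mason cannot compile this component as committed; it should read `<% include('/elements/footer.html') %>` as in the other files of this commit. In the `<%init>` block the `$cgi->param('error')` branch copies `svcnum` straight from the request while the other branch insists on `/^(\d+)$/`; since the value feeds `qsearchs` and the `die "No such service: $svcnum"` message, apply the same check in both branches, e.g. `$cgi->param('svcnum') =~ /^(\d+)$/ or die "illegal svcnum"; $svcnum = $1;`. The init block continues past the end of the hunk.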
@@ -1,31 +1,31 @@
-%
-%
-%  my $pkgpart_svcpart = $cgi->param('arg');
-%  $pkgpart_svcpart =~ /^\d+_(\d+)$/;
-%  my $part_svc = qsearchs('part_svc', { 'svcpart' => $1 }) if $1;
-%  my $part_svc_column = $part_svc->part_svc_column('domsvc') if $part_svc;
-%
-%  my @output = split /,/, $part_svc_column->columnvalue if $part_svc_column;
-%  my $columnflag = $part_svc_column->columnflag if $part_svc_column;
-%  my @svc_domain = ();
-%  my %seen = ();
-%  
-%  foreach (@output) {
-%    my $svc_domain = qsearchs('svc_domain', { 'svcnum' => $_ })
-%      or warn "unknown svc_domain.svcnum $_ for part_svc_column domsvc; ".
-%         "svcpart = " . $part_svc->svcpart;
-%    push @svc_domain, [ $_ => $svc_domain->domain ];
-%    $seen{$_}++;
-%  }
-%  if ($conf->exists('svc_acct-alldomains')
-%       && ( $columnflag eq 'D' || $columnflag eq '' )
-%     ) {
-%    foreach (grep { $_->svcnum ne $output[0] } qsearch('svc_domain', {}) ){
-%      push @svc_domain, [ $_->svcnum => $_->domain ];
-%    }
-%  }
-%
 [ <% join(', ', map { qq("$_->[0]", "$_->[1]") } @svc_domain) %> ]
 <%init>
+
 my $conf = new FS::Conf;
+
+my $pkgpart_svcpart = $cgi->param('arg');
+$pkgpart_svcpart =~ /^\d+_(\d+)$/;
+my $part_svc = qsearchs('part_svc', { 'svcpart' => $1 }) if $1;
+my $part_svc_column = $part_svc->part_svc_column('domsvc') if $part_svc;
+
+my @output = split /,/, $part_svc_column->columnvalue if $part_svc_column;
+my $columnflag = $part_svc_column->columnflag if $part_svc_column;
+my @svc_domain = ();
+my %seen = ();
+
+foreach (@output) {
+  my $svc_domain = qsearchs('svc_domain', { 'svcnum' => $_ })
+    or warn "unknown svc_domain.svcnum $_ for part_svc_column domsvc; ".
+       "svcpart = " . $part_svc->svcpart;
+  push @svc_domain, [ $_ => $svc_domain->domain ];
+  $seen{$_}++;
+}
+if ($conf->exists('svc_acct-alldomains')
+     && ( $columnflag eq 'D' || $columnflag eq '' )
+   ) {
+  foreach (grep { $_->svcnum ne $output[0] } qsearch('svc_domain', {}) ){
+    push @svc_domain, [ $_->svcnum => $_->domain ];
+  }
+}
+
 </%init>
diff --git a/httemplate/misc/unapply-cust_credit.cgi b/httemplate/misc/unapply-cust_credit.cgi
index f8fa63268..ed739ac1b 100755
--- a/httemplate/misc/unapply-cust_credit.cgi
+++ b/httemplate/misc/unapply-cust_credit.cgi
@@ -1,19 +1,20 @@
-%
-%
-%#untaint crednum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal crednum";
-%my $crednum = $1;
-%
-%my $cust_credit = qsearchs('cust_credit', { 'crednum' => $crednum } );
-%my $custnum = $cust_credit->custnum;
-%
-%foreach my $cust_credit_bill ( $cust_credit->cust_credit_bill ) {
-%  my $error = $cust_credit_bill->delete;
-%  errorpage($error) if $error;
-%}
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+<%init>
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unapply credit');
+
+#untaint crednum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal crednum";
+my $crednum = $1;
+
+my $cust_credit = qsearchs('cust_credit', { 'crednum' => $crednum } );
+my $custnum = $cust_credit->custnum;
+
+foreach my $cust_credit_bill ( $cust_credit->cust_credit_bill ) {
+  my $error = $cust_credit_bill->delete;
+  errorpage($error) if $error;
+}
+
+</%init>
diff --git a/httemplate/misc/unapply-cust_pay.cgi b/httemplate/misc/unapply-cust_pay.cgi
index 6bd6c07ee..8cdac180b 100755
--- a/httemplate/misc/unapply-cust_pay.cgi
+++ b/httemplate/misc/unapply-cust_pay.cgi
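Review bot: In the new init block, `my $svc_domain = qsearchs(...) or warn "..."` falls through to `$svc_domain->domain` when the lookup returns nothing, so a stale svcnum in the column value turns the warning into a fatal method-on-undef error for the whole component; use `or do { warn "..."; next }` so the bad entry is skipped. `my $part_svc = qsearchs(...) if $1;` relies on `$1` after a possibly failed match — a non-matching `arg` leaves `$1` holding whatever matched earlier — and `my ... if COND` is the idiom perl documents as undefined; prefer `my ($svcpart) = $pkgpart_svcpart =~ /^\d+_(\d+)$/;` and test `$svcpart`. Unlike the sibling components in this commit, no `access_right` check is added here; if that is intentional for this lookup helper, a one-line comment in the init block saying so would save the next reader from re-asking. The emitted list `[ <% join(...) %> ]` interpolates domain names without escaping, which is only safe as long as svc_domain.domain cannot contain a `"`.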
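Review bot: `my $custnum = $cust_credit->custnum;` dereferences the `qsearchs` result without checking it, so an unknown crednum dies with a generic method-on-undef error instead of a message; add `die "unknown crednum $crednum" unless $cust_credit;` after the lookup. The same unchecked-lookup shape appears in unapply-cust_pay.cgi, unsusp_pkg.cgi, unvoid-cust_pay_void.cgi and void-cust_pay.cgi in this commit; in void-cust_pay.cgi it additionally runs before the `access_right($right)` check, since the right is chosen from `$cust_pay->payby`. Also, `errorpage($error) if $error;` inside the loop does not leave the init block, so unless errorpage aborts the request a failed delete is followed by the remaining deletes and then by the redirect; the `%if ( $error ) { ... } else { redirect }` shape used in unsusp_pkg.cgi in this commit would make the outcome explicit here.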
@@ -1,19 +1,20 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } );
-%my $custnum = $cust_pay->custnum;
-%
-%foreach my $cust_bill_pay ( $cust_pay->cust_bill_pay ) {
-%  my $error = $cust_bill_pay->delete;
-%  errorpage($error) if $error;
-%}
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+<%init>
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unapply payment');
+
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
+
+my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } );
+my $custnum = $cust_pay->custnum;
+
+foreach my $cust_bill_pay ( $cust_pay->cust_bill_pay ) {
+  my $error = $cust_bill_pay->delete;
+  errorpage($error) if $error;
+}
+
+</%init>
diff --git a/httemplate/misc/unprovision.cgi b/httemplate/misc/unprovision.cgi
index b5e510695..4ab15fdc0 100755
--- a/httemplate/misc/unprovision.cgi
+++ b/httemplate/misc/unprovision.cgi
@@ -1,31 +1,26 @@
-%
-%
-%my $dbh = dbh;
-% 
-%#untaint svcnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/;
-%my $svcnum = $1;
-%
-%#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum});
-%#die "Unknown svcnum!" unless $svc_acct;
-%
-%my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum});
-%die "Unknown svcnum!" unless $cust_svc;
-%
-%my $custnum = $cust_svc->cust_pkg->custnum;
-%
-%my $error = $cust_svc->cancel;
-%
 %if ( $error ) {
-%  
-
-<!-- mason kludge -->
-%
 %  errorpage($error);
 %} else {
-%  print $cgi->redirect(popurl(2)."view/cust_main.cgi?$custnum");
+<% $cgi->redirect(popurl(2)."view/cust_main.cgi?$custnum") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unprovision customer service');
+
+#untaint svcnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/;
+my $svcnum = $1;
+
+#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum});
+#die "Unknown svcnum!" unless $svc_acct;
+
+my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum});
+die "Unknown svcnum!" unless $cust_svc;
+
+my $custnum = $cust_svc->cust_pkg->custnum;
+
+my $error = $cust_svc->cancel;
+</%init>
diff --git a/httemplate/misc/unsusp_pkg.cgi b/httemplate/misc/unsusp_pkg.cgi
index 80188c668..b350693dd 100755
--- a/httemplate/misc/unsusp_pkg.cgi
+++ b/httemplate/misc/unsusp_pkg.cgi
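Review bot: `$query =~ /^(\d+)$/;` in the new init block has no failure branch, so a non-numeric query leaves `$svcnum` undefined (or holding an earlier capture) and the problem only surfaces later as "Unknown svcnum!"; the sibling components in this commit use `|| die "Illegal ..."`, so `$query =~ /^(\d+)$/ or die "Illegal svcnum";` keeps them consistent and fails at the point of input validation.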
@@ -1,16 +1,20 @@
-%
-%
-%#untaint pkgnum
-%my ($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal pkgnum";
-%my $pkgnum = $1;
-%
-%my $cust_pkg = qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
-%
-%my $error = $cust_pkg->unsuspend;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect(popurl(2). "view/cust_main.cgi?".$cust_pkg->getfield('custnum'));
-%
-%
+%if ( $error ) {
+%  errorpage($error);
+%} else {
+<% $cgi->redirect(popurl(2). "view/cust_main.cgi?".$cust_pkg->getfield('custnum')) %>
+%}
+<%init>
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unsuspend customer package');
+
+#untaint pkgnum
+my ($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal pkgnum";
+my $pkgnum = $1;
+
+my $cust_pkg = qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
+
+my $error = $cust_pkg->unsuspend;
+
+</%init>
diff --git a/httemplate/misc/unvoid-cust_pay_void.cgi b/httemplate/misc/unvoid-cust_pay_void.cgi
index 625431a57..91fe1c223 100755
--- a/httemplate/misc/unvoid-cust_pay_void.cgi
+++ b/httemplate/misc/unvoid-cust_pay_void.cgi
@@ -1,17 +1,21 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay_void = qsearchs('cust_pay_void', { 'paynum' => $paynum } );
-%my $custnum = $cust_pay_void->custnum;
-%
-%my $error = $cust_pay_void->unvoid;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+%if ( $error ) {
+%  errorpage($error);
+%} else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+%}
+<%init>
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unvoid');
+
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
+
+my $cust_pay_void = qsearchs('cust_pay_void', { 'paynum' => $paynum } );
+my $custnum = $cust_pay_void->custnum;
+
+my $error = $cust_pay_void->unvoid;
+
+</%init>
diff --git a/httemplate/misc/upload-batch.cgi b/httemplate/misc/upload-batch.cgi
index 5a15008b0..d1a84fd02 100644
--- a/httemplate/misc/upload-batch.cgi
+++ b/httemplate/misc/upload-batch.cgi
@@ -1,17 +1,14 @@
-%  if ( $error ) {
-
-    <!-- mason kludge -->
-
-%    errorpage($error);
-%#    $cgi->param('error', $error);
-%#    print $cgi->redirect( "${p}cust_main-import.cgi
-%  } else {
-
-    <% include("/elements/header.html",'Batch results upload successful') %> 
-
-%  }
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+    <% include('/elements/header.html','Batch results upload successful') %> 
+    <% include('/elements/footer.html') %> 
+% }
 <%init>
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Process batches');
+
 my $error;
 my $fh = $cgi->upload('batch_results');
diff --git a/httemplate/misc/void-cust_pay.cgi b/httemplate/misc/void-cust_pay.cgi
index 972a1a5bd..7b484e93e 100755
--- a/httemplate/misc/void-cust_pay.cgi
+++ b/httemplate/misc/void-cust_pay.cgi
@@ -1,17 +1,26 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum});
-%my $custnum = $cust_pay->custnum;
-%
-%my $error = $cust_pay->void;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+%if ( $error ) {
+%  errorpage($error);
+%} else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+%}
+<%init>
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
+
+my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum});
+
+my $right = 'Regular void';
+$right = 'Credit card void' if $cust_pay->payby eq 'CARD';
+$right = 'Echeck void'      if $cust_pay->payby eq 'CHEK';
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right($right);
+
+my $custnum = $cust_pay->custnum;
+
+my $error = $cust_pay->void;
+
+</%init>
diff --git a/httemplate/misc/whois.cgi b/httemplate/misc/whois.cgi
index d3d9649fd..35d0eccc9 100644
--- a/httemplate/misc/whois.cgi
+++ b/httemplate/misc/whois.cgi
@@ -1,10 +1,3 @@
-%
-%  my $svcnum = $cgi->param('svcnum');
-%  my $custnum = $cgi->param('custnum');
-%  my $domain = $cgi->param('domain');
-%
-%
-
 <% include("/elements/header.html","Whois $domain", menubar(
   ( $custnum
     ? ( "View this customer (#$custnum)" => "${p}view/cust_main.cgi?$custnum",
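Review bot: The three-statement `$right` selection calls `$cust_pay->payby` twice and reads as control flow rather than as the policy table it is; a lookup keeps the mapping in one place: `my %right_for = ( CARD => 'Credit card void', CHEK => 'Echeck void' );` followed by `my $right = $right_for{ $cust_pay->payby } || 'Regular void';`. Because the right cannot be chosen until the record is loaded, the definedness check that the other components in this commit also lack belongs immediately after the `qsearchs` here, so that an unknown paynum is reported as such before any authorization decision is attempted.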
@@ -12,16 +5,23 @@
     : ()
   ),
   "View this domain (#$svcnum)" => "${p}view/svc_domain.cgi?$svcnum",
-  "Main menu" => $p,
 )) %>
-% my $whois = eval { whois($domain) };
-%   if ( $@ ) {
-%     ( $whois = $@ ) =~ s/ at \/.*Net\/Whois\/Raw\.pm line \d+.*$//s;
-%   } else {
-%     $whois =~ s/^\n+//;
-%   }
-%
 <PRE><% $whois %></PRE>
-</BODY>
-</HTML>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+my $svcnum = $cgi->param('svcnum');
+my $custnum = $cgi->param('custnum');
+my $domain = $cgi->param('domain');
+
+my $whois = eval { whois($domain) };
+  if ( $@ ) {
+    ( $whois = $@ ) =~ s/ at \/.*Net\/Whois\/Raw\.pm line \d+.*$//s;
+  } else {
+    $whois =~ s/^\n+//;
+  }
+
+</%init> |
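Review bot: `my $domain = $cgi->param('domain');` is handed to `whois()` and interpolated into the page title `"Whois $domain"` without any validation, and the result is rendered in `<PRE><% $whois %></PRE>` unescaped even though it is text returned by a third-party server; since this commit already introduces `|h` in recharge_svc.html, use `<PRE><% $whois |h %></PRE>` and constrain the parameter first, e.g. `$cgi->param('domain') =~ /^([\w.-]+)$/ or die "illegal domain"; my $domain = $1;`. The `if ( $@ )` block is indented two levels inside an otherwise flush-left init block, a leftover from the `%`-prefixed form, and should be dedented to match its neighbours. As in svc_acct-domains.cgi, no `access_right` check is added to this component; if that is deliberate, a comment in the init block saying so would make it clear it was not an oversight.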
