summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorivan <ivan>2008-01-17 04:23:21 +0000
committerivan <ivan>2008-01-17 04:23:21 +0000
commit9e9ec0df33198dee12cfe7dc6c84cd899834efc7 (patch)
tree54604f6b252143e670c5239eee7c0cb5de26ad32
parentb599898e39e2a882f959ccbd9e99061c69785c42 (diff)
fix ACLs to allow the limited "package editing" of customizing customer packages
Diffstat
-rwxr-xr-xhttemplate/edit/part_pkg.cgi10
-rwxr-xr-xhttemplate/edit/process/part_pkg.cgi12
2 files changed, 16 insertions, 6 deletions
diff --git a/httemplate/edit/part_pkg.cgi b/httemplate/edit/part_pkg.cgi
index 961b95f47..49f691bfd 100755
--- a/httemplate/edit/part_pkg.cgi
+++ b/httemplate/edit/part_pkg.cgi
@@ -240,6 +240,7 @@ Line-item revenue recognition
% delete $freq{$_} foreach grep { ! /^\d+$/ } keys %freq;
%}
%
+%#this should be replaced by /elements/selectlayers.html
%my $widget = new HTML::Widgets::SelectLayers(
% 'selected_layer' => $part_pkg->plan,
% 'options' => \%options,
@@ -360,9 +361,6 @@ Line-item revenue recognition
<% include('/elements/footer.html') %>
<%init>
-die "access denied"
- unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
-
if ( $cgi->param('clone') && $cgi->param('clone') =~ /^(\d+)$/ ) {
$cgi->param('clone', $1);
} else {
@@ -374,6 +372,12 @@ if ( $cgi->param('pkgnum') && $cgi->param('pkgnum') =~ /^(\d+)$/ ) {
$cgi->param('pkgnum', '');
}
+my $curuser = $FS::CurrentUser::CurrentUser;
+
+die "access denied"
+ unless $curuser->access_right('Configuration')
+ || ( $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') );
+
my ($query) = $cgi->keywords;
my $conf = new FS::Conf;
diff --git a/httemplate/edit/process/part_pkg.cgi b/httemplate/edit/process/part_pkg.cgi
index e3ba1b576..456a7bcd0 100755
--- a/httemplate/edit/process/part_pkg.cgi
+++ b/httemplate/edit/process/part_pkg.cgi
@@ -11,9 +11,6 @@
%}
<%init>
-die "access denied"
- unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
-
my $dbh = dbh;
my $conf = new FS::Conf;
@@ -69,6 +66,8 @@ my %pkg_svc = map { $_ => scalar($cgi->param("pkg_svc$_")) }
map { $_->svcpart }
qsearch('part_svc', {} );
+my $curuser = $FS::CurrentUser::CurrentUser;
+
my $custnum = '';
if ( $error ) {
@@ -80,12 +79,19 @@ if ( $error ) {
} elsif ( $pkgpart ) {
+ die "access denied"
+ unless $curuser->access_right('Configuration')
+
$error = $new->replace( $old,
pkg_svc => \%pkg_svc,
primary_svc => scalar($cgi->param('pkg_svc_primary')),
);
} else {
+ die "access denied"
+ unless $curuser->access_right('Configuration')
+ || ( $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') );
+
$error = $new->insert( pkg_svc => \%pkg_svc,
primary_svc => scalar($cgi->param('pkg_svc_primary')),
cust_pkg => $cgi->param('pkgnum'),
generated by cgit v1.2.1 (git 2.18.0) at 2025-06-27 09:26:55 +0000