authorivan <ivan>2006-06-19 11:25:14 +0000
committerivan <ivan>2006-06-19 11:25:14 +0000
commit41a6a1b1811e337be2fca47504ff9687b6b46cf8 (patch)
tree2b9708c1e681a39f3c75b6fd0fa90672ef7353bd /FS
parent6b12c14cc10503d6b0783e8ef71fe44d9a9b37b6 (diff)
ACLs, take three or four or something
Diffstat (limited to 'FS')
-rw-r--r--FS/FS/AccessRight.pm42
-rw-r--r--FS/FS/access_user.pm23
-rw-r--r--FS/FS/cust_main.pm18
3 files changed, 72 insertions, 11 deletions
diff --git a/FS/FS/AccessRight.pm b/FS/FS/AccessRight.pm
index 5229e1e65..f04779a07 100644
--- a/FS/FS/AccessRight.pm
+++ b/FS/FS/AccessRight.pm
@@ -84,10 +84,13 @@ assigned to users and/or groups.
#'View Customer | View tickets',
'Edit customer',
'Cancel customer',
- 'Delete customer',
+ 'Complimentary customer', #aka users-allow_comp
+ 'Delete customer', #aka. deletecustomers #Enable customer deletions. Be very careful! Deleting a customer will remove all traces that this customer ever existed! It should probably only be used when auditing a legacy database. Normally, you cancel all of a customers' packages if they cancel service.
'Order customer package',
+ 'One-time charge',
'Change customer package',
+ 'Bulk change customer packages',
'Edit customer package dates',
'Customize customer package',
'Suspend customer package',
@@ -95,14 +98,43 @@ assigned to users and/or groups.
'Cancel customer package immediately',
'Cancel customer package later',
- 'Provision service',
- 'Unprovision service',
- #legacy link stuff
+ 'Provision customer service',
+ 'Unprovision customer service',
+
+ 'View/link unlinked services', #not agent-virtualizable without more work
+
+ 'View invoices',
'Post payment',
+ 'Post payment batch',
+ 'Unapply payment', #aka. unapplypayments Enable "unapplication" of unclosed payments.
'Process payment',
+ 'Refund payment',
+
+ 'Delete payment', #aka. deletepayments - Enable deletion of unclosed payments. Be very careful! Only delete payments that were data-entry errors, not adjustments. Optionally specify one or more comma-separated email addresses to be notified when a payment is deleted.
+
'Post credit',
- #more financial stuff
+ #'Apply credit',
+ 'Unapply credit', #aka unapplycredits Enable "unapplication" of unclosed credits.
+ 'Delete credit', #aka. deletecredits Enable deletion of unclosed credits. Be very careful! Only delete credits that were data-entry errors, not adjustments. Optionally specify one or more comma-separated email addresses to be notified when a credit is deleted.
+
+ 'Credit card void', #aka. cc-void #Enable local-only voiding of echeck payments in addition to refunds against the payment gateway
+ 'Echeck void', #aka. echeck-void #Enable local-only voiding of echeck payments in addition to refunds against the payment gateway
+ 'Unvoid', #aka. unvoid #Enable unvoiding of voided payments
+
+ 'List customers',
+ #'List zip codes',
+ 'List invoices',
+ 'List packages',
+ 'List services',
+
+ 'Financial reports',
+
+ 'Job queue', # these are not currently agent-virtualized
+ 'Import', #
+ 'Export', #
+
+ 'Configuration', #none of the configuraiton is agent-virtualized either
);
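Review bot: The trailing comment on `'Credit card void'` describes echeck voiding, apparently copied from the `'Echeck void'` line below it; it should read `#aka. cc-void #Enable local-only voiding of credit card payments in addition to refunds against the payment gateway`. The comment on `'Configuration'` also misspells "configuration". Separately, this hunk renames `'Provision service'` and `'Unprovision service'`. Rights are matched by their literal name string (`AND rightname = ?` in the access_user.pm hunk), so any grants already stored under the old names would presumably stop matching and need a data migration.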
diff --git a/FS/FS/access_user.pm b/FS/FS/access_user.pm
index c95d02984..e3bf2cb9f 100644
--- a/FS/FS/access_user.pm
+++ b/FS/FS/access_user.pm
@@ -192,6 +192,29 @@ sub agentnums_sql {
' )';
}
+=item access_right
+
+Given a right name, returns true if this user has this right (currently via
+group membership, eventually also via user overrides).
+
+=cut
+
+sub access_right {
+ my( $self, $rightname ) = @_;
+ my $sth = dbh->prepare("
+ SELECT groupnum FROM access_usergroup
+ LEFT JOIN access_group USING ( groupnum )
+ LEFT JOIN access_right
+ ON ( access_group.groupnum = access_right.rightobjnum )
+ WHERE usernum = ?
+ AND righttype = 'FS::access_group'
+ AND rightname = ?
+ ") or die dbh->errstr;
+ $sth->execute($self->usernum, $rightname) or die $sth->errstr;
+ my $row = $sth->fetchrow_arrayref;
+ $row ? $row->[0] : '';
+}
+
=back
=head1 BUGS
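Review bot: Both `LEFT JOIN`s in `access_right` behave as inner joins, because the `WHERE` clause filters on `righttype` and `rightname`, which come from the joined `access_right` table; writing them as plain `JOIN` would state the intent of this authorization query more clearly. The POD says the method returns true, but the code returns the matching `groupnum` or `''`, so a sentence such as `Returns the groupnum of a group granting the right, or the empty string.` would be more precise. Only the first row is fetched and the handle is never finished; adding `$sth->finish;` before the return (or using `dbh->selectrow_arrayref`) would avoid leaving an active statement handle behind.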
diff --git a/FS/FS/cust_main.pm b/FS/FS/cust_main.pm
index 8956d5b26..511762e63 100644
--- a/FS/FS/cust_main.pm
+++ b/FS/FS/cust_main.pm
@@ -944,10 +944,13 @@ sub replace {
$old = qsearchs( 'cust_main', { 'custnum' => $self->custnum } );
}
- if ( $self->payby eq 'COMP' && $self->payby ne $old->payby
- && $conf->config('users-allow_comp') ) {
- return "You are not permitted to create complimentary accounts."
- unless grep { $_ eq getotaker } $conf->config('users-allow_comp');
+ my $curuser = $FS::CurrentUser::CurrentUser;
+ if ( $self->payby eq 'COMP'
+ && $self->payby ne $old->payby
+ && ! $curuser->access_right('Complimentary customer')
+ )
+ {
+ return "You are not permitted to create complimentary accounts.";
}
local($ignore_expired_card) = 1
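Review bot: `$curuser->access_right(...)` is called without checking that `$FS::CurrentUser::CurrentUser` is set, so if `replace` is ever reached from a context with no logged-in user (a batch job or daemon, which this hunk does not show) the method call on undef would die instead of returning the error string. A guard that fails closed keeps the existing message: `&& ! ( $curuser && $curuser->access_right('Complimentary customer') )`. The same applies to the `check` hunk further down. Note also that the old code enforced the restriction only when `users-allow_comp` was configured, while the new code denies by default, so installations that never set that option will need the right granted explicitly; that deserves a line in the upgrade notes. The body of `replace` starts and ends outside this hunk.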
@@ -1302,9 +1305,12 @@ sub check {
} elsif ( $self->payby eq 'COMP' ) {
- if ( !$self->custnum && $conf->config('users-allow_comp') ) {
+ my $curuser = $FS::CurrentUser::CurrentUser;
+ if ( ! $self->custnum
+ && ! $curuser->access_right('Complimentary customer')
+ )
+ {
return "You are not permitted to create complimentary accounts."
- unless grep { $_ eq getotaker } $conf->config('users-allow_comp');
}
$error = $self->ut_textn('payinfo');
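Review bot: With the `unless grep ...` modifier removed, the `return "You are not permitted to create complimentary accounts."` line in `check` is left without a terminating semicolon. That is legal as the last statement in the block, but it is inconsistent with the matching `return ...;` in the `replace` hunk and easy to break when a statement is added after it. The same current-user lookup and right name are now spelled out in both places, so a small private helper holding the `'Complimentary customer'` check would keep the two call sites from drifting apart. The body of `check` starts and ends outside this hunk.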