C is for Cookie^WControl

author: ivan <ivan> 2007-02-05 12:51:05 +0000
committer: ivan <ivan> 2007-02-05 12:51:05 +0000
commit: 17856ff5c299e4db21da28116f2666655c03f2c7 (patch)
tree: 0311558e18ed2b79765658a334d656330207c33b /httemplate/view/cust_bill-ps.cgi
parent: 8b3782a95dcbc9fe5311b0522416791055a32f4d (diff)
1 files changed, 23 insertions, 13 deletions
diff --git a/httemplate/view/cust_bill-ps.cgi b/httemplate/view/cust_bill-ps.cgi
index f838e1b17..5313dbf02 100755
--- a/httemplate/view/cust_bill-ps.cgi
+++ b/httemplate/view/cust_bill-ps.cgi
@@ -1,14 +1,24 @@
-%
-%
-%#untaint invnum
-%my($query) = $cgi->keywords;
-%$query =~ /^((.+)-)?(\d+)$/;
-%my $templatename = $2;
-%my $invnum = $3;
-%
-%my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
-%die "Invoice #$invnum not found!" unless $cust_bill;
-%
-%http_header('Content-Type' => 'application/postscript' );
-%
 <% $cust_bill->print_ps( '', $templatename) %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('View invoices');
+
+#untaint invnum
+my($query) = $cgi->keywords;
+$query =~ /^((.+)-)?(\d+)$/;
+my $templatename = $2;
+my $invnum = $3;
+
+my $cust_bill = qsearchs({
+  'select'    => 'cust_bill.*',
+  'table'     => 'cust_bill',
+  'addl_from' => 'LEFT JOIN cust_main USING ( custnum )',
+  'hashref'   => { 'invnum' => $invnum },
+  'extra_sql' => ' AND '. $FS::CurrentUser::CurrentUser->agentnums_sql,
+});
+die "Invoice #$invnum not found!" unless $cust_bill;
+
+http_header('Content-Type' => 'application/postscript' );
+
+</%init>
author	ivan <ivan>	2007-02-05 12:51:05 +0000
committer	ivan <ivan>	2007-02-05 12:51:05 +0000
commit	17856ff5c299e4db21da28116f2666655c03f2c7 (patch)
tree	0311558e18ed2b79765658a334d656330207c33b /httemplate/view/cust_bill-ps.cgi
parent	8b3782a95dcbc9fe5311b0522416791055a32f4d (diff)