Add access right to view attachments

2 files changed, 5 insertions, 3 deletions

diff --git a/httemplate/view/cust_main.cgi b/httemplate/view/cust_main.cgi
index 314207bb0..6e024132b 100755
--- a/httemplate/view/cust_main.cgi
+++ b/httemplate/view/cust_main.cgi
@@ -153,16 +153,18 @@ Comments
           )
 %>
 % }
+% if( $curuser->access_right('View attachments') ) {
 <% include('cust_main/attachments.html', 'custnum' => $cust_main->custnum ) %>
-% if($cgi->param('show_deleted')) {
+%   if ($cgi->param('show_deleted')) {
 <A HREF="<% $p.'view/cust_main.cgi?custnum=' . $cust_main->custnum .
            ($view ? ";show=$view" : '') . '#notes' 
            %>"><I>(Show active attachments)</I></A>
-% }
+%   }
 % elsif($curuser->access_right('View deleted attachments')) {
 <A HREF="<% $p.'view/cust_main.cgi?custnum=' . $cust_main->custnum .
            ($view ? ";show=$view" : '') . ';show_deleted=1#notes'
            %>"><I>(Show deleted attachments)</I></A>
+%   }
 % }
 <BR>
 
diff --git a/httemplate/view/cust_main/attachments.html b/httemplate/view/cust_main/attachments.html
index dbb29a7c0..b16a81eae 100755
--- a/httemplate/view/cust_main/attachments.html
+++ b/httemplate/view/cust_main/attachments.html
@@ -109,7 +109,7 @@
 
 my $conf = new FS::Conf;
 my $curuser = $FS::CurrentUser::CurrentUser;
-
+die "access denied" if !$curuser->access_right('View attachments');
 my(%opt) = @_;
 
 my $custnum = $opt{'custnum'};