more granular ACLs for posting check vs. cash payments, processing credit card vs echecks, RT#7887

author: ivan <ivan> 2010-11-03 23:44:48 +0000
committer: ivan <ivan> 2010-11-03 23:44:48 +0000
commit: f099e0dfa8f438a84d8f1bce36f5e5bda60481e5 (patch)
tree: 613b8d984b33b9bc5b6b5158416d17d076180545 /httemplate
parent: 07277333b88457475d13e9bdfc24eaf83fc4ec49 (diff)
7 files changed, 54 insertions, 22 deletions
diff --git a/httemplate/edit/cust_pay.cgi b/httemplate/edit/cust_pay.cgi
index 7c4e6620e..8e1c779dd 100755
--- a/httemplate/edit/cust_pay.cgi
+++ b/httemplate/edit/cust_pay.cgi
@@ -109,9 +109,6 @@ my $conf = new FS::Conf;
 my $money_char  = $conf->config('money_char')  || '$';
 my $date_format = $conf->config('date_format') || '%m/%d/%Y';
 
-die "access denied"
-  unless $FS::CurrentUser::CurrentUser->access_right('Post payment');
-
 my($link, $linknum, $paid, $payby, $payinfo, $_date);
 if ( $cgi->param('error') ) {
   $link     = $cgi->param('link');
@@ -138,6 +135,13 @@ if ( $cgi->param('error') ) {
   die "illegal query ". $cgi->keywords;
 }
 
+my @rights = ('Post payment');
+push @rights, 'Post check payment' if $payby eq 'BILL';
+push @rights, 'Post cash payment'  if $payby eq 'CASH';
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right(\@rights);
+
 my $paybatch = "webui-$_date-$$-". rand() * 2**32;
 
 my $title = 'Post '. FS::payby->payname($payby). ' payment';
diff --git a/httemplate/edit/cust_refund.cgi b/httemplate/edit/cust_refund.cgi
index 59417b4c4..612e337f7 100755
--- a/httemplate/edit/cust_refund.cgi
+++ b/httemplate/edit/cust_refund.cgi
@@ -130,9 +130,6 @@
 
 <%init>
 
-die "access denied"
-  unless $FS::CurrentUser::CurrentUser->access_right('Refund payment');
-
 my $conf = new FS::Conf;
 my $date_format = $conf->config('date_format') || '%m/%d/%Y';
 
@@ -143,6 +140,17 @@ my $payinfo = $cgi->param('payinfo');
 my $reason  = $cgi->param('reason');
 my $link    = $cgi->param('popup') ? 'popup' : '';
 
+my @rights = ();
+push @rights, 'Post refund'                if $payby /^(BILL|CASH)$/;
+push @rights, 'Post check refund'          if $payby eq 'BILL';
+push @rights, 'Post cash refund '          if $payby eq 'CASH';
+push @rights, 'Refund payment'             if $payby /^(CARD|CHEK)$/;
+push @rights, 'Refund credit card payment' if $payby eq 'CARD';
+push @rights, 'Refund Echeck payment'      if $payby eq 'CHEK';
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right(\@rights);
+
 my( $paynum, $cust_pay ) = ( '', '' );
 if ( $cgi->param('paynum') =~ /^(\d+)$/ ) {
   $paynum = $1;
diff --git a/httemplate/edit/process/cust_pay.cgi b/httemplate/edit/process/cust_pay.cgi
index c8b0aa7df..0cd408958 100755
--- a/httemplate/edit/process/cust_pay.cgi
+++ b/httemplate/edit/process/cust_pay.cgi
@@ -27,9 +27,6 @@
 %}
 <%init>
 
-die "access denied"
-  unless $FS::CurrentUser::CurrentUser->access_right('Post payment');
-
 $cgi->param('linknum') =~ /^(\d+)$/
   or die "Illegal linknum: ". $cgi->param('linknum');
 my $linknum = $1;
@@ -52,6 +49,13 @@ my $new = new FS::cust_pay ( {
   #} fields('cust_pay')
 } );
 
+my @rights = ('Post payment');
+push @rights, 'Post check payment' if $cust_pay->payby eq 'BILL';
+push @rights, 'Post cash payment'  if $cust_pay->payby eq 'CASH';
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right(\@rights);
+
 my $error = $new->insert( 'manual' => 1 );
 
 </%init>
diff --git a/httemplate/edit/process/cust_refund.cgi b/httemplate/edit/process/cust_refund.cgi
index 5749e5346..389bc990c 100755
--- a/httemplate/edit/process/cust_refund.cgi
+++ b/httemplate/edit/process/cust_refund.cgi
@@ -28,8 +28,21 @@ my $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } )
 
 my $link    = $cgi->param('popup') ? 'popup' : '';
 
+my $payby = $cgi->param('payby');
+
+my @rights = ();
+push @rights, 'Post refund'                if $payby /^(BILL|CASH)$/;
+push @rights, 'Post check refund'          if $payby eq 'BILL';
+push @rights, 'Post cash refund '          if $payby eq 'CASH';
+push @rights, 'Refund payment'             if $payby /^(CARD|CHEK)$/;
+push @rights, 'Refund credit card payment' if $payby eq 'CARD';
+push @rights, 'Refund Echeck payment'      if $payby eq 'CHEK';
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right(\@rights);
+
 my $error = '';
-if ( $cgi->param('payby') =~ /^(CARD|CHEK)$/ ) { 
+if ( $payby =~ /^(CARD|CHEK)$/ ) { 
   my %options = ();
   my $bop = $FS::payby::payby2bop{$1};
   $cgi->param('refund') =~ /^(\d*)(\.\d{2})?$/
diff --git a/httemplate/view/cust_bill.cgi b/httemplate/view/cust_bill.cgi
index f1618fa4b..0928d04bc 100755
--- a/httemplate/view/cust_bill.cgi
+++ b/httemplate/view/cust_bill.cgi
@@ -26,7 +26,7 @@
 
 % if ( $cust_bill->owed > 0
 %      && scalar( grep $payby{$_}, qw(BILL CASH WEST MCRD) )
-%      && $curuser->access_right('Post payment')
+%      && $curuser->access_right(['Post payment', 'Post check payment', 'Post cash payment'])
 %      && ! $conf->exists('pkg-balances')
 %    )
 % {
@@ -34,22 +34,22 @@
 
       Post 
 
-%     if ( $payby{'BILL'} ) { 
+%     if ( $payby{'BILL'} && $curuser->access_right(['Post payment', 'Post check payment']) ) { 
           <% $s++ ? ' | ' : '' %>
           <A HREF="<% $p %>edit/cust_pay.cgi?payby=BILL;invnum=<% $invnum %>">check</A>
 %     } 
 
-%     if ( $payby{'CASH'} ) { 
+%     if ( $payby{'CASH'} && $curuser->access_right(['Post payment', 'Post cash payment']) ) { 
           <% $s++ ? ' | ' : '' %>
           <A HREF="<% $p %>edit/cust_pay.cgi?payby=CASH;invnum=<% $invnum %>">cash</A>
 %     } 
 
-%     if ( $payby{'WEST'} ) { 
+%     if ( $payby{'WEST'} && $curuser->access_right(['Post payment']) ) { 
           <% $s++ ? ' | ' : '' %>
           <A HREF="<% $p %>edit/cust_pay.cgi?payby=WEST;invnum=<% $invnum %>">Western Union</A>
 %     } 
 
-%     if ( $payby{'MCRD'} ) { 
+%     if ( $payby{'MCRD'} && $curuser->access_right(['Post payment']) ) { 
           <% $s++ ? ' | ' : '' %>
           <A HREF="<% $p %>edit/cust_pay.cgi?payby=MCRD;invnum=<% $invnum %>">manual credit card</A>
 %     } 
diff --git a/httemplate/view/cust_main/payment_history.html b/httemplate/view/cust_main/payment_history.html
index b84883a2f..111810e4f 100644
--- a/httemplate/view/cust_main/payment_history.html
+++ b/httemplate/view/cust_main/payment_history.html
@@ -1,7 +1,7 @@
 %# payment links
 
 % my $s = 0;
-% if ( $payby{'BILL'} && $curuser->access_right('Post payment') ) { 
+% if ( $payby{'BILL'} && $curuser->access_right(['Post payment', 'Post check payment' ]) ) { 
   <% $s++ ? ' | ' : '' %>
   <% include('/elements/popup_link-cust_main.html',
                'label'       => 'Enter check payment',
@@ -14,7 +14,7 @@
   %>
 % } 
 
-% if ( $payby{'CASH'} && $curuser->access_right('Post payment') ) { 
+% if ( $payby{'CASH'} && $curuser->access_right(['Post payment', 'Post cash payment']) ) { 
   <% $s++ ? ' | ' : '' %>
   <% include('/elements/popup_link-cust_main.html',
                'label'       => 'Enter cash payment',
@@ -33,7 +33,7 @@
 % } 
 
 % if ( ( $payby{'CARD'} || $payby{'DCRD'} )
-%        && $curuser->access_right('Process payment')
+%        && $curuser->access_right(['Process payment', 'Process credit card payment'])
 %        && ! $cust_main->is_encrypted($cust_main->payinfo)
 %      ) {
   <% $s++ ? ' | ' : '' %>
@@ -41,7 +41,7 @@
 % } 
 
 % if ( ( $payby{'CHEK'} || $payby{'DCHK'} )
-%        && $curuser->access_right('Process payment')
+%        && $curuser->access_right(['Process payment', 'Process Echeck payment'])
 %        && ! $cust_main->is_encrypted($cust_main->payinfo)
 %      ) {
   <% $s++ ? ' | ' : '' %>
@@ -73,7 +73,7 @@
 %# refund links
 
 % $s = 0;
-% if ( $payby{'BILL'} && $curuser->access_right('Post refund') ) { 
+% if ( $payby{'BILL'} && $curuser->access_right(['Post refund', 'Post check refund']) ) { 
   <% $s++ ? ' | ' : '' %>
   <% include('/elements/popup_link-cust_main.html',
                'label'       => 'Enter check refund',
@@ -86,7 +86,7 @@
   %>
 % } 
 
-% if ( $payby{'CASH'} && $curuser->access_right('Post refund') ) { 
+% if ( $payby{'CASH'} && $curuser->access_right(['Post refund', 'Post cash refund']) ) { 
   <% $s++ ? ' | ' : '' %>
   <% include('/elements/popup_link-cust_main.html',
                'label'       => 'Enter cash refund',
diff --git a/httemplate/view/cust_main/payment_history/payment.html b/httemplate/view/cust_main/payment_history/payment.html
index 6ec9fdb96..e745864b7 100644
--- a/httemplate/view/cust_main/payment_history/payment.html
+++ b/httemplate/view/cust_main/payment_history/payment.html
@@ -155,11 +155,14 @@ my $view =
 
 my $refund = '';
 my $refund_days = $opt{'card_refund-days'} || 120;
+my @rights = ('Refund payment');
+push @rights, 'Refund credit card payment' if $payby eq 'CARD';
+push @rights, 'Refund Echeck payment' if $payby eq 'CHEK';
 if (    $cust_pay->closed !~ /^Y/i
      && $cust_pay->payby =~ /^(CARD|CHEK)$/
      && time-$cust_pay->_date < $refund_days*86400
      && $cust_pay->unrefunded > 0
-     && $curuser->access_right('Refund payment')
+     && $curuser->access_right(\@rights)
 ) {
   $refund = qq! (<A HREF="${p}edit/cust_refund.cgi?payby=$1;!.
             qq!paynum=!. $cust_pay->paynum. '"'.
author	ivan <ivan>	2010-11-03 23:44:48 +0000
committer	ivan <ivan>	2010-11-03 23:44:48 +0000
commit	f099e0dfa8f438a84d8f1bce36f5e5bda60481e5 (patch)
tree	613b8d984b33b9bc5b6b5158416d17d076180545 /httemplate
parent	07277333b88457475d13e9bdfc24eaf83fc4ec49 (diff)