| -rwxr-xr-x | httemplate/edit/part_pkg.cgi | 10 | ||||
| -rwxr-xr-x | httemplate/edit/process/part_pkg.cgi | 12 | 
2 files changed, 16 insertions, 6 deletions
| diff --git a/httemplate/edit/part_pkg.cgi b/httemplate/edit/part_pkg.cgi index 961b95f47..49f691bfd 100755 --- a/httemplate/edit/part_pkg.cgi +++ b/httemplate/edit/part_pkg.cgi @@ -240,6 +240,7 @@ Line-item revenue recognition  %  delete $freq{$_} foreach grep { ! /^\d+$/ } keys %freq;  %}  % +%#this should be replaced by /elements/selectlayers.html  %my $widget = new HTML::Widgets::SelectLayers(  %  'selected_layer' => $part_pkg->plan,  %  'options'        => \%options, @@ -360,9 +361,6 @@ Line-item revenue recognition  <% include('/elements/footer.html') %>  <%init> -die "access denied" -  unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); -  if ( $cgi->param('clone') && $cgi->param('clone') =~ /^(\d+)$/ ) {    $cgi->param('clone', $1);  } else { @@ -374,6 +372,12 @@ if ( $cgi->param('pkgnum') && $cgi->param('pkgnum') =~ /^(\d+)$/ ) {    $cgi->param('pkgnum', '');  } +my $curuser = $FS::CurrentUser::CurrentUser; + +die "access denied" +  unless $curuser->access_right('Configuration') +      || ( $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') ); +  my ($query) = $cgi->keywords;  my $conf = new FS::Conf;  diff --git a/httemplate/edit/process/part_pkg.cgi b/httemplate/edit/process/part_pkg.cgi index e3ba1b576..456a7bcd0 100755 --- a/httemplate/edit/process/part_pkg.cgi +++ b/httemplate/edit/process/part_pkg.cgi @@ -11,9 +11,6 @@  %}  <%init> -die "access denied" -  unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); -  my $dbh = dbh;  my $conf = new FS::Conf; @@ -69,6 +66,8 @@ my %pkg_svc = map { $_ => scalar($cgi->param("pkg_svc$_")) }                map { $_->svcpart }                qsearch('part_svc', {} ); +my $curuser = $FS::CurrentUser::CurrentUser; +  my $custnum = '';  if ( $error ) { 
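Review bot: In the last hunk of httemplate/edit/part_pkg.cgi, the relaxed `die "access denied"` check admits a user who holds only 'Customize customer package' whenever the request carries a `pkgnum`, and in the visible lines that client-supplied value is only matched against `/^(\d+)$/`. Nothing shown confirms that the number names an existing customer package this user may act on, or that `clone` is also set, so the right appears to open the whole package-definition edit form rather than just the customize-from-a-customer path. If customizing is always a clone made from a customer package, consider requiring both parameters, e.g. `|| ( $cgi->param('clone') && $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') )`, and looking up the cust_pkg record before the form is rendered. The rest of `<%init>` lies outside the hunk, so a later lookup may already cover part of this.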
@@ -80,12 +79,19 @@ if ( $error ) {  } elsif ( $pkgpart ) { +   die "access denied" +     unless $curuser->access_right('Configuration') +    $error = $new->replace( $old,                            pkg_svc     => \%pkg_svc,                            primary_svc => scalar($cgi->param('pkg_svc_primary')),                          );  } else { +  die "access denied" +    unless $curuser->access_right('Configuration') +        || ( $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') ); +    $error = $new->insert(  pkg_svc     => \%pkg_svc,                            primary_svc => scalar($cgi->param('pkg_svc_primary')),                            cust_pkg    => $cgi->param('pkgnum'), | 
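Review bot: The check added in the `elsif ( $pkgpart )` branch has no terminating semicolon, so `unless $curuser->access_right('Configuration')` runs straight into `$error = $new->replace(` and, as shown, should not compile; it needs `unless $curuser->access_right('Configuration');`. Moving the checks from the top of `<%init>` into these two branches also means the code before them (the `qsearch('part_svc', {})` map and the construction of `$new`/`$old`, which is not visible here) now runs before any right is tested, and the `if ( $error )` branch carries no check at all. I would keep one early gate such as `die "access denied" unless $curuser->access_right('Configuration') || $curuser->access_right('Customize customer package');` and leave the per-branch checks as the stricter ones. In the insert branch `pkgnum` is only tested for truth, without the `/^(\d+)$/` normalisation used in edit/part_pkg.cgi, and `cust_pkg => $cgi->param('pkgnum')` is evaluated in list context, so a request with repeated `pkgnum` values can add extra key/value pairs to the `insert` arguments; `cust_pkg => scalar($cgi->param('pkgnum'))` would match the `scalar(...)` already used for `primary_svc`. The `insert` call continues past the end of the hunk.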
