1 files changed, 30 insertions, 15 deletions

diff --git a/httemplate/misc/process/cancel_pkg.html b/httemplate/misc/process/cancel_pkg.html
index 50b111093..1a8d23b6f 100755
--- a/httemplate/misc/process/cancel_pkg.html
+++ b/httemplate/misc/process/cancel_pkg.html
@@ -1,24 +1,50 @@
+<% header("Package $past{$method}") %>
+  <SCRIPT TYPE="text/javascript">
+    window.top.location.reload();
+  </SCRIPT>
+  </BODY>
+</HTML>
+<%once>
+
+my %past = ( 'cancel'  => 'cancelled',
+             'expire'  => 'expired',
+             'suspend' => 'suspended',
+             'adjourn' => 'adjourned',
+           );
+
+#i'm sure this is false laziness with somewhere, at least w/misc/cancel_pkg.html
+my %right = ( 'cancel'  => 'Cancel customer package immediately',
+              'expire'  => 'Cancel customer package later',
+              'suspend' => 'Suspend customer package',
+              'adjourn' => 'Suspend customer package later',
+            );
+
+</%once>
 <%init>
+
 #untaint method
 my $method = $cgi->param('method');
-$method =~ /^(cancel|expire|suspend|adjourn)$/ || die "Illegal method";
+$method =~ /^(cancel|expire|suspend|adjourn)$/ or die "Illegal method";
 $method = $1;
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right($right{$method});
+
 #untaint pkgnum
 my $pkgnum = $cgi->param('pkgnum');
-$pkgnum =~ /^(\d+)$/ || die "Illegal pkgnum";
+$pkgnum =~ /^(\d+)$/ or die "Illegal pkgnum";
 $pkgnum = $1;
 
 #untaint reasonnum
 my $reasonnum = $cgi->param('reasonnum');
-$reasonnum =~ /^(-?\d+)$/ || die "Illegal reasonnum";
+$reasonnum =~ /^(-?\d+)$/ or die "Illegal reasonnum";
 $reasonnum = $1;
 
 my $date = time;
 if ($method eq 'expire' || $method eq 'adjourn'){
   #untaint date
   $date = $cgi->param('date');
-  str2time($cgi->param('date')) =~ /^(\d+)$/ || die "Illegal date";
+  str2time($cgi->param('date')) =~ /^(\d+)$/ or die "Illegal date";
   $date = $1;
 }
 
@@ -65,15 +91,4 @@ if ($error) {
 
 $dbh->commit or die $dbh->errstr if $oldAutoCommit;
 
- my %past = ( 'cancel'  => 'cancelled',
-              'expire'  => 'expired',
-              'suspend' => 'suspended',
-              'adjourn' => 'adjourned',
-            );
 </%init>
-<% header("Package $past{$method}") %>
-  <SCRIPT TYPE="text/javascript">
-    window.top.location.reload();
-  </SCRIPT>
-  </BODY></HTML>
-