diff options
Diffstat (limited to 'httemplate')
| -rwxr-xr-x | httemplate/browse/cust_attachment.html | 1 | ||||
| -rwxr-xr-x | httemplate/edit/cust_main_attach.cgi | 1 | ||||
| -rw-r--r-- | httemplate/elements/menu.html | 2 | ||||
| -rwxr-xr-x | httemplate/view/cust_main.cgi | 6 | ||||
| -rwxr-xr-x | httemplate/view/cust_main/attachments.html | 2 |
5 files changed, 8 insertions, 4 deletions
diff --git a/httemplate/browse/cust_attachment.html b/httemplate/browse/cust_attachment.html index 0fdc745a2..d95f2b18c 100755 --- a/httemplate/browse/cust_attachment.html +++ b/httemplate/browse/cust_attachment.html @@ -62,6 +62,7 @@ <%init> my $curuser = $FS::CurrentUser::CurrentUser; +die "access denied" if !$curuser->access-right('View attachments'); my $conf = new FS::Conf; diff --git a/httemplate/edit/cust_main_attach.cgi b/httemplate/edit/cust_main_attach.cgi index 5e9b16c99..a00731050 100755 --- a/httemplate/edit/cust_main_attach.cgi +++ b/httemplate/edit/cust_main_attach.cgi @@ -44,6 +44,7 @@ onclick="return(confirm('Delete this file?'));"> <%init> my $curuser = $FS::CurrentUser::CurrentUser; +die "access denied" if !$curuser->access_right('View attachments'); my $attachnum = ''; my $attach; if ( $cgi->param('error') ) { diff --git a/httemplate/elements/menu.html b/httemplate/elements/menu.html index b039e78e8..caf227409 100644 --- a/httemplate/elements/menu.html +++ b/httemplate/elements/menu.html @@ -323,7 +323,7 @@ $tools_menu{'Ticketing'} = [ \%tools_ticketing, 'Ticketing tools' ] $tools_menu{'Time Queue'} = [ $fsurl.'search/report_timeworked.html', 'View pending support time' ] if $curuser->access_right('Time queue'); $tools_menu{'Attachments'} = [ $fsurl.'browse/cust_attachment.html', 'View customer attachments' ] - if !$conf->config('disable_cust_attachment'); + if !$conf->config('disable_cust_attachment') and $curuser->access_right('View attachments'); $tools_menu{'Importing'} = [ \%tools_importing, 'Import tools' ] if $curuser->access_right('Import'); $tools_menu{'Exporting'} = [ \%tools_exporting, 'Export tools' ] diff --git a/httemplate/view/cust_main.cgi b/httemplate/view/cust_main.cgi index 08d99d8e8..76f5a517e 100755 --- a/httemplate/view/cust_main.cgi +++ b/httemplate/view/cust_main.cgi @@ -153,16 +153,18 @@ Comments ) %> % } +% if( $curuser->access_right('View attachments') ) { <% include('cust_main/attachments.html', 'custnum' => $cust_main->custnum ) %> -% if($cgi->param('show_deleted')) { +% if ($cgi->param('show_deleted')) { <A HREF="<% $p.'view/cust_main.cgi?custnum=' . $cust_main->custnum . ($view ? ";show=$view" : '') . '#notes' %>"><I>(Show active attachments)</I></A> -% } +% } % elsif($curuser->access_right('View deleted attachments')) { <A HREF="<% $p.'view/cust_main.cgi?custnum=' . $cust_main->custnum . ($view ? ";show=$view" : '') . ';show_deleted=1#notes' %>"><I>(Show deleted attachments)</I></A> +% } % } <BR> diff --git a/httemplate/view/cust_main/attachments.html b/httemplate/view/cust_main/attachments.html index dbb29a7c0..b16a81eae 100755 --- a/httemplate/view/cust_main/attachments.html +++ b/httemplate/view/cust_main/attachments.html @@ -109,7 +109,7 @@ my $conf = new FS::Conf; my $curuser = $FS::CurrentUser::CurrentUser; - +die "access denied" if !$curuser->access_right('View attachments'); my(%opt) = @_; my $custnum = $opt{'custnum'}; |