From 9e9ec0df33198dee12cfe7dc6c84cd899834efc7 Mon Sep 17 00:00:00 2001
From: ivan
Date: Thu, 17 Jan 2008 04:23:21 +0000
Subject: fix ACLs to allow the limited "package editing" of customizing customer packages
---
 httemplate/edit/part_pkg.cgi | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'httemplate/edit/part_pkg.cgi')
diff --git a/httemplate/edit/part_pkg.cgi b/httemplate/edit/part_pkg.cgi
index 961b95f47..49f691bfd 100755
--- a/httemplate/edit/part_pkg.cgi
+++ b/httemplate/edit/part_pkg.cgi
@@ -240,6 +240,7 @@ Line-item revenue recognition
 % delete $freq{$_} foreach grep { ! /^\d+$/ } keys %freq;
 %}
 %
+%#this should be replaced by /elements/selectlayers.html
 %my $widget = new HTML::Widgets::SelectLayers(
 % 'selected_layer' => $part_pkg->plan,
 % 'options' => \%options,
@@ -360,9 +361,6 @@ Line-item revenue recognition
 <% include('/elements/footer.html') %>
 <%init>
-die "access denied"
- unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
-
 if ( $cgi->param('clone') && $cgi->param('clone') =~ /^(\d+)$/ ) {
 $cgi->param('clone', $1);
 } else {
@@ -374,6 +372,12 @@ if ( $cgi->param('pkgnum') && $cgi->param('pkgnum') =~ /^(\d+)$/ ) {
 $cgi->param('pkgnum', '');
 }
+my $curuser = $FS::CurrentUser::CurrentUser;
+
+die "access denied"
+ unless $curuser->access_right('Configuration')
+ || ( $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') );
+
 my ($query) = $cgi->keywords;
 my $conf = new FS::Conf;
--
cgit v1.2.1
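Review bot: The second branch of the new `die "access denied"` guard in the last hunk is satisfied by any request that carries a numeric `pkgnum`, so a user holding only 'Customize customer package' gets the same edit form as a 'Configuration' user simply by adding that parameter. Nothing visible here checks that the pkgnum names a customer package this user may act on, or that the request is the customize path rather than an edit of a shared package definition. Consider narrowing it, for example by also requiring the already-validated `clone` parameter (`$cgi->param('pkgnum') && $cgi->param('clone') && ...`) if customization always arrives that way, and by looking up the customer package record before rendering. The `<%init>` block continues past the hunk and the form's submit handler is not in this diff, so a matching restriction may already exist there; if so, a one-line comment above the guard saying where it is enforced would help the next reader.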