From f099e0dfa8f438a84d8f1bce36f5e5bda60481e5 Mon Sep 17 00:00:00 2001
From: ivan <ivan>
Date: Wed, 3 Nov 2010 23:44:48 +0000
Subject: more granular ACLs for posting check vs. cash payments, processing
 credit card vs echecks, RT#7887

---
 httemplate/edit/process/cust_refund.cgi | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'httemplate/edit/process/cust_refund.cgi')

diff --git a/httemplate/edit/process/cust_refund.cgi b/httemplate/edit/process/cust_refund.cgi
index 5749e5346..389bc990c 100755
--- a/httemplate/edit/process/cust_refund.cgi
+++ b/httemplate/edit/process/cust_refund.cgi
@@ -28,8 +28,21 @@ my $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } )
 
 my $link    = $cgi->param('popup') ? 'popup' : '';
 
+my $payby = $cgi->param('payby');
+
+my @rights = ();
+push @rights, 'Post refund'                if $payby /^(BILL|CASH)$/;
+push @rights, 'Post check refund'          if $payby eq 'BILL';
+push @rights, 'Post cash refund '          if $payby eq 'CASH';
+push @rights, 'Refund payment'             if $payby /^(CARD|CHEK)$/;
+push @rights, 'Refund credit card payment' if $payby eq 'CARD';
+push @rights, 'Refund Echeck payment'      if $payby eq 'CHEK';
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right(\@rights);
+
 my $error = '';
-if ( $cgi->param('payby') =~ /^(CARD|CHEK)$/ ) { 
+if ( $payby =~ /^(CARD|CHEK)$/ ) { 
   my %options = ();
   my $bop = $FS::payby::payby2bop{$1};
   $cgi->param('refund') =~ /^(\d*)(\.\d{2})?$/
-- 
cgit v1.2.1