From 9e9ec0df33198dee12cfe7dc6c84cd899834efc7 Mon Sep 17 00:00:00 2001
From: ivan
Date: Thu, 17 Jan 2008 04:23:21 +0000
Subject: fix ACLs to allow the limited "package editing" of customizing customer packages
---
httemplate/edit/process/part_pkg.cgi | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
(limited to 'httemplate/edit/process/part_pkg.cgi')
diff --git a/httemplate/edit/process/part_pkg.cgi b/httemplate/edit/process/part_pkg.cgi
index e3ba1b576..456a7bcd0 100755
--- a/httemplate/edit/process/part_pkg.cgi
+++ b/httemplate/edit/process/part_pkg.cgi
@@ -11,9 +11,6 @@ %} <%init> -die "access denied" - unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); - my $dbh = dbh; my $conf = new FS::Conf;
@@ -69,6 +66,8 @@ my %pkg_svc = map { $_ => scalar($cgi->param("pkg_svc$_")) } map { $_->svcpart } qsearch('part_svc', {} ); +my $curuser = $FS::CurrentUser::CurrentUser; + my $custnum = ''; if ( $error ) {
@@ -80,12 +79,19 @@ if ( $error ) { } elsif ( $pkgpart ) { + die "access denied" + unless $curuser->access_right('Configuration') + $error = $new->replace( $old, pkg_svc => \%pkg_svc, primary_svc => scalar($cgi->param('pkg_svc_primary')), ); } else { + die "access denied" + unless $curuser->access_right('Configuration') + || ( $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') ); + $error = $new->insert( pkg_svc => \%pkg_svc, primary_svc => scalar($cgi->param('pkg_svc_primary')), cust_pkg => $cgi->param('pkgnum'),
-- cgit v1.2.1
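Review bot: In the `elsif ( $pkgpart )` branch the added guard `unless $curuser->access_right('Configuration')` has no terminating `;` as shown, so it runs straight into `$error = $new->replace(` and the component should fail to compile; it should read `unless $curuser->access_right('Configuration');`. In the `else` branch the weaker right is selected merely by the presence of a client-supplied `pkgnum`, and nothing in this hunk checks that the value names a customer package the current user may customize, so a holder of 'Customize customer package' can presumably reach `$new->insert` with any true `pkgnum` unless `insert` validates `cust_pkg` itself (not visible here). With the check removed from the top of `<%init>`, the `if ( $error )` path and the setup code before these branches now run with no access check at all; an early guard such as `die "access denied" unless $curuser->access_right('Configuration') || $curuser->access_right('Customize customer package');` would reject users holding neither right before any parameters are processed. The hunk ends inside the `$new->insert(` call, so the rest of that statement is outside the view.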