From 0930d22ffc440f80c1b222b2e750cadbabd9e8f6 Mon Sep 17 00:00:00 2001 
From: ivan Date: Sun, 13 Jan 2008 21:35:54 +0000 Subject: ACLs --- httemplate/edit/process/REAL_cust_pkg.cgi | 57 +++--- httemplate/edit/process/access_user.html | 6 + httemplate/edit/process/agent.cgi | 49 +++--- httemplate/edit/process/agent_payment_gateway.html | 53 +++--- httemplate/edit/process/agent_type.cgi | 62 ++++--- httemplate/edit/process/bulk-cust_svc.cgi | 11 +- httemplate/edit/process/cust_bill_pay.cgi | 84 +++++---- httemplate/edit/process/cust_credit.cgi | 73 ++++---- httemplate/edit/process/cust_credit_bill.cgi | 86 +++++---- httemplate/edit/process/cust_main.cgi | 3 + .../edit/process/cust_main_county-collapse.cgi | 8 + .../edit/process/cust_main_county-expand.cgi | 3 + httemplate/edit/process/cust_main_county.html | 7 + httemplate/edit/process/cust_main_note.cgi | 84 +++++---- httemplate/edit/process/cust_pay.cgi | 61 ++++--- httemplate/edit/process/cust_pkg.cgi | 15 +- httemplate/edit/process/cust_refund.cgi | 73 ++++---- httemplate/edit/process/cust_svc.cgi | 50 +++--- httemplate/edit/process/domain_record.cgi | 54 +++--- httemplate/edit/process/generic.cgi | 140 ++++++++------- httemplate/edit/process/inventory_class.html | 6 + httemplate/edit/process/msgcat.cgi | 33 ++-- httemplate/edit/process/part_bill_event.cgi | 173 +++++++++--------- httemplate/edit/process/part_export.cgi | 71 ++++---- httemplate/edit/process/part_pkg.cgi | 196 +++++++++++---------- httemplate/edit/process/part_referral.html | 7 + httemplate/edit/process/part_svc.cgi | 11 +- httemplate/edit/process/payment_gateway.html | 59 ++++--- httemplate/edit/process/pkg_class.html | 6 + httemplate/edit/process/prepay_credit.cgi | 8 +- httemplate/edit/process/quick-charge.cgi | 83 ++++----- httemplate/edit/process/quick-cust_pkg.cgi | 30 ++-- httemplate/edit/process/rate.cgi | 11 +- httemplate/edit/process/reason.html | 6 + httemplate/edit/process/reason_type.html | 6 + httemplate/edit/process/reg_code.cgi | 64 ++++--- httemplate/edit/process/router.cgi | 8 +- 
httemplate/edit/process/svc_Common.html | 15 +- httemplate/edit/process/svc_acct.cgi | 117 ++++++------ httemplate/edit/process/svc_acct_pop.cgi | 49 +++--- httemplate/edit/process/svc_broadband.cgi | 63 +++---- httemplate/edit/process/svc_domain.cgi | 55 +++--- httemplate/edit/process/svc_external.cgi | 51 +++--- httemplate/edit/process/svc_forward.cgi | 51 +++--- httemplate/edit/process/svc_phone.html | 6 + httemplate/edit/process/svc_www.cgi | 65 +++---- 46 files changed, 1183 insertions(+), 1046 deletions(-) (limited to 'httemplate/edit/process') diff --git a/httemplate/edit/process/REAL_cust_pkg.cgi b/httemplate/edit/process/REAL_cust_pkg.cgi index ec951c86c..ebcb7e4ba 100755 --- a/httemplate/edit/process/REAL_cust_pkg.cgi +++ b/httemplate/edit/process/REAL_cust_pkg.cgi 
@@ -1,31 +1,36 @@ -%my $pkgnum = $cgi->param('pkgnum') or die; -%my $old = qsearchs('cust_pkg',{'pkgnum'=>$pkgnum}); -%my %hash = $old->hash; -%$hash{'setup'} = $cgi->param('setup') ? str2time($cgi->param('setup')) : ''; -%$hash{'bill'} = $cgi->param('bill') ? str2time($cgi->param('bill')) : ''; -%$hash{'last_bill'} = -% $cgi->param('last_bill') ? str2time($cgi->param('last_bill')) : ''; -%$hash{'adjourn'} = $cgi->param('adjourn') ? str2time($cgi->param('adjourn')) : ''; -%$hash{'expire'} = $cgi->param('expire') ? str2time($cgi->param('expire')) : ''; -% -%my $new; -%my $error; -%if ( $hash{'bill'} != $old->bill # if the next bill date was changed -% && $hash{'bill'} < time # to a date in the past -% && ! $cgi->param('bill_areyousure') # and it wasn't confirmed -% ) -%{ -% $error = '_bill_areyousure'; -%} else { -% $new = new FS::cust_pkg \%hash; -% $error = $new->replace($old); -%} -% %if ( $error ) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). "REAL_cust_pkg.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "REAL_cust_pkg.cgi?". $cgi->query_string ) %> %} else { % my $custnum = $new->custnum; -% print $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum". -% "#cust_pkg$pkgnum" ); +<% $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum#cust_pkg$pkgnum" ) %> %} +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Edit customer package dates'); + +my $pkgnum = $cgi->param('pkgnum') or die; +my $old = qsearchs('cust_pkg',{'pkgnum'=>$pkgnum}); +my %hash = $old->hash; +$hash{'setup'} = $cgi->param('setup') ? str2time($cgi->param('setup')) : ''; +$hash{'bill'} = $cgi->param('bill') ? str2time($cgi->param('bill')) : ''; +$hash{'last_bill'} = + $cgi->param('last_bill') ? str2time($cgi->param('last_bill')) : ''; +$hash{'adjourn'} = $cgi->param('adjourn') ? str2time($cgi->param('adjourn')) : ''; +$hash{'expire'} = $cgi->param('expire') ? 
str2time($cgi->param('expire')) : ''; + +my $new; +my $error; +if ( $hash{'bill'} != $old->bill # if the next bill date was changed + && $hash{'bill'} < time # to a date in the past + && ! $cgi->param('bill_areyousure') # and it wasn't confirmed + ) +{ + $error = '_bill_areyousure'; +} else { + $new = new FS::cust_pkg \%hash; + $error = $new->replace($old); +} + + diff --git a/httemplate/edit/process/access_user.html b/httemplate/edit/process/access_user.html index 9f7c4ddbf..ca6bb603f 100644 --- a/httemplate/edit/process/access_user.html +++ b/httemplate/edit/process/access_user.html @@ -13,3 +13,9 @@ ) %> % } +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + + diff --git a/httemplate/edit/process/agent.cgi b/httemplate/edit/process/agent.cgi index 5128d7ae8..ad550cc37 100755 --- a/httemplate/edit/process/agent.cgi +++ b/httemplate/edit/process/agent.cgi 
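Review bot: In the new `<%init>` block for REAL_cust_pkg.cgi, `pkgnum` is taken from the request without a digit check and `$old` is never tested, so an unknown pkgnum ends in a method call on undef at `$old->hash` instead of a clean error. The sibling components untaint their keys first; the same here would be `$cgi->param('pkgnum') =~ /^(\d+)$/ or die "Illegal pkgnum";`, `my $pkgnum = $1;` and an `or die "No such pkgnum"` on the `qsearchs` line. That also keeps the raw request value out of the redirect URL that interpolates `$pkgnum`. The `access_right('Edit customer package dates')` test is a global right; nothing visible in this hunk ties the package to customers this user may edit, so confirm that is enforced elsewhere.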
@@ -1,29 +1,30 @@ -% -% -%my $agentnum = $cgi->param('agentnum'); -% -%my $old = qsearchs('agent',{'agentnum'=>$agentnum}) if $agentnum; -% -%my $new = new FS::agent ( { -% map { -% $_, scalar($cgi->param($_)); -% } fields('agent') -%} ); -% -%my $error; -%if ( $agentnum ) { -% $error=$new->replace($old); -%} else { -% $error=$new->insert; -% $agentnum=$new->getfield('agentnum'); -%} -% %if ( $error ) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). "agent.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "agent.cgi?". $cgi->query_string ) %> %} else { -% print $cgi->redirect(popurl(3). "browse/agent.cgi"); +<% $cgi->redirect(popurl(3). "browse/agent.cgi") %> %} -% -% +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + +my $agentnum = $cgi->param('agentnum'); + +my $old = qsearchs('agent',{'agentnum'=>$agentnum}) if $agentnum; + +my $new = new FS::agent ( { + map { + $_, scalar($cgi->param($_)); + } fields('agent') +} ); + +my $error; +if ( $agentnum ) { + $error=$new->replace($old); +} else { + $error=$new->insert; + $agentnum=$new->getfield('agentnum'); +} + diff --git a/httemplate/edit/process/agent_payment_gateway.html b/httemplate/edit/process/agent_payment_gateway.html index 436317ec4..5b5fd948a 100644 --- a/httemplate/edit/process/agent_payment_gateway.html +++ b/httemplate/edit/process/agent_payment_gateway.html 
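Review bot: `my $old = qsearchs('agent',{'agentnum'=>$agentnum}) if $agentnum;` in the new `<%init>` block is a conditional `my`, which perl documents as having undefined behaviour; if these components run in a persistent interpreter the variable can keep a value from an earlier call. Write it as `my $old = $agentnum ? qsearchs('agent',{'agentnum'=>$agentnum}) : undef;`. agent_type.cgi has the same construct with `$typenum`. Unlike most of the other process components, `$agentnum` is also used without an anchored `/^(\d*)$/` check, and a non-empty agentnum that matches no row reaches `$new->replace($old)` with `$old` undefined.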
@@ -1,26 +1,29 @@
-%
-%
-%$cgi->param('agentnum') =~ /(\d+)$/ or die "illegal agentnum";
-%my $agent = qsearchs('agent', { 'agentnum' => $1 } );
-%die "agentnum $1 not found" unless $agent;
-%
-%#my $old
-%
-%my @new = map {
-% my $cardtype = $_;
-% new FS::agent_payment_gateway {
-% ( map { $_ => scalar($cgi->param($_)) }
-% fields('agent_payment_gateway')
-% ),
-% 'cardtype' => $cardtype,
-% };
-% }
-% $cgi->param('cardtype');
-%
-%foreach my $new (@new) {
-% my $error = $new->insert;
-% die $error if $error;
-%}
-%
-%
 <% $cgi->redirect(popurl(3). "browse/agent.cgi") %>
+<%init>
+
+die "access denied"
+ unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+$cgi->param('agentnum') =~ /(\d+)$/ or die "illegal agentnum";
+my $agent = qsearchs('agent', { 'agentnum' => $1 } );
+die "agentnum $1 not found" unless $agent;
+
+#my $old
+
+my @new = map {
+ my $cardtype = $_;
+ new FS::agent_payment_gateway {
+ ( map { $_ => scalar($cgi->param($_)) }
+ fields('agent_payment_gateway')
+ ),
+ 'cardtype' => $cardtype,
+ };
+ }
+ $cgi->param('cardtype');
+
+foreach my $new (@new) {
+ my $error = $new->insert;
+ die $error if $error;
+}
+
+
diff --git a/httemplate/edit/process/agent_type.cgi b/httemplate/edit/process/agent_type.cgi
index b8d03705c..898e0667d 100755
--- a/httemplate/edit/process/agent_type.cgi
+++ b/httemplate/edit/process/agent_type.cgi
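Review bot: The agentnum check in the new `<%init>` block of agent_payment_gateway.html is unanchored (`/(\d+)$/`), so a value such as `x12` passes and only the trailing digits are looked up. The record itself is then built from the raw request through `map { $_ => scalar($cgi->param($_)) } fields('agent_payment_gateway')`, so, assuming agentnum is one of that table's columns, the value inserted is not the one that was validated. Anchoring the match, `$cgi->param('agentnum') =~ /^(\d+)$/ or die "illegal agentnum";`, makes the validated and inserted values the same. The `foreach` also dies on the first failed insert with earlier rows already written unless a transaction is opened elsewhere.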
@@ -1,37 +1,35 @@ -% -% -%my $typenum = $cgi->param('typenum'); -%my $old = qsearchs('agent_type',{'typenum'=>$typenum}) if $typenum; -% -%my $new = new FS::agent_type ( { -% map { -% $_, scalar($cgi->param($_)); -% } fields('agent_type') -%} ); -% -%my $error; -%if ( $typenum ) { -% $error = $new->replace($old); -%} else { -% $error = $new->insert; -% $typenum = $new->getfield('typenum'); -%} -%#$error ||= $new->process_m2m( ); -% %if ( $error ) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). "agent_type.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "agent_type.cgi?". $cgi->query_string ) %> %} else { -% -% my $error = $new->process_m2m( -% 'link_table' => 'type_pkgs', -% 'target_table' => 'part_pkg', -% 'params' => scalar($cgi->Vars) -% ); -% die $error if $error; -% -% print $cgi->redirect(popurl(3). "browse/agent_type.cgi"); +<% $cgi->redirect(popurl(3). "browse/agent_type.cgi") %> %} -% -% +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + +my $typenum = $cgi->param('typenum'); +my $old = qsearchs('agent_type',{'typenum'=>$typenum}) if $typenum; + +my $new = new FS::agent_type ( { + map { + $_, scalar($cgi->param($_)); + } fields('agent_type') +} ); + +my $error; +if ( $typenum ) { + $error = $new->replace($old); +} else { + $error = $new->insert; + $typenum = $new->getfield('typenum'); +} + + $error ||= $new->process_m2m( + 'link_table' => 'type_pkgs', + 'target_table' => 'part_pkg', + 'params' => scalar($cgi->Vars) + ); +<%/init> diff --git a/httemplate/edit/process/bulk-cust_svc.cgi b/httemplate/edit/process/bulk-cust_svc.cgi index ad4d67307..313b061ff 100644 --- a/httemplate/edit/process/bulk-cust_svc.cgi +++ b/httemplate/edit/process/bulk-cust_svc.cgi 
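Review bot: The last added line of agent_type.cgi closes the init section with `<%/init>`, which is not Mason's closing tag. As shown, the `<%init>` block is never terminated and the component would presumably fail to compile; it should read `</%init>`. Routing the `process_m2m` result through `$error ||=` sends a failure to the error redirect instead of dying, which is reasonable, but the call is indented as if it were still inside the `else` branch, and a one-line comment saying it runs for both insert and replace would help.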
@@ -1,4 +1,9 @@
-%
-% my $server = new FS::UI::Web::JSRPC 'FS::part_svc::process_bulk_cust_svc', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+ unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $server = new FS::UI::Web::JSRPC 'FS::part_svc::process_bulk_cust_svc', $cgi;
+
+
diff --git a/httemplate/edit/process/cust_bill_pay.cgi b/httemplate/edit/process/cust_bill_pay.cgi
index 962fc4eb9..43e672647 100755
--- a/httemplate/edit/process/cust_bill_pay.cgi
+++ b/httemplate/edit/process/cust_bill_pay.cgi
@@ -1,54 +1,50 @@ -% -% -%$cgi->param('paynum') =~ /^(\d*)$/ or die "Illegal paynum!"; -%my $paynum = $1; -% -%my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } ) -% or die "No such paynum"; -% -%my $cust_main = qsearchs('cust_main', { 'custnum' => $cust_pay->custnum } ) -% or die "Bogus credit: not attached to customer"; -% -%my $custnum = $cust_main->custnum; -% -%my $new; -%if ($cgi->param('invnum') =~ /^Refund$/) { -% $new = new FS::cust_refund ( { -% 'reason' => 'Refunding payment', #enter reason in UI -% 'refund' => $cgi->param('amount'), -% 'payby' => 'BILL', -% #'_date' => $cgi->param('_date'), -% 'payinfo' => 'Cash', #enter payinfo in UI -% 'paynum' => $paynum, -% } ); -%} else { -% $new = new FS::cust_bill_pay ( { -% map { -% $_, scalar($cgi->param($_)); -% #} qw(custnum _date amount invnum) -% } fields('cust_bill_pay') -% } ); -%} -% -%my $error = $new->insert; -% %if ( $error ) { -% % $cgi->param('error', $error); -% <% $cgi->redirect(popurl(2). "cust_bill_pay.cgi?". $cgi->query_string ) %> -% -% %} else { -% -% #print $cgi->redirect(popurl(3). 
"view/cust_main.cgi?$custnum"); -% -% <% header('Payment application sucessful') %> - - + + % } +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Apply payment') #; + || $FS::CurrentUser::CurrentUser->access_right('Post payment'): #remove after 1.7.3 + +$cgi->param('paynum') =~ /^(\d*)$/ or die "Illegal paynum!"; +my $paynum = $1; + +my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } ) + or die "No such paynum"; + +my $cust_main = qsearchs('cust_main', { 'custnum' => $cust_pay->custnum } ) + or die "Bogus credit: not attached to customer"; + +my $custnum = $cust_main->custnum; + +my $new; +if ($cgi->param('invnum') =~ /^Refund$/) { + $new = new FS::cust_refund ( { + 'reason' => 'Refunding payment', #enter reason in UI + 'refund' => $cgi->param('amount'), + 'payby' => 'BILL', + #'_date' => $cgi->param('_date'), + 'payinfo' => 'Cash', #enter payinfo in UI + 'paynum' => $paynum, + } ); +} else { + $new = new FS::cust_bill_pay ( { + map { + $_, scalar($cgi->param($_)); + #} qw(custnum _date amount invnum) + } fields('cust_bill_pay') + } ); +} + +my $error = $new->insert; + diff --git a/httemplate/edit/process/cust_credit.cgi b/httemplate/edit/process/cust_credit.cgi index 9dcad7f68..8715ad61e 100755 --- a/httemplate/edit/process/cust_credit.cgi +++ b/httemplate/edit/process/cust_credit.cgi 
@@ -1,46 +1,10 @@ -% -% -%$cgi->param('custnum') =~ /^(\d*)$/ or die "Illegal custnum!"; -%my $custnum = $1; -% -%$cgi->param('reasonnum') =~ /^(-?\d+)$/ or die "Illegal reasonnum"; -%my $reasonnum = $1; -% -%my $oldAutoCommit = $FS::UID::AutoCommit; -%local $FS::UID::AutoCommit = 0; -%my $dbh = dbh; -% -%my $error = ''; -%if ($reasonnum == -1) { -% -% $error = 'Enter a new reason (or select an existing one)' -% unless $cgi->param('newreasonnum') !~ /^\s*$/; -% my $reason = new FS::reason({ 'reason_type' => $cgi->param('newreasonnumT'), -% 'reason' => $cgi->param('newreasonnum'), -% }); -% $error ||= $reason->insert; -% $cgi->param('reasonnum', $reason->reasonnum) -% unless $error; -%} -% -%unless ($error) { -% my $new = new FS::cust_credit ( { -% map { -% $_, scalar($cgi->param($_)); -% } fields('cust_credit') -% } ); -% $error = $new->insert; -%} -% %if ( $error ) { % $cgi->param('reasonnum', $reasonnum); % $cgi->param('error', $error); % $dbh->rollback if $oldAutoCommit; -% % <% $cgi->redirect(popurl(2). "cust_credit.cgi?". $cgi->query_string ) %> % -% %} else { % % if ( $cgi->param('apply') eq 'yes' ) { 
@@ -59,4 +23,41 @@ % } +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Post credit'); + +$cgi->param('custnum') =~ /^(\d*)$/ or die "Illegal custnum!"; +my $custnum = $1; + +$cgi->param('reasonnum') =~ /^(-?\d+)$/ or die "Illegal reasonnum"; +my $reasonnum = $1; + +my $oldAutoCommit = $FS::UID::AutoCommit; +local $FS::UID::AutoCommit = 0; +my $dbh = dbh; + +my $error = ''; +if ($reasonnum == -1) { + + $error = 'Enter a new reason (or select an existing one)' + unless $cgi->param('newreasonnum') !~ /^\s*$/; + my $reason = new FS::reason({ 'reason_type' => $cgi->param('newreasonnumT'), + 'reason' => $cgi->param('newreasonnum'), + }); + $error ||= $reason->insert; + $cgi->param('reasonnum', $reason->reasonnum) + unless $error; +} + +unless ($error) { + my $new = new FS::cust_credit ( { + map { + $_, scalar($cgi->param($_)); + } fields('cust_credit') + } ); + $error = $new->insert; +} + diff --git a/httemplate/edit/process/cust_credit_bill.cgi b/httemplate/edit/process/cust_credit_bill.cgi index 7509a3f02..74ae00888 100755 --- a/httemplate/edit/process/cust_credit_bill.cgi +++ b/httemplate/edit/process/cust_credit_bill.cgi 
@@ -1,55 +1,51 @@ -% -% -%$cgi->param('crednum') =~ /^(\d*)$/ or die "Illegal crednum!"; -%my $crednum = $1; -% -%my $cust_credit = qsearchs('cust_credit', { 'crednum' => $crednum } ) -% or die "No such crednum"; -% -%my $cust_main = qsearchs('cust_main', { 'custnum' => $cust_credit->custnum } ) -% or die "Bogus credit: not attached to customer"; -% -%my $custnum = $cust_main->custnum; -% -%my $new; -%if ($cgi->param('invnum') =~ /^Refund$/) { -% $new = new FS::cust_refund ( { -% 'reason' => ( $cust_credit->reason || 'refund from credit' ), -% 'refund' => $cgi->param('amount'), -% 'payby' => 'BILL', -% #'_date' => $cgi->param('_date'), -% #'payinfo' => 'Cash', -% 'payinfo' => 'Refund', -% 'crednum' => $crednum, -% } ); -%} else { -% $new = new FS::cust_credit_bill ( { -% map { -% $_, scalar($cgi->param($_)); -% #} qw(custnum _date amount invnum) -% } fields('cust_credit_bill') -% } ); -%} -% -%my $error = $new->insert; -% %if ( $error ) { -% % $cgi->param('error', $error); -% <% $cgi->redirect(popurl(2). "cust_credit_bill.cgi?". $cgi->query_string ) %> -% -% %} else { -% -% #print $cgi->redirect(popurl(3). 
"view/cust_main.cgi?$custnum"); -% -% <% header('Credit application sucessful') %> - - + + % } +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Apply credit') #; + || $FS::CurrentUser::CurrentUser->access_right('Post credit'): #remove after 1.7.3 + +$cgi->param('crednum') =~ /^(\d*)$/ or die "Illegal crednum!"; +my $crednum = $1; + +my $cust_credit = qsearchs('cust_credit', { 'crednum' => $crednum } ) + or die "No such crednum"; + +my $cust_main = qsearchs('cust_main', { 'custnum' => $cust_credit->custnum } ) + or die "Bogus credit: not attached to customer"; + +my $custnum = $cust_main->custnum; + +my $new; +if ($cgi->param('invnum') =~ /^Refund$/) { + $new = new FS::cust_refund ( { + 'reason' => ( $cust_credit->reason || 'refund from credit' ), + 'refund' => $cgi->param('amount'), + 'payby' => 'BILL', + #'_date' => $cgi->param('_date'), + #'payinfo' => 'Cash', + 'payinfo' => 'Refund', + 'crednum' => $crednum, + } ); +} else { + $new = new FS::cust_credit_bill ( { + map { + $_, scalar($cgi->param($_)); + #} qw(custnum _date amount invnum) + } fields('cust_credit_bill') + } ); +} + +my $error = $new->insert; + diff --git a/httemplate/edit/process/cust_main.cgi b/httemplate/edit/process/cust_main.cgi index 8de2092f9..b0c9e3e57 100755 --- a/httemplate/edit/process/cust_main.cgi +++ b/httemplate/edit/process/cust_main.cgi @@ -16,6 +16,9 @@ my $DEBUG = 0; <%init> +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Edit customer'); + my $error = ''; #unmunge stuff diff --git a/httemplate/edit/process/cust_main_county-collapse.cgi b/httemplate/edit/process/cust_main_county-collapse.cgi index 4bcaf1de3..a917825ce 100755 --- a/httemplate/edit/process/cust_main_county-collapse.cgi +++ b/httemplate/edit/process/cust_main_county-collapse.cgi 
@@ -33,4 +33,12 @@ %print $cgi->redirect(popurl(3). "browse/cust_main_county.cgi"); % % +<%init> +#this isn't actually linked from anywhere just now, but it will be again soon + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + + + diff --git a/httemplate/edit/process/cust_main_county-expand.cgi b/httemplate/edit/process/cust_main_county-expand.cgi index 4e04f37fc..a8b4c2511 100755 --- a/httemplate/edit/process/cust_main_county-expand.cgi +++ b/httemplate/edit/process/cust_main_county-expand.cgi @@ -8,6 +8,9 @@ <%init> +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + $cgi->param('taxnum') =~ /^(\d+)$/ or die "Illegal taxnum!"; my $taxnum = $1; my $cust_main_county = qsearchs('cust_main_county',{'taxnum'=>$taxnum}) diff --git a/httemplate/edit/process/cust_main_county.html b/httemplate/edit/process/cust_main_county.html index 3d9d20b85..cb56166c8 100644 --- a/httemplate/edit/process/cust_main_county.html +++ b/httemplate/edit/process/cust_main_county.html @@ -4,3 +4,10 @@ #someday change the individual element and go away instead ) %> +<%init> + +my $conf = new FS::Conf; +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + + diff --git a/httemplate/edit/process/cust_main_note.cgi b/httemplate/edit/process/cust_main_note.cgi index 8b9105bd8..9689ca6d6 100755 --- a/httemplate/edit/process/cust_main_note.cgi +++ b/httemplate/edit/process/cust_main_note.cgi 
@@ -1,42 +1,7 @@ -% -% -%$cgi->param('custnum') =~ /^(\d+)$/ -% or die "Illegal custnum: ". $cgi->param('custnum'); -%my $custnum = $1; -% -%$cgi->param('notenum') =~ /^(\d*)$/ -% or die "Illegal notenum: ". $cgi->param('notenum'); -%my $notenum = $1; -% -%my $otaker = $FS::CurrentUser::CurrentUser->name; -%$otaker = $FS::CurrentUser::CurrentUser->username -% if ($otaker eq "User, Legacy"); -% -%my $new = new FS::cust_main_note ( { -% notenum => $notenum, -% custnum => $custnum, -% _date => time, -% otaker => $otaker, -% comments => $cgi->param('comment'), -%} ); -% -%my $error; -%if ($notenum){ -% my $old = qsearchs('cust_main_note', { 'notenum' => $notenum }); -% $error = "No such note: $notenum" unless $old; -% unless($error){ -% map { $new->$_($old->$_) } ('_date', 'otaker'); -% $error = $new->replace($old); -% } -%}else{ -% $error = $new->insert; -%} -% %if ($error) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). 'cust_main_note.cgi?'. $cgi->query_string ); -%} -% +<% $cgi->redirect(popurl(2). 'cust_main_note.cgi?'. $cgi->query_string ) %> +%} else { % <% header('Note ' . ($notenum ? 'updated' : 'added') ) %> % -% +% } +<%init> + +$cgi->param('custnum') =~ /^(\d+)$/ + or die "Illegal custnum: ". $cgi->param('custnum'); +my $custnum = $1; + +$cgi->param('notenum') =~ /^(\d*)$/ + or die "Illegal notenum: ". 
$cgi->param('notenum'); +my $notenum = $1; + +my $otaker = $FS::CurrentUser::CurrentUser->name; +$otaker = $FS::CurrentUser::CurrentUser->username + if ($otaker eq "User, Legacy"); + +my $new = new FS::cust_main_note ( { + notenum => $notenum, + custnum => $custnum, + _date => time, + otaker => $otaker, + comments => $cgi->param('comment'), +} ); + +my $error; +if ($notenum) { + + die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Edit customer note'); + + my $old = qsearchs('cust_main_note', { 'notenum' => $notenum }); + $error = "No such note: $notenum" unless $old; + unless ($error) { + map { $new->$_($old->$_) } ('_date', 'otaker'); + $error = $new->replace($old); + } + +} else { + + die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Add customer note'); + + $error = $new->insert; +} + diff --git a/httemplate/edit/process/cust_pay.cgi b/httemplate/edit/process/cust_pay.cgi index a34c88aba..647f6fc6c 100755 --- a/httemplate/edit/process/cust_pay.cgi +++ b/httemplate/edit/process/cust_pay.cgi 
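Review bot: In the edit branch of cust_main_note.cgi, `$old` is looked up by notenum alone and then replaced by `$new`, whose custnum comes from the request, so nothing visible stops a holder of 'Edit customer note' from rewriting a note under a different customer. Checking ownership before the replace closes that, e.g. `$error = "No such note: $notenum" unless $old && $old->custnum == $custnum;` (assuming the usual column accessor on the record). The `map { $new->$_($old->$_) } ('_date', 'otaker');` in void context would read better as a `for` loop. Both `access_right` tests run only after `$new` has been constructed, which is harmless but easy to misread; a comment that the required right depends on whether notenum is set would help.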
@@ -1,32 +1,8 @@ -% -% -%$cgi->param('linknum') =~ /^(\d+)$/ -% or die "Illegal linknum: ". $cgi->param('linknum'); -%my $linknum = $1; -% -%$cgi->param('link') =~ /^(custnum|invnum|popup)$/ -% or die "Illegal link: ". $cgi->param('link'); -%my $field = my $link = $1; -%$field = 'custnum' if $field eq 'popup'; -% -%my $_date = str2time($cgi->param('_date')); -% -%my $new = new FS::cust_pay ( { -% $field => $linknum, -% _date => $_date, -% map { -% $_, scalar($cgi->param($_)); -% } qw(paid payby payinfo paybatch) -% #} fields('cust_pay') -%} ); -% -%my $error = $new->insert( 'manual' => 1 ); -% %if ($error) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). 'cust_pay.cgi?'. $cgi->query_string ); +<% $cgi->redirect(popurl(2). 'cust_pay.cgi?'. $cgi->query_string ) %> %} elsif ( $field eq 'invnum' ) { -% print $cgi->redirect(popurl(3). "view/cust_bill.cgi?$linknum"); +<% $cgi->redirect(popurl(3). "view/cust_bill.cgi?$linknum") %> %} elsif ( $field eq 'custnum' ) { % if ( $cgi->param('apply') eq 'yes' ) { % my $cust_main = qsearchs('cust_main', { 'custnum' => $linknum }) 
@@ -34,7 +10,6 @@ % $cust_main->apply_payments; % } % if ( $link eq 'popup' ) { -% % <% header('Payment entered') %> +% } +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('One-time charge'); + +my $error = ''; +my $param = $cgi->Vars; + +my @description = (); +for ( my $row = 0; exists($param->{"description$row"}); $row++ ) { + push @description, $param->{"description$row"} + if ($param->{"description$row"} =~ /\S/); +} + +$param->{"custnum"} =~ /^(\d+)$/ + or $error .= "Illegal customer number " . $param->{"custnum"} . " "; +my $custnum = $1; + +$param->{"amount"} =~ /^\s*(\d+(\.\d{1,2})?)\s*$/ + or $error .= "Illegal amount " . $param->{"amount"} . " "; +my $amount = $1; + +if ( $param->{'taxclass'} eq '(select)' ) { + $error .= "Must select a tax class. "; +} + +unless ( $error ) { + my $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } ) + or $error .= "Unknown customer number $custnum. "; + + $error ||= $cust_main->charge( { + 'amount' => $amount, + 'pkg' => scalar($cgi->param('pkg')), + 'taxclass' => scalar($cgi->param('taxclass')), + 'additional' => \@description, + } ); +} + + diff --git a/httemplate/edit/process/quick-cust_pkg.cgi b/httemplate/edit/process/quick-cust_pkg.cgi index 66d02e307..6b65653c2 100644 --- a/httemplate/edit/process/quick-cust_pkg.cgi +++ b/httemplate/edit/process/quick-cust_pkg.cgi 
@@ -1,17 +1,6 @@ -%#untaint custnum -%$cgi->param('custnum') =~ /^(\d+)$/ -% or die 'illegal custnum '. $cgi->param('custnum'); -%my $custnum = $1; -%$cgi->param('pkgpart') =~ /^(\d+)$/ -% or die 'illegal pkgpart '. $cgi->param('pkgpart'); -%my $pkgpart = $1; -% -%my @cust_pkg = (); -%my $error = FS::cust_pkg::order($custnum, [ $pkgpart ], [], \@cust_pkg, [ $cgi->param('refnum') ] ); -% %if ($error) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). 'misc/order_pkg.html?'. $cgi->query_string ); +<% $cgi->redirect(popurl(2). 'misc/order_pkg.html?'. $cgi->query_string ) %> %} else { % my $frag = "cust_pkg". $cust_pkg[0]->pkgnum; <% header('Package ordered') %> @@ -25,3 +14,20 @@ %} +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Order customer package'); + +#untaint custnum +$cgi->param('custnum') =~ /^(\d+)$/ + or die 'illegal custnum '. $cgi->param('custnum'); +my $custnum = $1; +$cgi->param('pkgpart') =~ /^(\d+)$/ + or die 'illegal pkgpart '. $cgi->param('pkgpart'); +my $pkgpart = $1; + +my @cust_pkg = (); +my $error = FS::cust_pkg::order($custnum, [ $pkgpart ], [], \@cust_pkg, [ $cgi->param('refnum') ] ); + + diff --git a/httemplate/edit/process/rate.cgi b/httemplate/edit/process/rate.cgi index c81f883b7..48d9322ca 100755 --- a/httemplate/edit/process/rate.cgi +++ b/httemplate/edit/process/rate.cgi @@ -1,4 +1,9 @@ -% -% my $server = new FS::UI::Web::JSRPC 'FS::rate::process', $cgi; -% <% $server->process %> +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + +my $server = new FS::UI::Web::JSRPC 'FS::rate::process', $cgi; + + diff --git a/httemplate/edit/process/reason.html b/httemplate/edit/process/reason.html index 55c1ea958..cb79ed254 100644 --- a/httemplate/edit/process/reason.html +++ b/httemplate/edit/process/reason.html 
@@ -4,3 +4,9 @@ $cgi->param('class') . '&', ) %> +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + + diff --git a/httemplate/edit/process/reason_type.html b/httemplate/edit/process/reason_type.html index 4ccccaddd..3172b27c4 100644 --- a/httemplate/edit/process/reason_type.html +++ b/httemplate/edit/process/reason_type.html @@ -4,3 +4,9 @@ $cgi->param('class') . '&', ) %> +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + + diff --git a/httemplate/edit/process/reg_code.cgi b/httemplate/edit/process/reg_code.cgi index d93bb55a2..c4327991d 100644 --- a/httemplate/edit/process/reg_code.cgi +++ b/httemplate/edit/process/reg_code.cgi @@ -1,50 +1,46 @@ -% -% -%$cgi->param('agentnum') =~ /^(\d+)$/ -% or errorpage('illegal agentnum '. $cgi->param('agentnum')); -%my $agentnum = $1; -%my $agent = qsearchs('agent', { 'agentnum' => $agentnum } ); -% -%my $error = ''; -% -%my $num = 0; -%if ( $cgi->param('num') =~ /^\s*(\d+)\s*$/ ) { -% $num = $1; -%} else { -% $error = 'Illegal number of codes: '. $cgi->param('num'); -%} -% -%my @pkgparts = -% map { /^pkgpart(.*)$/; $1 } -% grep { $cgi->param($_) } -% grep { /^pkgpart/ } -% $cgi->param; -% -%$error ||= $agent->generate_reg_codes($num, \@pkgparts); -% %unless ( ref($error) ) { % $cgi->param('error'. $error ); -% -<% - $cgi->redirect(popurl(3). "edit/reg_code.cgi?". $cgi->query_string ) -%> +<% $cgi->redirect(popurl(3). "edit/reg_code.cgi?". $cgi->query_string ) %> % } else { - <% include("/elements/header.html","$num registration codes generated for ". $agent->agent, menubar( - 'Main menu' => popurl(3), 'View all agents' => popurl(3). 'browse/agent.cgi', ) ) %>

 % foreach my $code ( @$error ) { 
-
   <% $code %>
 % } 
-
-
 
- +<% include('/elements/footer.html') %> % } +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + +$cgi->param('agentnum') =~ /^(\d+)$/ + or errorpage('illegal agentnum '. $cgi->param('agentnum')); +my $agentnum = $1; +my $agent = qsearchs('agent', { 'agentnum' => $agentnum } ); + +my $error = ''; + +my $num = 0; +if ( $cgi->param('num') =~ /^\s*(\d+)\s*$/ ) { + $num = $1; +} else { + $error = 'Illegal number of codes: '. $cgi->param('num'); +} + +my @pkgparts = + map { /^pkgpart(.*)$/; $1 } + grep { $cgi->param($_) } + grep { /^pkgpart/ } + $cgi->param; + +$error ||= $agent->generate_reg_codes($num, \@pkgparts); + + diff --git a/httemplate/edit/process/router.cgi b/httemplate/edit/process/router.cgi index c69114ea4..7e0baf782 100644 --- a/httemplate/edit/process/router.cgi +++ b/httemplate/edit/process/router.cgi @@ -1,5 +1,3 @@ -% -% %local $FS::UID::AutoCommit=0; % %sub check { @@ -64,5 +62,9 @@ %dbh->commit or die dbh->errstr; %print $cgi->redirect(popurl(3). "browse/router.cgi"); % -% +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + diff --git a/httemplate/edit/process/svc_Common.html b/httemplate/edit/process/svc_Common.html index f5c869a12..cf5f01f71 100644 --- a/httemplate/edit/process/svc_Common.html +++ b/httemplate/edit/process/svc_Common.html 
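Review bot: The context line `$cgi->param('error'. $error );` in reg_code.cgi concatenates instead of passing two arguments, so the error text is never stored and the redirect back to edit/reg_code.cgi carries no `error` parameter; it should be `$cgi->param('error', $error);`. In the new `<%init>` block `$agent` is not checked before `$agent->generate_reg_codes(...)`, so an unknown agentnum dies on an undef method call; add `or die "Unknown agentnum $agentnum"` to the `qsearchs` line. The pkgpart extraction accepts anything after the prefix (`/^pkgpart(.*)$/`), and tightening it to `/^pkgpart(\d+)$/` keeps non-numeric request keys out of `@pkgparts`. No upper bound on `$num` is visible in the hunk.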
@@ -1,13 +1,16 @@ +<% include( 'elements/svc_Common.html', + 'table' => $table, + 'redirect' => popurl(3)."view/svc_Common.html?svcdb=$table;svcnum=", + 'error_redirect' => popurl(3)."edit/svc_Common.html?svcdb=$table;", + ) +%> <%init> +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific? + $cgi->param('svcdb') =~ /^(svc_\w+)$/ or die "unparsable svcdb"; my $table = $1; require "FS/$table.pm"; -<% include( 'elements/svc_Common.html', - 'table' => $table, - 'redirect' => popurl(3)."view/svc_Common.html?svcdb=$table;svcnum=", - 'error_redirect' => popurl(3)."edit/svc_Common.html?svcdb=$table;", - ) -%> diff --git a/httemplate/edit/process/svc_acct.cgi b/httemplate/edit/process/svc_acct.cgi index d9aac9fac..0a89e253c 100755 --- a/httemplate/edit/process/svc_acct.cgi +++ b/httemplate/edit/process/svc_acct.cgi 
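Review bot: `require "FS/$table.pm";` in svc_Common.html loads a module whose name comes from the request, and the `svc_\w+` match is the only thing constraining it. The pattern keeps path separators out, but any FS/svc_*.pm reachable on @INC can be pulled in, and `$table` then becomes the table name passed to the element and is interpolated into both redirect URLs. Checking `$table` against the service tables the installation actually defines before the `require` would make the limit explicit. At minimum add a comment above the match such as `# $table is request-controlled; this pattern is the only guard on what gets require'd`. The inline "something else more specific?" on the access check is worth tracking as a TODO, since one right covers every service type here.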
@@ -1,63 +1,64 @@ -% -% -%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; -%my $svcnum = $1; -% -%my $old; -%if ( $svcnum ) { -% $old = qsearchs('svc_acct', { 'svcnum' => $svcnum } ) -% or die "fatal: can't find account (svcnum $svcnum)!"; -%} else { -% $old = ''; -%} -% -%#unmunge popnum -%$cgi->param('popnum', (split(/:/, $cgi->param('popnum') ))[0] ); -% -%#unmunge passwd -%if ( $cgi->param('_password') eq '*HIDDEN*' ) { -% die "fatal: no previous account to recall hidden password from!" unless $old; -% $cgi->param('_password',$old->getfield('_password')); -%} -% -%#unmunge usergroup -%$cgi->param('usergroup', [ $cgi->param('radius_usergroup') ] ); -% -%#unmunge bytecounts -%foreach (map { $_,$_."_threshold" } qw( upbytes downbytes totalbytes )) { -% $cgi->param($_, FS::UI::bytecount::parse_bytecount($cgi->param($_)) ); -%} -% -%my %hash = $svcnum ? $old->hash : (); -%map { -% $hash{$_} = scalar($cgi->param($_)); -% #} qw(svcnum pkgnum svcpart username _password popnum uid gid finger dir -% # shell quota slipip) -% } (fields('svc_acct'), qw ( pkgnum svcpart usergroup )); -%my $new = new FS::svc_acct ( \%hash ); -% -%my $error; -%if ( $svcnum ) { -% foreach (grep { $old->$_ != $new->$_ } qw( seconds upbytes downbytes totalbytes )) { -% my %hash = map { $_ => $new->$_ } -% grep { $new->$_ } -% qw( seconds upbytes downbytes totalbytes ); -% -% $error = $new->set_usage(\%hash); #unoverlimit and trigger radius changes -% last; #once is enough -% } -% $error ||= $new->replace($old); -%} else { -% $error = $new->insert; -% $svcnum = $new->svcnum; -%} -% %if ( $error ) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). "svc_acct.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "svc_acct.cgi?". $cgi->query_string ) %> %} else { -% print $cgi->redirect(popurl(3). "view/svc_acct.cgi?" . $svcnum ); +<% $cgi->redirect(popurl(3). "view/svc_acct.cgi?" . 
$svcnum ) %> %} -% -% +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific? + +$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; +my $svcnum = $1; + +my $old; +if ( $svcnum ) { + $old = qsearchs('svc_acct', { 'svcnum' => $svcnum } ) + or die "fatal: can't find account (svcnum $svcnum)!"; +} else { + $old = ''; +} + +#unmunge popnum +$cgi->param('popnum', (split(/:/, $cgi->param('popnum') ))[0] ); + +#unmunge passwd +if ( $cgi->param('_password') eq '*HIDDEN*' ) { + die "fatal: no previous account to recall hidden password from!" unless $old; + $cgi->param('_password',$old->getfield('_password')); +} + +#unmunge usergroup +$cgi->param('usergroup', [ $cgi->param('radius_usergroup') ] ); + +#unmunge bytecounts +foreach (map { $_,$_."_threshold" } qw( upbytes downbytes totalbytes )) { + $cgi->param($_, FS::UI::bytecount::parse_bytecount($cgi->param($_)) ); +} + +my %hash = $svcnum ? $old->hash : (); +map { + $hash{$_} = scalar($cgi->param($_)); + #} qw(svcnum pkgnum svcpart username _password popnum uid gid finger dir + # shell quota slipip) + } (fields('svc_acct'), qw ( pkgnum svcpart usergroup )); +my $new = new FS::svc_acct ( \%hash ); + +my $error; +if ( $svcnum ) { + foreach (grep { $old->$_ != $new->$_ } qw( seconds upbytes downbytes totalbytes )) { + my %hash = map { $_ => $new->$_ } + grep { $new->$_ } + qw( seconds upbytes downbytes totalbytes ); + + $error = $new->set_usage(\%hash); #unoverlimit and trigger radius changes + last; #once is enough + } + $error ||= $new->replace($old); +} else { + $error = $new->insert; + $svcnum = $new->svcnum; +} + diff --git a/httemplate/edit/process/svc_acct_pop.cgi b/httemplate/edit/process/svc_acct_pop.cgi index 9e9df7bf0..75b89c88f 100755 --- a/httemplate/edit/process/svc_acct_pop.cgi +++ b/httemplate/edit/process/svc_acct_pop.cgi 
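Review bot: The error branch of svc_acct.cgi builds its redirect from `$cgi->query_string` after the `#unmunge passwd` step has replaced `*HIDDEN*` with `$old->getfield('_password')`, so a failed edit sends the stored password back in the Location URL. From there it ends up in browser history and in proxy and web server logs. I would record `my $pw_hidden = $cgi->param('_password') eq '*HIDDEN*';` before the unmunge and run `$cgi->param('_password', '*HIDDEN*') if $pw_hidden;` next to `$cgi->param('error', $error);`. A newly typed password still travels in the query string on error, so keeping that form state out of the URL altogether would close the rest.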
@@ -1,29 +1,30 @@ -% -% -%my $popnum = $cgi->param('popnum'); -% -%my $old = qsearchs('svc_acct_pop',{'popnum'=>$popnum}) if $popnum; -% -%my $new = new FS::svc_acct_pop ( { -% map { -% $_, scalar($cgi->param($_)); -% } fields('svc_acct_pop') -%} ); -% -%my $error = ''; -%if ( $popnum ) { -% $error = $new->replace($old); -%} else { -% $error = $new->insert; -% $popnum=$new->getfield('popnum'); -%} -% %if ( $error ) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). "svc_acct_pop.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "svc_acct_pop.cgi?". $cgi->query_string ) %> %} else { -% print $cgi->redirect(popurl(3). "browse/svc_acct_pop.cgi"); +<% $cgi->redirect(popurl(3). "browse/svc_acct_pop.cgi") %> %} -% -% +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Configuration'); + +my $popnum = $cgi->param('popnum'); + +my $old = qsearchs('svc_acct_pop',{'popnum'=>$popnum}) if $popnum; + +my $new = new FS::svc_acct_pop ( { + map { + $_, scalar($cgi->param($_)); + } fields('svc_acct_pop') +} ); + +my $error = ''; +if ( $popnum ) { + $error = $new->replace($old); +} else { + $error = $new->insert; + $popnum=$new->getfield('popnum'); +} + diff --git a/httemplate/edit/process/svc_broadband.cgi b/httemplate/edit/process/svc_broadband.cgi index cf4604639..8600da349 100644 --- a/httemplate/edit/process/svc_broadband.cgi +++ b/httemplate/edit/process/svc_broadband.cgi 
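Review bot: `popnum` is taken straight from the request and `$old` is declared with `my ... if $popnum`, whereas the sibling pages untaint their key with `/^(\d*)$/`. Perl documents `my $x = ... if COND` as undefined behaviour, and in a persistent interpreter the variable can keep a value from an earlier call; also, when the lookup finds nothing, `undef` is passed to `$new->replace($old)`. I would write `$cgi->param('popnum') =~ /^(\d*)$/ or die "Illegal popnum!"; my $popnum = $1;` and `my $old = $popnum ? qsearchs('svc_acct_pop',{'popnum'=>$popnum}) : '';`, then `die` when `$popnum` is set and `$old` is false, as svc_broadband.cgi does. The same `my $old = qsearchs(...) if $svcnum;` form, also without a not-found check, is in the svc_external.cgi and svc_forward.cgi hunks.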
@@ -1,37 +1,38 @@ -% -% -%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; -%my $svcnum = $1; -% -%my $old; -%if ( $svcnum ) { -% $old = qsearchs('svc_broadband', { 'svcnum' => $svcnum } ) -% or die "fatal: can't find broadband service (svcnum $svcnum)!"; -%} else { -% $old = ''; -%} -% -%my $new = new FS::svc_broadband ( { -% map { -% ($_, scalar($cgi->param($_))); -% } ( fields('svc_broadband'), qw( pkgnum svcpart ) ) -%} ); -% -%my $error; -%if ( $svcnum ) { -% $error = $new->replace($old); -%} else { -% $error = $new->insert; -% $svcnum = $new->svcnum; -%} -% %if ( $error ) { % $cgi->param('error', $error); % $cgi->param('ip_addr', $new->ip_addr); -% print $cgi->redirect(popurl(2). "svc_broadband.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "svc_broadband.cgi?". $cgi->query_string ) %> %} else { -% print $cgi->redirect(popurl(3). "view/svc_broadband.cgi?" . $svcnum ); +<% $cgi->redirect(popurl(3). "view/svc_broadband.cgi?" . $svcnum ) %> %} -% -% +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific? + +$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; +my $svcnum = $1; + +my $old; +if ( $svcnum ) { + $old = qsearchs('svc_broadband', { 'svcnum' => $svcnum } ) + or die "fatal: can't find broadband service (svcnum $svcnum)!"; +} else { + $old = ''; +} + +my $new = new FS::svc_broadband ( { + map { + ($_, scalar($cgi->param($_))); + } ( fields('svc_broadband'), qw( pkgnum svcpart ) ) +} ); + +my $error; +if ( $svcnum ) { + $error = $new->replace($old); +} else { + $error = $new->insert; + $svcnum = $new->svcnum; +} + diff --git a/httemplate/edit/process/svc_domain.cgi b/httemplate/edit/process/svc_domain.cgi index 773143fe3..9993a879e 100755 --- a/httemplate/edit/process/svc_domain.cgi +++ b/httemplate/edit/process/svc_domain.cgi 
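Review bot: The check added to svc_broadband.cgi establishes only that the user holds 'Provision customer service'; the record fetched by `svcnum` is then replaced without being compared with anything that user is scoped to. If `qsearchs` does not already restrict results to the current user's agents (not visible here), any holder of the right can edit another customer's service by changing the number. I would add `# TODO: confirm the service's customer belongs to an agent this user may act for` after the lookup and resolve it before relying on this check, which is also what the trailing `#something else more specific?` hints at. The svc_acct.cgi, svc_external.cgi, svc_forward.cgi and svc_www.cgi hunks look records up the same way.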
@@ -1,32 +1,33 @@ -% -% -%#remove this to actually test the domains! -%$FS::svc_domain::whois_hack = 1; -% -%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; -%my $svcnum = $1; -% -%my $new = new FS::svc_domain ( { -% map { -% $_, scalar($cgi->param($_)); -% #} qw(svcnum pkgnum svcpart domain action purpose) -% } ( fields('svc_domain'), qw( pkgnum svcpart action purpose ) ) -%} ); -% -%my $error = ''; -%if ($cgi->param('svcnum')) { -% $error="Can't modify a domain!"; -%} else { -% $error=$new->insert; -% $svcnum=$new->svcnum; -%} -% %if ($error) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). "svc_domain.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "svc_domain.cgi?". $cgi->query_string ) %> %} else { -% print $cgi->redirect(popurl(3). "view/svc_domain.cgi?$svcnum"); +<% $cgi->redirect(popurl(3). "view/svc_domain.cgi?$svcnum") %> %} -% -% +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific? + +#remove this to actually test the domains! +$FS::svc_domain::whois_hack = 1; + +$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; +my $svcnum = $1; + +my $new = new FS::svc_domain ( { + map { + $_, scalar($cgi->param($_)); + #} qw(svcnum pkgnum svcpart domain action purpose) + } ( fields('svc_domain'), qw( pkgnum svcpart action purpose ) ) +} ); + +my $error = ''; +if ($cgi->param('svcnum')) { + $error="Can't modify a domain!"; +} else { + $error=$new->insert; + $svcnum=$new->svcnum; +} + diff --git a/httemplate/edit/process/svc_external.cgi b/httemplate/edit/process/svc_external.cgi index 97da6ba87..673e5a5a0 100755 --- a/httemplate/edit/process/svc_external.cgi +++ b/httemplate/edit/process/svc_external.cgi 
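Review bot: `$FS::svc_domain::whois_hack = 1;` assigns a package global without `local`, so in a persistent interpreter (mod_perl, for example) the flag stays set for every later request that process serves. Going by its own comment (`#remove this to actually test the domains!`) the flag switches domain checking off, which is presumably meant for this page only; `local $FS::svc_domain::whois_hack = 1;` would confine it to this component run. Separately, the modify test reads `$cgi->param('svcnum')` again although the validated copy is already in `$svcnum`, and `if ($svcnum)` would use the untainted value.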
@@ -1,30 +1,31 @@ -% -% -%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; -%my $svcnum =$1; -% -%my $old = qsearchs('svc_external',{'svcnum'=>$svcnum}) if $svcnum; -% -%my $new = new FS::svc_external ( { -% map { -% ($_, scalar($cgi->param($_))); -% } ( fields('svc_external'), qw( pkgnum svcpart ) ) -%} ); -% -%my $error = ''; -%if ( $svcnum ) { -% $error = $new->replace($old); -%} else { -% $error = $new->insert; -% $svcnum = $new->getfield('svcnum'); -%} -% %if ($error) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). "svc_external.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "svc_external.cgi?". $cgi->query_string ) %> %} else { -% print $cgi->redirect(popurl(3). "view/svc_external.cgi?$svcnum"); +<% $cgi->redirect(popurl(3). "view/svc_external.cgi?$svcnum") %> %} -% -% +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific? + +$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; +my $svcnum =$1; + +my $old = qsearchs('svc_external',{'svcnum'=>$svcnum}) if $svcnum; + +my $new = new FS::svc_external ( { + map { + ($_, scalar($cgi->param($_))); + } ( fields('svc_external'), qw( pkgnum svcpart ) ) +} ); + +my $error = ''; +if ( $svcnum ) { + $error = $new->replace($old); +} else { + $error = $new->insert; + $svcnum = $new->getfield('svcnum'); +} + diff --git a/httemplate/edit/process/svc_forward.cgi b/httemplate/edit/process/svc_forward.cgi index 3205312f1..fffad84d6 100755 --- a/httemplate/edit/process/svc_forward.cgi +++ b/httemplate/edit/process/svc_forward.cgi 
@@ -1,30 +1,31 @@ -% -% -%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; -%my $svcnum =$1; -% -%my $old = qsearchs('svc_forward',{'svcnum'=>$svcnum}) if $svcnum; -% -%my $new = new FS::svc_forward ( { -% map { -% ($_, scalar($cgi->param($_))); -% } ( fields('svc_forward'), qw( pkgnum svcpart ) ) -%} ); -% -%my $error = ''; -%if ( $svcnum ) { -% $error = $new->replace($old); -%} else { -% $error = $new->insert; -% $svcnum = $new->getfield('svcnum'); -%} -% %if ($error) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). "svc_forward.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "svc_forward.cgi?". $cgi->query_string ) %> %} else { -% print $cgi->redirect(popurl(3). "view/svc_forward.cgi?$svcnum"); +<% $cgi->redirect(popurl(3). "view/svc_forward.cgi?$svcnum") %> %} -% -% +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific? + +$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; +my $svcnum =$1; + +my $old = qsearchs('svc_forward',{'svcnum'=>$svcnum}) if $svcnum; + +my $new = new FS::svc_forward ( { + map { + ($_, scalar($cgi->param($_))); + } ( fields('svc_forward'), qw( pkgnum svcpart ) ) +} ); + +my $error = ''; +if ( $svcnum ) { + $error = $new->replace($old); +} else { + $error = $new->insert; + $svcnum = $new->getfield('svcnum'); +} + diff --git a/httemplate/edit/process/svc_phone.html b/httemplate/edit/process/svc_phone.html index 44235de63..27a703cdf 100644 --- a/httemplate/edit/process/svc_phone.html +++ b/httemplate/edit/process/svc_phone.html @@ -2,3 +2,9 @@ 'table' => 'svc_phone', ) %> +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific? + + diff --git a/httemplate/edit/process/svc_www.cgi b/httemplate/edit/process/svc_www.cgi index e9a52aff2..f02d25305 100644 --- a/httemplate/edit/process/svc_www.cgi 
+++ b/httemplate/edit/process/svc_www.cgi @@ -1,37 +1,38 @@ -% -% -%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; -%my $svcnum = $1; -% -%my $old; -%if ( $svcnum ) { -% $old = qsearchs('svc_www', { 'svcnum' => $svcnum } ) -% or die "fatal: can't find website (svcnum $svcnum)!"; -%} else { -% $old = ''; -%} -% -%my $new = new FS::svc_www ( { -% map { -% ($_, scalar($cgi->param($_))); -% #} qw(svcnum pkgnum svcpart recnum usersvc) -% } ( fields('svc_www'), qw( pkgnum svcpart ) ) -%} ); -% -%my $error; -%if ( $svcnum ) { -% $error = $new->replace($old); -%} else { -% $error = $new->insert; -% $svcnum = $new->svcnum; -%} -% %if ( $error ) { % $cgi->param('error', $error); -% print $cgi->redirect(popurl(2). "svc_www.cgi?". $cgi->query_string ); +<% $cgi->redirect(popurl(2). "svc_www.cgi?". $cgi->query_string ) %> %} else { -% print $cgi->redirect(popurl(3). "view/svc_www.cgi?" . $svcnum ); +<% $cgi->redirect(popurl(3). "view/svc_www.cgi?" . $svcnum ) %> %} -% -% +<%init> + +die "access denied" + unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific? + +$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!"; +my $svcnum = $1; + +my $old; +if ( $svcnum ) { + $old = qsearchs('svc_www', { 'svcnum' => $svcnum } ) + or die "fatal: can't find website (svcnum $svcnum)!"; +} else { + $old = ''; +} + +my $new = new FS::svc_www ( { + map { + ($_, scalar($cgi->param($_))); + #} qw(svcnum pkgnum svcpart recnum usersvc) + } ( fields('svc_www'), qw( pkgnum svcpart ) ) +} ); + +my $error; +if ( $svcnum ) { + $error = $new->replace($old); +} else { + $error = $new->insert; + $svcnum = $new->svcnum; +} + -- cgit v1.2.1