1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
|
package FS::AccessRight;
use strict;
use vars qw(@rights); # %rights);
use Tie::IxHash;
=head1 NAME
FS::AccessRight - Access control rights.
=head1 SYNOPSIS
use FS::AccessRight;
my @rights = FS::AccessRight->rights;
#my %rights = FS::AccessRight->rights_categorized;
tie my %rights, 'Tie::IxHash', FS::AccessRight->rights_categorized;
foreach my $category ( keys %rights ) {
my @category_rights = @{ $rights{$category} };
}
=head1 DESCRIPTION
Access control rights - Permission to perform specific actions that can be
assigned to users and/or groups.
=cut
#@rights = (
# 'Reports' => [
# '_desc' => 'Access to high-level reporting',
# ],
# 'Configuration' => [
# '_desc' => 'Access to configuration',
#
# 'Settings' => {},
#
# 'agent' => [
# '_desc' => 'Master access to reseller configuration',
# 'agent_type' => {},
# 'agent' => {},
# ],
#
# 'export_svc_pkg' => [
# '_desc' => 'Access to export, service and package configuration',
# 'part_export' => {},
# 'part_svc' => {},
# 'part_pkg' => {},
# 'pkg_class' => {},
# ],
#
# 'billing' => [
# '_desc' => 'Access to billing configuration',
# 'payment_gateway' => {},
# 'part_bill_event' => {},
# 'prepay_credit' => {},
# 'rate' => {},
# 'cust_main_county' => {},
# ],
#
# 'dialup' => [
# '_desc' => 'Access to dialup configuraiton',
# 'svc_acct_pop' => {},
# ],
#
# 'broadband' => [
# '_desc' => 'Access to broadband configuration',
# 'router' => {},
# 'addr_block' => {},
# ],
#
# 'misc' => [
# 'part_referral' => {},
# 'part_virtual_field' => {},
# 'msgcat' => {},
# 'inventory_class' => {},
# ],
#
# },
#
#);
#
##turn it into a more hash-like structure, but ordered via IxHash
#well, this is what we have for now. getting better.
tie my %rights, 'Tie::IxHash',
###
# basic customer rights
###
'Customer rights' => [
'New customer',
'View customer',
#'View Customer | View tickets',
'Edit customer',
'View customer history',
'Cancel customer',
'Complimentary customer', #aka users-allow_comp
{ rightname=>'Delete customer', desc=>"Enable customer deletions. Be very careful! Deleting a customer will remove all traces that this customer ever existed! It should probably only be used when auditing a legacy database. Normally, you cancel all of a customer's packages if they cancel service." }, #aka. deletecustomers
'Bill customer now', #NEW
'Bulk send customer notices', #NEW
],
###
# customer package rights
###
'Customer package rights' => [
'View customer packages', #NEW
'Order customer package',
'One-time charge',
'Change customer package',
'Bulk change customer packages',
'Edit customer package dates',
'Customize customer package',
'Suspend customer package',
'Suspend customer package later',
'Unsuspend customer package',
'Cancel customer package immediately',
'Cancel customer package later',
'Delay suspension events',
'Add on-the-fly cancel reason', #NEW
'Add on-the-fly suspend reason', #NEW
'Edit customer package invoice details', #NEW
'Edit customer package comments', #NEW
],
###
# customer service rights
###
'Customer service rights' => [
'View customer services', #NEW
'Provision customer service',
'Recharge customer service', #NEW
'Unprovision customer service',
'Change customer service', #NEWNEW
'Edit usage', #NEW
'Edit home dir', #NEW
'Edit www config', #NEW
'Edit domain catchall', #NEW
'Edit domain nameservice', #NEW
'Manage domain registration',
{ rightname=>'View/link unlinked services', global=>1 }, #not agent-virtualizable without more work
],
###
# customer invoice/financial info rights
###
'Customer invoice / financial info rights' => [
'View invoices',
'Resend invoices', #NEWNEW
'Delete invoices', #new, but no need to phase in
'View customer tax exemptions', #yow
'Add customer tax adjustment', #new, but no need to phase in
'View customer batched payments', #NEW
'View customer pending payments', #NEW
'Edit customer pending payments', #NEW
'View customer billing events', #NEW
],
###
# customer payment rights
###
'Customer payment rights' => [
'Post payment',
'Post payment batch',
'Apply payment', #NEWNEW
{ rightname=>'Unapply payment', desc=>'Enable "unapplication" of unclosed payments from specific invoices.' }, #aka. unapplypayments
'Process payment',
{ rightname=>'Refund payment', desc=>'Enable refund of existing customer payments.' },
{ rightname=>'Delete payment', desc=>'Enable deletion of unclosed payments. Be very careful! Only delete payments that were data-entry errors, not adjustments.' }, #aka. deletepayments Optionally specify one or more comma-separated email addresses to be notified when a payment is deleted.
],
###
# customer credit rights
###
'Customer credit and refund rights' => [
'Post credit',
'Apply credit', #NEWNEW
{ rightname=>'Unapply credit', desc=>'Enable "unapplication" of unclosed credits.' }, #aka unapplycredits
{ rightname=>'Delete credit', desc=>'Enable deletion of unclosed credits. Be very careful! Only delete credits that were data-entry errors, not adjustments.' }, #aka. deletecredits Optionally specify one or more comma-separated email addresses to be notified when a credit is deleted.
{ rightname=>'Post refund', desc=>'Enable posting of check and cash refunds.' },
# { rightname=>'Process refund', desc=>'Enable processing of generic credit card/ACH refunds (i.e. not associated with a specific prior payment).' },
'Delete refund', #NEW
'Add on-the-fly credit reason', #NEW
],
###
# customer voiding rights..
###
'Customer void rights' => [
{ rightname=>'Credit card void', desc=>'Enable local-only voiding of echeck payments in addition to refunds against the payment gateway.' }, #aka. cc-void
{ rightname=>'Echeck void', desc=>'Enable local-only voiding of echeck payments in addition to refunds against the payment gateway.' }, #aka. echeck-void
'Regular void',
{ rightname=>'Unvoid', desc=>'Enable unvoiding of voided payments' }, #aka. unvoid
],
###
# note/attachment rights...
###
'Customer note and attachment rights' => [
'Add customer note', #NEW
'Edit customer note', #NEW
'Download attachment', #NEW
'Add attachment', #NEW
'Edit attachment', #NEW
'Delete attachment', #NEW
'View deleted attachments', #NEW
'Undelete attachment', #NEW
'Purge attachment', #NEW
],
###
# report/listing rights...
###
'Reporting/listing rights' => [
'List customers',
'List zip codes', #NEW
'List invoices',
'List packages',
'List services',
{ rightname=> 'List rating data', desc=>'Usage reports', global=>1 },
'Billing event reports',
'Receivables report',
'Financial reports',
],
###
# misc rights
###
'Miscellaneous rights' => [
{ rightname=>'Job queue', global=>1 },
{ rightname=>'Time queue', global=>1 },
{ rightname=>'Process batches', global=>1 },
{ rightname=>'Reprocess batches', global=>1 },
{ rightname=>'Redownload resolved batches', global=>1 },
{ rightname=>'Import', global=>1 }, #some of these are ag-virt'ed now? give em their own ACLs
{ rightname=>'Export', global=>1 },
{ rightname=> 'Edit rating data', desc=>'Delete CDRs', global=>1 },
#],
#
###
# misc misc rights
###
#'Database access rights' => [
{ rightname=>'Raw SQL', global=>1 }, #NEW
],
###
# setup/config rights
###
'Configuration rights' => [
'Edit advertising sources',
{ rightname=>'Edit global advertising sources', global=>1 },
'Edit package definitions',
{ rightname=>'Edit global package definitions', global=>1 },
'Edit billing events',
{ rightname=>'Edit global billing events', global=>1 },
{ rightname=>'Dialup configuration' },
{ rightname=>'Dialup global configuration', global=>1 },
{ rightname=>'Broadband configuration' },
{ rightname=>'Broadband global configuration', global=>1 },
{ rightname=>'Configuration', global=>1 }, #most of the rest of the configuraiton is not agent-virtualized
{ rightname=>'Configuration download', }, #description of how it affects
#search/elements/search.html
],
;
=head1 CLASS METHODS
=over 4
=item rights
Returns the full list of right names.
=cut
sub rights {
#my $class = shift;
map { ref($_) ? $_->{'rightname'} : $_ } map @{ $rights{$_} }, keys %rights;
}
=item default_superuser_rights
Most (but not all) right names.
=cut
sub default_superuser_rights {
my $class = shift;
my %omit = map { $_=>1 } (
'Delete customer',
'Delete invoices',
'Delete payment',
'Delete credit', #?
'Delete refund', #?
'Time queue',
'Redownload resolved batches',
'Raw SQL',
'Configuration download',
);
no warnings 'uninitialized';
grep { ! $omit{$_} } $class->rights;
}
=item rights_info
Returns a list of key-value pairs suitable for assigning to a hash. Keys are
category names and values are list references of rights. Each element of the
list reference scalar right name or a hashref with the following keys:
=over 4
=item rightname - Right name
=item desc - Extended right description
=item global - Global flag, indicates that this access right provides access to global data which is shared among all agents.
=back
=cut
sub rights_info {
%rights;
}
=back
=head1 BUGS
Damn those infernal six-legged creatures!
=head1 SEE ALSO
L<FS::access_right>, L<FS::access_group>, L<FS::access_user>
=cut
1;
|
