my $link = $cgi->param('popup') ? 'popup' : '';
+my $payby = $cgi->param('payby');
+
+my @rights = ();
+push @rights, 'Post refund' if $payby =~ /^(BILL|CASH|MCRD|MCHK)$/;
+push @rights, 'Post check refund' if $payby eq 'BILL';
+push @rights, 'Post cash refund ' if $payby eq 'CASH';
+push @rights, 'Refund payment' if $payby =~ /^(CARD|CHEK)$/;
+push @rights, 'Refund credit card payment' if $payby eq 'CARD';
+push @rights, 'Refund Echeck payment' if $payby eq 'CHEK';
+
+die "access denied"
+ unless $FS::CurrentUser::CurrentUser->access_right(\@rights);
+
my $error = '';
-if ( $cgi->param('payby') =~ /^(CARD|CHEK)$/ ) {
+if ( $payby =~ /^(CARD|CHEK)$/ ) {
my %options = ();
my $bop = $FS::payby::payby2bop{$1};
$cgi->param('refund') =~ /^(\d*)(\.\d{2})?$/