X-Git-Url: http://git.freeside.biz/gitweb/?a=blobdiff_plain;f=httemplate%2Fedit%2Fprocess%2Fquick-cust_pkg.cgi;h=2aec344c57f1fdc57826195dcadd05b0554176e6;hb=ca292755ee3fc2027707b046352414e06ad45584;hp=66d02e307bc0b3aa04cf8fc4746a53101295a1cc;hpb=9509e5bfb7f9331303153cac24d7bfecbe2ea9f1;p=freeside.git

diff --git a/httemplate/edit/process/quick-cust_pkg.cgi b/httemplate/edit/process/quick-cust_pkg.cgi
index 66d02e307..2aec344c5 100644
--- a/httemplate/edit/process/quick-cust_pkg.cgi
+++ b/httemplate/edit/process/quick-cust_pkg.cgi
@@ -1,17 +1,6 @@
-%#untaint custnum
-%$cgi->param('custnum') =~ /^(\d+)$/
-%  or die 'illegal custnum '. $cgi->param('custnum');
-%my $custnum = $1;
-%$cgi->param('pkgpart') =~ /^(\d+)$/
-%  or die 'illegal pkgpart '. $cgi->param('pkgpart');
-%my $pkgpart = $1;
-%
-%my @cust_pkg = ();
-%my $error = FS::cust_pkg::order($custnum, [ $pkgpart ], [], \@cust_pkg, [ $cgi->param('refnum') ] );
-%
 %if ($error) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). 'misc/order_pkg.html?'. $cgi->query_string );
+<% $cgi->redirect(popurl(3). 'misc/order_pkg.html?'. $cgi->query_string ) %>
 %} else {
 %  my $frag = "cust_pkg". $cust_pkg[0]->pkgnum;
 <% header('Package ordered') %>
@@ -25,3 +14,20 @@
 
   </BODY></HTML>
 %}
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Order customer package');
+
+#untaint custnum
+$cgi->param('custnum') =~ /^(\d+)$/
+  or die 'illegal custnum '. $cgi->param('custnum');
+my $custnum = $1;
+$cgi->param('pkgpart') =~ /^(\d+)$/
+  or die 'illegal pkgpart '. $cgi->param('pkgpart');
+my $pkgpart = $1;
+
+my @cust_pkg = ();
+my $error = FS::cust_pkg::order($custnum, [ $pkgpart ], [], \@cust_pkg, [ $cgi->param('refnum') ] );
+
+</%init>