From 0930d22ffc440f80c1b222b2e750cadbabd9e8f6 Mon Sep 17 00:00:00 2001
From: ivan <ivan>
Date: Sun, 13 Jan 2008 21:35:54 +0000
Subject: [PATCH] ACLs

---
 httemplate/edit/REAL_cust_pkg.cgi                  |  12 +-
 httemplate/edit/access_user.html                   |   6 +
 httemplate/edit/agent.cgi                          |   6 +-
 httemplate/edit/agent_payment_gateway.html         |  37 +-
 httemplate/edit/agent_type.cgi                     |  39 +-
 httemplate/edit/bulk-cust_svc.html                 |  14 +-
 httemplate/edit/cust_bill_pay.cgi                  |  13 +-
 httemplate/edit/cust_credit.cgi                    |   9 +-
 httemplate/edit/cust_credit_bill.cgi               |   9 +-
 httemplate/edit/cust_main.cgi                      | 196 +++++----
 httemplate/edit/cust_main_county-expand.cgi        |   3 +
 httemplate/edit/cust_main_note.cgi                 |  19 +-
 httemplate/edit/cust_pay.cgi                       |   7 +-
 httemplate/edit/cust_pkg.cgi                       |  69 ++--
 httemplate/edit/cust_refund.cgi                    |  61 +--
 httemplate/edit/inventory_class.html               |   6 +
 httemplate/edit/part_bill_event.cgi                |  69 ++--
 httemplate/edit/part_export.cgi                    | 215 +++++-----
 httemplate/edit/part_pkg.cgi                       |  15 +-
 httemplate/edit/part_referral.html                 |   7 +
 httemplate/edit/part_svc.cgi                       |  71 ++--
 httemplate/edit/part_virtual_field.cgi             |  53 +--
 httemplate/edit/payment_gateway.html               |  46 +--
 httemplate/edit/pkg_class.html                     |   6 +
 httemplate/edit/prepay_credit.cgi                  |  75 ++--
 httemplate/edit/process/REAL_cust_pkg.cgi          |  57 +--
 httemplate/edit/process/access_user.html           |   6 +
 httemplate/edit/process/agent.cgi                  |  49 +--
 httemplate/edit/process/agent_payment_gateway.html |  53 +--
 httemplate/edit/process/agent_type.cgi             |  62 ++-
 httemplate/edit/process/bulk-cust_svc.cgi          |  11 +-
 httemplate/edit/process/cust_bill_pay.cgi          |  84 ++--
 httemplate/edit/process/cust_credit.cgi            |  73 ++--
 httemplate/edit/process/cust_credit_bill.cgi       |  86 ++--
 httemplate/edit/process/cust_main.cgi              |   3 +
 .../edit/process/cust_main_county-collapse.cgi     |   8 +
 .../edit/process/cust_main_county-expand.cgi       |   3 +
 httemplate/edit/process/cust_main_county.html      |   7 +
 httemplate/edit/process/cust_main_note.cgi         |  84 ++--
 httemplate/edit/process/cust_pay.cgi               |  61 ++-
 httemplate/edit/process/cust_pkg.cgi               |  15 +-
 httemplate/edit/process/cust_refund.cgi            |  73 ++--
 httemplate/edit/process/cust_svc.cgi               |  50 +--
 httemplate/edit/process/domain_record.cgi          |  54 ++-
 httemplate/edit/process/generic.cgi                | 140 ++++---
 httemplate/edit/process/inventory_class.html       |   6 +
 httemplate/edit/process/msgcat.cgi                 |  33 +-
 httemplate/edit/process/part_bill_event.cgi        | 173 ++++----
 httemplate/edit/process/part_export.cgi            |  71 ++--
 httemplate/edit/process/part_pkg.cgi               | 196 ++++-----
 httemplate/edit/process/part_referral.html         |   7 +
 httemplate/edit/process/part_svc.cgi               |  11 +-
 httemplate/edit/process/payment_gateway.html       |  59 +--
 httemplate/edit/process/pkg_class.html             |   6 +
 httemplate/edit/process/prepay_credit.cgi          |   8 +-
 httemplate/edit/process/quick-charge.cgi           |  83 ++--
 httemplate/edit/process/quick-cust_pkg.cgi         |  30 +-
 httemplate/edit/process/rate.cgi                   |  11 +-
 httemplate/edit/process/reason.html                |   6 +
 httemplate/edit/process/reason_type.html           |   6 +
 httemplate/edit/process/reg_code.cgi               |  64 ++-
 httemplate/edit/process/router.cgi                 |   8 +-
 httemplate/edit/process/svc_Common.html            |  15 +-
 httemplate/edit/process/svc_acct.cgi               | 117 +++---
 httemplate/edit/process/svc_acct_pop.cgi           |  49 +--
 httemplate/edit/process/svc_broadband.cgi          |  63 +--
 httemplate/edit/process/svc_domain.cgi             |  55 +--
 httemplate/edit/process/svc_external.cgi           |  51 +--
 httemplate/edit/process/svc_forward.cgi            |  51 +--
 httemplate/edit/process/svc_phone.html             |   6 +
 httemplate/edit/process/svc_www.cgi                |  65 +--
 httemplate/edit/quick-charge.html                  |   3 +
 httemplate/edit/rate.cgi                           |   1 -
 httemplate/edit/rate_region.cgi                    |   2 +-
 httemplate/edit/reason.html                        |   6 +
 httemplate/edit/reason_type.html                   |  17 +-
 httemplate/edit/reg_code.cgi                       |  29 +-
 httemplate/edit/router.cgi                         |  54 +--
 httemplate/edit/svc_Common.html                    |  15 +-
 httemplate/edit/svc_acct.cgi                       | 264 ++++++------
 httemplate/edit/svc_acct_pop.cgi                   | 105 +++--
 httemplate/edit/svc_broadband.cgi                  | 183 +++++----
 httemplate/edit/svc_domain.cgi                     | 132 +++---
 httemplate/edit/svc_external.cgi                   | 195 ++++-----
 httemplate/edit/svc_forward.cgi                    | 219 +++++-----
 httemplate/edit/svc_phone.cgi                      |   6 +
 httemplate/edit/svc_www.cgi                        | 455 +++++++++++----------
 87 files changed, 2614 insertions(+), 2364 deletions(-)

diff --git a/httemplate/edit/REAL_cust_pkg.cgi b/httemplate/edit/REAL_cust_pkg.cgi
index fe6984673..fea85456f 100755
--- a/httemplate/edit/REAL_cust_pkg.cgi
+++ b/httemplate/edit/REAL_cust_pkg.cgi
@@ -2,7 +2,6 @@
 
 %#, menubar(
 %#  "View this customer (#$custnum)" => popurl(2). "view/cust_main.cgi?$custnum",
-%#  'Main Menu' => popurl(2)
 %#));
 
 <LINK REL="stylesheet" TYPE="text/css" HREF="../elements/calendar-win2k-2.css" TITLE="win2k-2">
@@ -13,9 +12,12 @@
 <FORM NAME="formname" ACTION="process/REAL_cust_pkg.cgi" METHOD="POST">
 <INPUT TYPE="hidden" NAME="pkgnum" VALUE="<% $pkgnum %>">
 
+% # raw error from below
 % if ( $error ) { 
   <FONT SIZE="+1" COLOR="#ff0000">Error: <% $error %></FONT>
 % } 
+% #or, regular error handler
+<% include('/elements/error.html') %>
 
 <% ntable("#cccccc",2) %>
 
@@ -122,16 +124,19 @@ my $format = "%m/%d/%Y %T %z (%Z)";
 </%once>
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit customer package dates');
+
 my $error = '';
 my( $pkgnum, $cust_pkg );
 
 if ( $cgi->param('error') ) {
 
-  $error = $cgi->param('error');
   $pkgnum = $cgi->param('pkgnum');
-  if ( $error eq '_bill_areyousure' ) {
+  if ( $cgi->param('error') eq '_bill_areyousure' ) {
     if ( $cgi->param('bill') =~ /^([\s\d\/\:\-\(\w\)]*)$/ ) {
       my $bill = $1;
+      $cgi->param('error', '');
       $error = "You are attempting to set the next bill date to $bill, which is
                 in the past.  This will charge the customer for the interval
                 from $bill until now.  Are you sure you want to do this? ".
@@ -174,4 +179,3 @@ unless ( $part_pkg->is_prepaid ) {
 }
 
 </%init>
-
diff --git a/httemplate/edit/access_user.html b/httemplate/edit/access_user.html
index 065e60c4b..224d8d722 100644
--- a/httemplate/edit/access_user.html
+++ b/httemplate/edit/access_user.html
@@ -42,3 +42,9 @@
                    },
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/agent.cgi b/httemplate/edit/agent.cgi
index 46ab5c705..11bfc5932 100755
--- a/httemplate/edit/agent.cgi
+++ b/httemplate/edit/agent.cgi
@@ -1,5 +1,4 @@
 <% include("/elements/header.html","$action Agent", menubar(
-  'Main Menu' => $p,
   'View all agents' => $p. 'browse/agent.cgi',
 )) %>
 
@@ -77,6 +76,9 @@ Agent #<% $agent->agentnum ? $agent->agentnum : "(NEW)" %>
 
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
 my $agent;
 if ( $cgi->param('error') ) {
   $agent = new FS::agent ( {
@@ -94,5 +96,3 @@ my $action = $agent->agentnum ? 'Edit' : 'Add';
 my $conf = new FS::Conf;
 
 </%init>
-
-
diff --git a/httemplate/edit/agent_payment_gateway.html b/httemplate/edit/agent_payment_gateway.html
index 9692199ef..4a7cedf79 100644
--- a/httemplate/edit/agent_payment_gateway.html
+++ b/httemplate/edit/agent_payment_gateway.html
@@ -1,20 +1,4 @@
-%
-%
-%$cgi->param('agentnum') =~ /(\d+)$/ or die "illegal agentnum";
-%my $agent = qsearchs('agent', { 'agentnum' => $1 } );
-%die "agentnum $1 not found" unless $agent;
-%
-%#my @agent_payment_gateway;
-%if ( $cgi->param('error') ) {
-%}
-%
-%my $action = 'Add';
-%
-%
-
-
 <% include("/elements/header.html","$action payment gateway override for ". $agent->agent,  menubar(
-  'Main Menu' => $p,
   #'View all payment gateways' => $p. 'browse/payment_gateway.html',
   'View all agents' => $p. 'browse/agent.html',
 )) %>
@@ -63,5 +47,22 @@ for <SELECT NAME="cardtype" MULTIPLE>
 
 <INPUT TYPE="submit" VALUE="Add gateway override">
 </FORM>
-</BODY>
-</HTML>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+$cgi->param('agentnum') =~ /(\d+)$/ or die "illegal agentnum";
+my $agent = qsearchs('agent', { 'agentnum' => $1 } );
+die "agentnum $1 not found" unless $agent;
+
+#my @agent_payment_gateway;
+if ( $cgi->param('error') ) {
+}
+
+my $action = 'Add';
+
+</%init>
diff --git a/httemplate/edit/agent_type.cgi b/httemplate/edit/agent_type.cgi
index bfef42fea..abf4bf89f 100755
--- a/httemplate/edit/agent_type.cgi
+++ b/httemplate/edit/agent_type.cgi
@@ -1,22 +1,4 @@
-%
-%
-%my($agent_type);
-%if ( $cgi->param('error') ) {
-%  $agent_type = new FS::agent_type ( {
-%    map { $_, scalar($cgi->param($_)) } fields('agent')
-%  } );
-%} elsif ( $cgi->keywords ) { #editing
-%  my( $query ) = $cgi->keywords;
-%  $query =~ /^(\d+)$/;
-%  $agent_type=qsearchs('agent_type',{'typenum'=>$1});
-%} else { #adding
-%  $agent_type = new FS::agent_type {};
-%}
-%my $action = $agent_type->typenum ? 'Edit' : 'Add';
-%
-%
 <% include("/elements/header.html","$action Agent Type", menubar(
-  'Main Menu' => "$p",
   'View all agent types' => "${p}browse/agent_type.cgi",
 ))
 %>
@@ -52,3 +34,24 @@ Select which packages agents of this type may sell to customers<BR>
     </FORM>
 
 <% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my($agent_type);
+if ( $cgi->param('error') ) {
+  $agent_type = new FS::agent_type ( {
+    map { $_, scalar($cgi->param($_)) } fields('agent')
+  } );
+} elsif ( $cgi->keywords ) { #editing
+  my( $query ) = $cgi->keywords;
+  $query =~ /^(\d+)$/;
+  $agent_type=qsearchs('agent_type',{'typenum'=>$1});
+} else { #adding
+  $agent_type = new FS::agent_type {};
+}
+my $action = $agent_type->typenum ? 'Edit' : 'Add';
+
+</%init>
diff --git a/httemplate/edit/bulk-cust_svc.html b/httemplate/edit/bulk-cust_svc.html
index f2efc3ff9..6f6e3f850 100644
--- a/httemplate/edit/bulk-cust_svc.html
+++ b/httemplate/edit/bulk-cust_svc.html
@@ -1,9 +1,4 @@
-<% include("/elements/header.html", 'Bulk customer service change',
-            menubar(
-                     'Main Menu' => $p,
-                   ),
-          )
-%>
+<% include('/elements/header.html', 'Bulk customer service change') %>
 
 <SCRIPT TYPE="text/javascript" SRC="../elements/overlibmws.js"></SCRIPT>
 <SCRIPT TYPE="text/javascript" SRC="../elements/overlibmws_iframe.js"></SCRIPT>
@@ -92,8 +87,11 @@ var confirm_change = '<P ALIGN="center"><B>Bulk customer service change - Are yo
 
 </FORM>
 
-</BODY>
-</HTML>
+<% include('/elements/footer.html') %>
 
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
 
+</%init>
diff --git a/httemplate/edit/cust_bill_pay.cgi b/httemplate/edit/cust_bill_pay.cgi
index 44e783eb7..28c14618f 100755
--- a/httemplate/edit/cust_bill_pay.cgi
+++ b/httemplate/edit/cust_bill_pay.cgi
@@ -1,4 +1,4 @@
-<% header("Apply Payment", '') %>
+<% include('/elements/header-popup.html', 'Apply Payment') %>
 
 <% include('/elements/error.html') %>
 
@@ -47,10 +47,15 @@ function changed(what) {
 <CENTER><INPUT TYPE="submit" VALUE="Apply"></CENTER>
 
 </FORM>
-</BODY>
-</HTML>
+
+<% include('/elements/footer.html') %>
 
 <%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Apply payment') #;
+      || $FS::CurrentUser::CurrentUser->access_right('Post payment'): #remove after 1.7.3
+
 my($paynum, $amount, $invnum);
 if ( $cgi->param('error') ) {
   $paynum = $cgi->param('paynum');
@@ -78,5 +83,5 @@ my @cust_bill = sort {    $a->_date  <=> $b->_date
                      }
                 grep { $_->owed != 0 }
                 qsearch('cust_bill', { 'custnum' => $cust_pay->custnum } );
-</%init>
 
+</%init>
diff --git a/httemplate/edit/cust_credit.cgi b/httemplate/edit/cust_credit.cgi
index 2ff09d00b..36109cf5d 100755
--- a/httemplate/edit/cust_credit.cgi
+++ b/httemplate/edit/cust_credit.cgi
@@ -48,12 +48,16 @@ Credit
 </FORM>
 </BODY>
 </HTML>
-
 <%once>
+
 my $conf = new FS::Conf;
-</%once>
 
+</%once>
 <%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Post credit');
+
 my($custnum, $amount, $reason);
 if ( $cgi->param('error') ) {
   #$cust_credit = new FS::cust_credit ( {
@@ -76,4 +80,5 @@ my $_date = time;
 my $otaker = getotaker;
 
 my $p1 = popurl(1);
+
 </%init>
diff --git a/httemplate/edit/cust_credit_bill.cgi b/httemplate/edit/cust_credit_bill.cgi
index ee29f8e0c..43ba4fb7e 100755
--- a/httemplate/edit/cust_credit_bill.cgi
+++ b/httemplate/edit/cust_credit_bill.cgi
@@ -1,4 +1,4 @@
-<%  header("Apply Credit", '') %>
+<% include('/elements/header-popup.html', 'Apply Credit') %>
 
 <% include('/elements/error.html') %>
 
@@ -53,6 +53,11 @@ function changed(what) {
 </HTML>
 
 <%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Apply credit') #;
+      || $FS::CurrentUser::CurrentUser->access_right('Post credit'): #remove after 1.7.3
+
 my($crednum, $amount, $invnum);
 if ( $cgi->param('error') ) {
   #$cust_credit_bill = new FS::cust_credit_bill ( {
@@ -85,5 +90,5 @@ my @cust_bill = sort {    $a->_date  <=> $b->_date
                      }
                 grep { $_->owed != 0 }
                 qsearch('cust_bill', { 'custnum' => $cust_credit->custnum } );
-</%init>
 
+</%init>
diff --git a/httemplate/edit/cust_main.cgi b/httemplate/edit/cust_main.cgi
index be9dd1bfb..3ba097028 100755
--- a/httemplate/edit/cust_main.cgi
+++ b/httemplate/edit/cust_main.cgi
@@ -1,110 +1,10 @@
-%
-%
-%  #for misplaced logic below
-%  #use FS::part_pkg;
-%
-%  #for false laziness below (now more properly lazy)
-%  #use FS::svc_acct_pop;
-%
-%  #for (other) false laziness below
-%  #use FS::agent;
-%  #use FS::type_pkgs;
-%
-%my $conf = new FS::Conf;
-%
-%#get record
-%
-%my $error = '';
-%my($custnum, $username, $password, $popnum, $cust_main, $saved_pkgpart, $saved_domsvc);
-%my(@invoicing_list);
-%my ($ss,$stateid,$payinfo);
-%my $same = '';
-%if ( $cgi->param('error') ) {
-%  $error = $cgi->param('error');
-%  $cust_main = new FS::cust_main ( {
-%    map { $_, scalar($cgi->param($_)) } fields('cust_main')
-%  } );
-%  $custnum = $cust_main->custnum;
-%  $saved_domsvc = $cgi->param('domsvc') || '';
-%  if ( $saved_domsvc =~ /^(\d+)$/ ) {
-%    $saved_domsvc = $1;
-%  } else {
-%    $saved_domsvc = '';
-%  }
-%  $saved_pkgpart = $cgi->param('pkgpart_svcpart') || '';
-%  if ( $saved_pkgpart =~ /^(\d+)_/ ) {
-%    $saved_pkgpart = $1;
-%  } else {
-%    $saved_pkgpart = '';
-%  }
-%  $username = $cgi->param('username');
-%  $password = $cgi->param('_password');
-%  $popnum = $cgi->param('popnum');
-%  @invoicing_list = split( /\s*,\s*/, $cgi->param('invoicing_list') );
-%  $same = $cgi->param('same');
-%  $cust_main->setfield('paid' => $cgi->param('paid')) if $cgi->param('paid');
-%  $ss = $cust_main->ss;           # don't mask an entered value on errors
-%  $stateid = $cust_main->stateid; # don't mask an entered value on errors
-%  $payinfo = $cust_main->payinfo; # don't mask an entered value on errors
-%} elsif ( $cgi->keywords ) { #editing
-%  my( $query ) = $cgi->keywords;
-%  $query =~ /^(\d+)$/;
-%  $custnum=$1;
-%  $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } );
-%  if ( $cust_main->dbdef_table->column('paycvv')
-%       && length($cust_main->paycvv)             ) {
-%    my $paycvv = $cust_main->paycvv;
-%    $paycvv =~ s/./*/g;
-%    $cust_main->paycvv($paycvv);
-%  }
-%  $saved_pkgpart = 0;
-%  $saved_domsvc = 0;
-%  $username = '';
-%  $password = '';
-%  $popnum = 0;
-%  @invoicing_list = $cust_main->invoicing_list;
-%  $ss = $cust_main->masked('ss');
-%  $stateid = $cust_main->masked('stateid');
-%  $payinfo = $cust_main->paymask;
-%} else {
-%  $custnum='';
-%  $cust_main = new FS::cust_main ( {} );
-%  $cust_main->otaker( &getotaker );
-%  $cust_main->referral_custnum( $cgi->param('referral_custnum') );
-%  $saved_pkgpart = 0;
-%  $saved_domsvc = 0;
-%  $username = '';
-%  $password = '';
-%  $popnum = 0;
-%  @invoicing_list = ();
-%  push @invoicing_list, 'POST'
-%    unless $conf->exists('disablepostalinvoicedefault');
-%  $ss = '';
-%  $stateid = '';
-%  $payinfo = '';
-%}
-%$cgi->delete_all();
-%
-%my $action = $custnum ? 'Edit' : 'Add';
-%$action .= ": ". $cust_main->name if $custnum;
-%
-%my $r = qq!<font color="#ff0000">*</font>&nbsp;!;
-%
-%
-
-
-<!-- top -->
-
 <% include('/elements/header.html',
       "Customer $action",
       '',
       ' onUnload="myclose()"'
 ) %>
-% if ( $error ) { 
-
-<FONT SIZE="+1" COLOR="#ff0000">Error: <% $error %></FONT><BR><BR>
-% } 
 
+<% include('/elements.error.html') %>
 
 <FORM NAME="topform" STYLE="margin-bottom: 0">
 <INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum %>">
@@ -544,3 +444,97 @@ function copyelement(from, to) {
 
 <% include('/elements/footer.html') %>
 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit customer');
+
+#for misplaced logic below
+#use FS::part_pkg;
+
+#for false laziness below (now more properly lazy)
+#use FS::svc_acct_pop;
+
+#for (other) false laziness below
+#use FS::agent;
+#use FS::type_pkgs;
+
+my $conf = new FS::Conf;
+
+#get record
+
+my($custnum, $username, $password, $popnum, $cust_main, $saved_pkgpart, $saved_domsvc);
+my(@invoicing_list);
+my ($ss,$stateid,$payinfo);
+my $same = '';
+if ( $cgi->param('error') ) {
+  $cust_main = new FS::cust_main ( {
+    map { $_, scalar($cgi->param($_)) } fields('cust_main')
+  } );
+  $custnum = $cust_main->custnum;
+  $saved_domsvc = $cgi->param('domsvc') || '';
+  if ( $saved_domsvc =~ /^(\d+)$/ ) {
+    $saved_domsvc = $1;
+  } else {
+    $saved_domsvc = '';
+  }
+  $saved_pkgpart = $cgi->param('pkgpart_svcpart') || '';
+  if ( $saved_pkgpart =~ /^(\d+)_/ ) {
+    $saved_pkgpart = $1;
+  } else {
+    $saved_pkgpart = '';
+  }
+  $username = $cgi->param('username');
+  $password = $cgi->param('_password');
+  $popnum = $cgi->param('popnum');
+  @invoicing_list = split( /\s*,\s*/, $cgi->param('invoicing_list') );
+  $same = $cgi->param('same');
+  $cust_main->setfield('paid' => $cgi->param('paid')) if $cgi->param('paid');
+  $ss = $cust_main->ss;           # don't mask an entered value on errors
+  $stateid = $cust_main->stateid; # don't mask an entered value on errors
+  $payinfo = $cust_main->payinfo; # don't mask an entered value on errors
+} elsif ( $cgi->keywords ) { #editing
+  my( $query ) = $cgi->keywords;
+  $query =~ /^(\d+)$/;
+  $custnum=$1;
+  $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } );
+  if ( $cust_main->dbdef_table->column('paycvv')
+       && length($cust_main->paycvv)             ) {
+    my $paycvv = $cust_main->paycvv;
+    $paycvv =~ s/./*/g;
+    $cust_main->paycvv($paycvv);
+  }
+  $saved_pkgpart = 0;
+  $saved_domsvc = 0;
+  $username = '';
+  $password = '';
+  $popnum = 0;
+  @invoicing_list = $cust_main->invoicing_list;
+  $ss = $cust_main->masked('ss');
+  $stateid = $cust_main->masked('stateid');
+  $payinfo = $cust_main->paymask;
+} else {
+  $custnum='';
+  $cust_main = new FS::cust_main ( {} );
+  $cust_main->otaker( &getotaker );
+  $cust_main->referral_custnum( $cgi->param('referral_custnum') );
+  $saved_pkgpart = 0;
+  $saved_domsvc = 0;
+  $username = '';
+  $password = '';
+  $popnum = 0;
+  @invoicing_list = ();
+  push @invoicing_list, 'POST'
+    unless $conf->exists('disablepostalinvoicedefault');
+  $ss = '';
+  $stateid = '';
+  $payinfo = '';
+}
+$cgi->delete_all();
+
+my $action = $custnum ? 'Edit' : 'Add';
+$action .= ": ". $cust_main->name if $custnum;
+
+my $r = qq!<font color="#ff0000">*</font>&nbsp;!;
+
+</%init>
diff --git a/httemplate/edit/cust_main_county-expand.cgi b/httemplate/edit/cust_main_county-expand.cgi
index abf8e27f2..22e823021 100755
--- a/httemplate/edit/cust_main_county-expand.cgi
+++ b/httemplate/edit/cust_main_county-expand.cgi
@@ -18,6 +18,9 @@
 
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
 my($taxnum, $expansion, $taxclass);
 my($query) = $cgi->keywords;
 if ( $cgi->param('error') ) {
diff --git a/httemplate/edit/cust_main_note.cgi b/httemplate/edit/cust_main_note.cgi
index 58ea779a2..6c6a1a9a0 100755
--- a/httemplate/edit/cust_main_note.cgi
+++ b/httemplate/edit/cust_main_note.cgi
@@ -20,13 +20,12 @@
 </HTML>
 
 <%init>
-my($custnum, $comment, $notenum, $action); 
-$comment = '';
 
+my $comment;
+my $notenum = '';
 if ( $cgi->param('error') ) {
   $comment     = $cgi->param('comment');
-}elsif ($cgi->param('notenum')) {
-  $cgi->param('notenum') =~ /^(\d+)$/;
+} elsif ( $cgi->param('notenum') =~ /^(\d+)$/ ) {
   $notenum = $1;
   die "illegal query ". $cgi->keywords unless $notenum;
   my $note = qsearchs('cust_main_note', { 'notenum' => $notenum });
@@ -34,15 +33,13 @@ if ( $cgi->param('error') ) {
   $comment = $note->comments;
 }
 
-$cgi->param('notenum') =~ /^(\d+)$/;
-$notenum = $1;
+$cgi->param('custnum') =~ /^(\d+)$/ or die "illeagl custnum";
+my $custnum = $1;
 
-$cgi->param('custnum') =~ /^(\d+)$/;
-$custnum     = $1;
+my $action = $notenum ? 'Edit' : 'Add';
 
-die "illegal query ". $cgi->keywords unless $custnum;
-
-$action = $notenum ? 'Edit' : 'Add';
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right("$action customer note");
 
 </%init>
 
diff --git a/httemplate/edit/cust_pay.cgi b/httemplate/edit/cust_pay.cgi
index aaa200fc4..92abb7be8 100755
--- a/httemplate/edit/cust_pay.cgi
+++ b/httemplate/edit/cust_pay.cgi
@@ -86,6 +86,7 @@ Payment
 </HTML>
 
 <%once>
+
 my $conf = new FS::Conf;
 
 my %payby = (
@@ -96,9 +97,13 @@ my %payby = (
 );
 
 my $money_char = $conf->config('money_char') || '$';
-</%once>
 
+</%once>
 <%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Post payment');
+
 my($link, $linknum, $paid, $payby, $payinfo, $_date); 
 if ( $cgi->param('error') ) {
   $link     = $cgi->param('link');
diff --git a/httemplate/edit/cust_pkg.cgi b/httemplate/edit/cust_pkg.cgi
index 065136c55..ecc21195d 100755
--- a/httemplate/edit/cust_pkg.cgi
+++ b/httemplate/edit/cust_pkg.cgi
@@ -1,35 +1,3 @@
-%
-%
-%my %pkg = ();
-%my %comment = ();
-%my %all_pkg = ();
-%my %all_comment = ();
-%#foreach (qsearch('part_pkg', { 'disabled' => '' })) {
-%#  $pkg{ $_ -> getfield('pkgpart') } = $_->getfield('pkg');
-%#  $comment{ $_ -> getfield('pkgpart') } = $_->getfield('comment');
-%#}
-%foreach (qsearch('part_pkg', {} )) {
-%  $all_pkg{ $_ -> getfield('pkgpart') } = $_->getfield('pkg');
-%  $all_comment{ $_ -> getfield('pkgpart') } = $_->getfield('comment');
-%  next if $_->disabled;
-%  $pkg{ $_ -> getfield('pkgpart') } = $_->getfield('pkg');
-%  $comment{ $_ -> getfield('pkgpart') } = $_->getfield('comment');
-%}
-%
-%my($custnum, %remove_pkg);
-%if ( $cgi->param('error') ) {
-%  $custnum = $cgi->param('custnum');
-%  %remove_pkg = map { $_ => 1 } $cgi->param('remove_pkg');
-%} else {
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/;
-%  $custnum = $1;
-%  %remove_pkg = ();
-%}
-%
-%my $p1 = popurl(1);
-%
-%
 <% include('/elements/header.html', "Add/Edit Packages", '') %>
 
 <% include('/elements/error.html') %>
@@ -147,3 +115,40 @@ Order new packages
 </FORM>
 
 <% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Bulk change customer packages');
+
+my %pkg = ();
+my %comment = ();
+my %all_pkg = ();
+my %all_comment = ();
+#foreach (qsearch('part_pkg', { 'disabled' => '' })) {
+#  $pkg{ $_ -> getfield('pkgpart') } = $_->getfield('pkg');
+#  $comment{ $_ -> getfield('pkgpart') } = $_->getfield('comment');
+#}
+foreach (qsearch('part_pkg', {} )) {
+  $all_pkg{ $_ -> getfield('pkgpart') } = $_->getfield('pkg');
+  $all_comment{ $_ -> getfield('pkgpart') } = $_->getfield('comment');
+  next if $_->disabled;
+  $pkg{ $_ -> getfield('pkgpart') } = $_->getfield('pkg');
+  $comment{ $_ -> getfield('pkgpart') } = $_->getfield('comment');
+}
+
+my($custnum, %remove_pkg);
+if ( $cgi->param('error') ) {
+  $custnum = $cgi->param('custnum');
+  %remove_pkg = map { $_ => 1 } $cgi->param('remove_pkg');
+} else {
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/;
+  $custnum = $1;
+  %remove_pkg = ();
+}
+
+my $p1 = popurl(1);
+
+</%init>
+
diff --git a/httemplate/edit/cust_refund.cgi b/httemplate/edit/cust_refund.cgi
index b260949f0..3333f5d8c 100755
--- a/httemplate/edit/cust_refund.cgi
+++ b/httemplate/edit/cust_refund.cgi
@@ -1,33 +1,3 @@
-%
-%
-%my $conf = new FS::Conf;
-%my $custnum = $cgi->param('custnum');
-%my $refund  = $cgi->param('refund');
-%my $payby   = $cgi->param('payby');
-%my $reason  = $cgi->param('reason');
-%
-%my( $paynum, $cust_pay ) = ( '', '' );
-%if ( $cgi->param('paynum') =~ /^(\d+)$/ ) {
-%  $paynum = $1;
-%  $cust_pay = qsearchs('cust_pay', { paynum=>$paynum } )
-%    or die "unknown payment # $paynum";
-%  $refund ||= $cust_pay->unrefunded;
-%  if ( $custnum ) {
-%    die "payment # $paynum is not for specified customer # $custnum"
-%      unless $custnum == $cust_pay->custnum;
-%  } else {
-%    $custnum = $cust_pay->custnum;
-%  }
-%}
-%die "no custnum or paynum specified!" unless $custnum;
-%
-%my $_date = time;
-%
-%my $p1 = popurl(1);
-%
-%
-
-
 <% include('/elements/header.html', 'Refund '. ucfirst(lc($payby)). ' payment', '') %>
 
 <% include('/elements/error.html') %>
@@ -138,3 +108,34 @@
 
 <% include('/elements/footer.html') %>
 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Refund payment');
+
+my $conf = new FS::Conf;
+my $custnum = $cgi->param('custnum');
+my $refund  = $cgi->param('refund');
+my $payby   = $cgi->param('payby');
+my $reason  = $cgi->param('reason');
+
+my( $paynum, $cust_pay ) = ( '', '' );
+if ( $cgi->param('paynum') =~ /^(\d+)$/ ) {
+  $paynum = $1;
+  $cust_pay = qsearchs('cust_pay', { paynum=>$paynum } )
+    or die "unknown payment # $paynum";
+  $refund ||= $cust_pay->unrefunded;
+  if ( $custnum ) {
+    die "payment # $paynum is not for specified customer # $custnum"
+      unless $custnum == $cust_pay->custnum;
+  } else {
+    $custnum = $cust_pay->custnum;
+  }
+}
+die "no custnum or paynum specified!" unless $custnum;
+
+my $_date = time;
+
+my $p1 = popurl(1);
+
+</%init>
diff --git a/httemplate/edit/inventory_class.html b/httemplate/edit/inventory_class.html
index beefcd580..3ab47fe28 100644
--- a/httemplate/edit/inventory_class.html
+++ b/httemplate/edit/inventory_class.html
@@ -8,3 +8,9 @@
                  'viewall_dir' => 'browse',
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/part_bill_event.cgi b/httemplate/edit/part_bill_event.cgi
index bb7aea49b..c7f452dc3 100755
--- a/httemplate/edit/part_bill_event.cgi
+++ b/httemplate/edit/part_bill_event.cgi
@@ -1,40 +1,6 @@
-<!--mason kludge-->
-%
-%
-%if ( $cgi->param('eventpart') && $cgi->param('eventpart') =~ /^(\d+)$/ ) {
-%  $cgi->param('eventpart', $1);
-%} else {
-%  $cgi->param('eventpart', '');
-%}
-%
-%my ($creason, $newcreasonT, $newcreason);
-%my ($sreason, $newsreasonT, $newsreason);
-%
-%
-%my ($query) = $cgi->keywords;
-%my $action = '';
-%my $part_bill_event = '';
-%my $currentreasonclass = '';
-%if ( $cgi->param('error') ) {
-%  $part_bill_event = new FS::part_bill_event ( {
-%    map { $_, scalar($cgi->param($_)) } fields('part_bill_event')
-%  } );
-%}
-%if ( $query && $query =~ /^(\d+)$/ ) {
-%  $part_bill_event ||= qsearchs('part_bill_event',{'eventpart'=>$1});
-%} else {
-%  $part_bill_event ||= new FS::part_bill_event {};
-%}
-%$action ||= $part_bill_event->eventpart ? 'Edit' : 'Add';
-%my $hashref = $part_bill_event->hashref;
-%
-%
-
-
 <% include('/elements/header.html',
       "$action Invoice Event Definition",
       menubar(
-        'Main Menu' => popurl(2),
         'View all invoice events' => popurl(2). 'browse/part_bill_event.cgi',
       )
     )
@@ -536,7 +502,38 @@ Invoice Event #<% $hashref->{eventpart} ? $hashref->{eventpart} : "(NEW)" %>
 
 
     </FORM>
-  </BODY>
-</HTML>
 
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+if ( $cgi->param('eventpart') && $cgi->param('eventpart') =~ /^(\d+)$/ ) {
+  $cgi->param('eventpart', $1);
+} else {
+  $cgi->param('eventpart', '');
+}
+
+my ($creason, $newcreasonT, $newcreason);
+my ($sreason, $newsreasonT, $newsreason);
+
+my ($query) = $cgi->keywords;
+my $action = '';
+my $part_bill_event = '';
+my $currentreasonclass = '';
+if ( $cgi->param('error') ) {
+  $part_bill_event = new FS::part_bill_event ( {
+    map { $_, scalar($cgi->param($_)) } fields('part_bill_event')
+  } );
+}
+if ( $query && $query =~ /^(\d+)$/ ) {
+  $part_bill_event ||= qsearchs('part_bill_event',{'eventpart'=>$1});
+} else {
+  $part_bill_event ||= new FS::part_bill_event {};
+}
+$action ||= $part_bill_event->eventpart ? 'Edit' : 'Add';
+my $hashref = $part_bill_event->hashref;
 
+</%init>
diff --git a/httemplate/edit/part_export.cgi b/httemplate/edit/part_export.cgi
index 72a07134b..d57979751 100644
--- a/httemplate/edit/part_export.cgi
+++ b/httemplate/edit/part_export.cgi
@@ -1,110 +1,4 @@
-<!-- mason kludge -->
-%
-%
-%#if ( $cgi->param('clone') && $cgi->param('clone') =~ /^(\d+)$/ ) {
-%#  $cgi->param('clone', $1);
-%#} else {
-%#  $cgi->param('clone', '');
-%#}
-%
-%my($query) = $cgi->keywords;
-%my $action = '';
-%my $part_export = '';
-%if ( $cgi->param('error') ) {
-%  $part_export = new FS::part_export ( {
-%    map { $_, scalar($cgi->param($_)) } fields('part_export')
-%  } );
-%} elsif ( $query =~ /^(\d+)$/ ) {
-%  $part_export = qsearchs('part_export', { 'exportnum' => $1 } );
-%} else {
-%  $part_export = new FS::part_export;
-%}
-%$action ||= $part_export->exportnum ? 'Edit' : 'Add';
-%
-%#my $exports = FS::part_export::export_info($svcdb);
-%my $exports = FS::part_export::export_info();
-%
-%my %layers = map { $_ => "$_ - ". $exports->{$_}{desc} } keys %$exports;
-%$layers{''}='';
-%
-%my $widget = new HTML::Widgets::SelectLayers(
-%  'selected_layer' => $part_export->exporttype,
-%  'options'        => \%layers,
-%  'form_name'      => 'dummy',
-%  'form_action'    => 'process/part_export.cgi',
-%  'form_text'      => [qw( exportnum machine )],
-%#  'form_checkbox'  => [qw()],
-%  'html_between'    => "</TD></TR></TABLE>\n",
-%  'layer_callback'  => sub {
-%    my $layer = shift;
-%    my $html = qq!<INPUT TYPE="hidden" NAME="exporttype" VALUE="$layer">!.
-%               ntable("#cccccc",2);
-%
-%    $html .= '<TR><TD ALIGN="right">Description</TD><TD BGCOLOR=#ffffff>'.
-%             $exports->{$layer}{notes}. '</TD></TR>'
-%      if $layer;
-%
-%    foreach my $option ( keys %{$exports->{$layer}{options}} ) {
-%      my $optinfo = $exports->{$layer}{options}{$option};
-%      die "Retreived non-ref export info option from $layer export: $optinfo"
-%        unless ref($optinfo);
-%      my $label = $optinfo->{label};
-%      my $type = defined($optinfo->{type}) ? $optinfo->{type} : 'text';
-%      my $value = $cgi->param($option)
-%                 || ( $part_export->exportnum && $part_export->option($option) )
-%                 || ( (exists $optinfo->{default} && !$part_export->exportnum)
-%                      ? $optinfo->{default}
-%                      : ''
-%                    );
-%      $html .= qq!<TR><TD ALIGN="right">$label</TD><TD>!;
-%      if ( $type eq 'select' ) {
-%        $html .= qq!<SELECT NAME="$option">!;
-%        foreach my $select_option ( @{$optinfo->{options}} ) {
-%          #if ( ref($select_option) ) {
-%          #} else {
-%            my $selected = $select_option eq $value ? ' SELECTED' : '';
-%            $html .= qq!<OPTION VALUE="$select_option"$selected>!.
-%                     qq!$select_option</OPTION>!;
-%          #}
-%        }
-%        $html .= '</SELECT>';
-%      } elsif ( $type eq 'textarea' ) {
-%        $html .= qq!<TEXTAREA NAME="$option" COLS=80 ROWS=8 WRAP="virtual">!.
-%                 encode_entities($value). '</TEXTAREA>';
-%      } elsif ( $type eq 'text' ) {
-%        $html .= qq!<INPUT TYPE="text" NAME="$option" VALUE="!.
-%                 encode_entities($value). '" SIZE=64>';
-%      } elsif ( $type eq 'checkbox' ) {
-%        $html .= qq!<INPUT TYPE="checkbox" NAME="$option" VALUE="1"!;
-%        $html .= ' CHECKED' if $value;
-%        $html .= '>';
-%      } else {
-%        $html .= "unknown type $type";
-%      }
-%      $html .= '</TD></TR>';
-%    }
-%    $html .= '</TABLE>';
-%
-%    $html .= '<INPUT TYPE="hidden" NAME="options" VALUE="'.
-%             join(',', keys %{$exports->{$layer}{options}} ). '">';
-%
-%    $html .= '<INPUT TYPE="hidden" NAME="nodomain" VALUE="'.
-%             $exports->{$layer}{nodomain}. '">';
-%
-%    $html .= '<INPUT TYPE="submit" VALUE="'.
-%             ( $part_export->exportnum ? "Apply changes" : "Add export" ).
-%             '">';
-%
-%    $html;
-%  },
-%);
-%
-%
-
-<% include("/elements/header.html","$action Export", menubar(
-  'Main Menu' => popurl(2),
-), ' onLoad="visualize()"')
-%>
+<% include('/elements/header.html', "$action Export", '', ' onLoad="visualize()"') %>
 
 <% include('/elements/error.html') %>
 
@@ -121,6 +15,109 @@
 <TR>
   <TD ALIGN="right">Export</TD>
   <TD><% $widget->html %>
-</BODY>
-</HTML>
 
+<% include('/elements/footer.html') %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+#if ( $cgi->param('clone') && $cgi->param('clone') =~ /^(\d+)$/ ) {
+#  $cgi->param('clone', $1);
+#} else {
+#  $cgi->param('clone', '');
+#}
+
+my($query) = $cgi->keywords;
+my $action = '';
+my $part_export = '';
+if ( $cgi->param('error') ) {
+  $part_export = new FS::part_export ( {
+    map { $_, scalar($cgi->param($_)) } fields('part_export')
+  } );
+} elsif ( $query =~ /^(\d+)$/ ) {
+  $part_export = qsearchs('part_export', { 'exportnum' => $1 } );
+} else {
+  $part_export = new FS::part_export;
+}
+$action ||= $part_export->exportnum ? 'Edit' : 'Add';
+
+#my $exports = FS::part_export::export_info($svcdb);
+my $exports = FS::part_export::export_info();
+
+my %layers = map { $_ => "$_ - ". $exports->{$_}{desc} } keys %$exports;
+$layers{''}='';
+
+my $widget = new HTML::Widgets::SelectLayers(
+  'selected_layer' => $part_export->exporttype,
+  'options'        => \%layers,
+  'form_name'      => 'dummy',
+  'form_action'    => 'process/part_export.cgi',
+  'form_text'      => [qw( exportnum machine )],
+#  'form_checkbox'  => [qw()],
+  'html_between'    => "</TD></TR></TABLE>\n",
+  'layer_callback'  => sub {
+    my $layer = shift;
+    my $html = qq!<INPUT TYPE="hidden" NAME="exporttype" VALUE="$layer">!.
+               ntable("#cccccc",2);
+
+    $html .= '<TR><TD ALIGN="right">Description</TD><TD BGCOLOR=#ffffff>'.
+             $exports->{$layer}{notes}. '</TD></TR>'
+      if $layer;
+
+    foreach my $option ( keys %{$exports->{$layer}{options}} ) {
+      my $optinfo = $exports->{$layer}{options}{$option};
+      die "Retreived non-ref export info option from $layer export: $optinfo"
+        unless ref($optinfo);
+      my $label = $optinfo->{label};
+      my $type = defined($optinfo->{type}) ? $optinfo->{type} : 'text';
+      my $value = $cgi->param($option)
+                 || ( $part_export->exportnum && $part_export->option($option) )
+                 || ( (exists $optinfo->{default} && !$part_export->exportnum)
+                      ? $optinfo->{default}
+                      : ''
+                    );
+      $html .= qq!<TR><TD ALIGN="right">$label</TD><TD>!;
+      if ( $type eq 'select' ) {
+        $html .= qq!<SELECT NAME="$option">!;
+        foreach my $select_option ( @{$optinfo->{options}} ) {
+          #if ( ref($select_option) ) {
+          #} else {
+            my $selected = $select_option eq $value ? ' SELECTED' : '';
+            $html .= qq!<OPTION VALUE="$select_option"$selected>!.
+                     qq!$select_option</OPTION>!;
+          #}
+        }
+        $html .= '</SELECT>';
+      } elsif ( $type eq 'textarea' ) {
+        $html .= qq!<TEXTAREA NAME="$option" COLS=80 ROWS=8 WRAP="virtual">!.
+                 encode_entities($value). '</TEXTAREA>';
+      } elsif ( $type eq 'text' ) {
+        $html .= qq!<INPUT TYPE="text" NAME="$option" VALUE="!.
+                 encode_entities($value). '" SIZE=64>';
+      } elsif ( $type eq 'checkbox' ) {
+        $html .= qq!<INPUT TYPE="checkbox" NAME="$option" VALUE="1"!;
+        $html .= ' CHECKED' if $value;
+        $html .= '>';
+      } else {
+        $html .= "unknown type $type";
+      }
+      $html .= '</TD></TR>';
+    }
+    $html .= '</TABLE>';
+
+    $html .= '<INPUT TYPE="hidden" NAME="options" VALUE="'.
+             join(',', keys %{$exports->{$layer}{options}} ). '">';
+
+    $html .= '<INPUT TYPE="hidden" NAME="nodomain" VALUE="'.
+             $exports->{$layer}{nodomain}. '">';
+
+    $html .= '<INPUT TYPE="submit" VALUE="'.
+             ( $part_export->exportnum ? "Apply changes" : "Add export" ).
+             '">';
+
+    $html;
+  },
+);
+
+</%init>
diff --git a/httemplate/edit/part_pkg.cgi b/httemplate/edit/part_pkg.cgi
index a337d2272..82d622610 100755
--- a/httemplate/edit/part_pkg.cgi
+++ b/httemplate/edit/part_pkg.cgi
@@ -1,5 +1,4 @@
-<% include("/elements/header.html","$action Package Definition", menubar(
-  'Main Menu' => popurl(2),
+<% include('/elements/header.html', "$action Package Definition", menubar(
   'View all packages' => popurl(2). 'browse/part_pkg.cgi',
 )) %>
 % #), ' onLoad="visualize()"'); 
@@ -360,10 +359,18 @@ Line-item revenue recognition
 
 
 <BR><BR>Price plan <% $widget->html %>
-  </BODY>
-</HTML>
+
+<% include('/elements/footer.html') %>
 <%init>
 
+#1.7
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+#1.9
+#die "access denied"
+#  unless $FS::CurrentUser::CurrentUser->access_right('Edit package definitions')
+#      || $FS::CurrentUser::CurrentUser->access_right('Edit global package definitions');
+
 if ( $cgi->param('clone') && $cgi->param('clone') =~ /^(\d+)$/ ) {
   $cgi->param('clone', $1);
 } else {
diff --git a/httemplate/edit/part_referral.html b/httemplate/edit/part_referral.html
index f4572c067..daf8773f0 100755
--- a/httemplate/edit/part_referral.html
+++ b/httemplate/edit/part_referral.html
@@ -10,3 +10,10 @@
                 'viewall_dir' => 'browse',
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit advertising sources')
+      || $FS::CurrentUser::CurrentUser->access_right('Edit global advertising sources');
+
+</%init>
diff --git a/httemplate/edit/part_svc.cgi b/httemplate/edit/part_svc.cgi
index 9432839e7..4b8a24080 100755
--- a/httemplate/edit/part_svc.cgi
+++ b/httemplate/edit/part_svc.cgi
@@ -1,34 +1,7 @@
-%
-%my $part_svc;
-%my $clone = '';
-%if ( $cgi->param('clone') && $cgi->param('clone') =~ /^(\d+)$/ ) {#clone
-%  #$cgi->param('clone') =~ /^(\d+)$/ or die "malformed query: $query";
-%  $part_svc = qsearchs('part_svc', { 'svcpart'=>$1 } )
-%    or die "unknown svcpart: $1";
-%  $clone = $part_svc->svcpart;
-%  $part_svc->svcpart('');
-%} elsif ( $cgi->keywords ) { #edit
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/ or die "malformed query: $query";
-%  $part_svc=qsearchs('part_svc', { 'svcpart'=>$1 } )
-%    or die "unknown svcpart: $1";
-%} else { #adding
-%  $part_svc = new FS::part_svc {};
-%}
-%
-%my $action = $part_svc->svcpart ? 'Edit' : 'Add';
-%my $hashref = $part_svc->hashref;
-%#   my $p_svcdb = $part_svc->svcdb || 'svc_acct';
-%
-%
-%           #" onLoad=\"visualize()\""
-%
-
-<% include("/elements/header.html","$action Service Definition",
-           menubar( 'Main Menu'         => $p,
-                    'View all service definitions' => "${p}browse/part_svc.cgi"
-                  ),
-           )
+<% include('/elements/header.html', "$action Service Definition",
+           menubar('View all service definitions' => "${p}browse/part_svc.cgi"),
+           #" onLoad=\"visualize()\""
+          )
 %>
 
 <FORM NAME="dummy">
@@ -350,6 +323,38 @@ that field.
 %
 
 Table <% $widget->html %>
-  </BODY>
-</HTML>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $part_svc;
+my $clone = '';
+if ( $cgi->param('clone') && $cgi->param('clone') =~ /^(\d+)$/ ) {#clone
+  #$cgi->param('clone') =~ /^(\d+)$/ or die "malformed query: $query";
+  $part_svc = qsearchs('part_svc', { 'svcpart'=>$1 } )
+    or die "unknown svcpart: $1";
+  $clone = $part_svc->svcpart;
+  $part_svc->svcpart('');
+} elsif ( $cgi->keywords ) { #edit
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/ or die "malformed query: $query";
+  $part_svc=qsearchs('part_svc', { 'svcpart'=>$1 } )
+    or die "unknown svcpart: $1";
+} else { #adding
+  $part_svc = new FS::part_svc {};
+}
+
+my $action = $part_svc->svcpart ? 'Edit' : 'Add';
+my $hashref = $part_svc->hashref;
+#   my $p_svcdb = $part_svc->svcdb || 'svc_acct';
+
+
+
+</%init>
+
+
 
diff --git a/httemplate/edit/part_virtual_field.cgi b/httemplate/edit/part_virtual_field.cgi
index f7f20cfd7..04ba9b0c0 100644
--- a/httemplate/edit/part_virtual_field.cgi
+++ b/httemplate/edit/part_virtual_field.cgi
@@ -1,27 +1,3 @@
-%
-%my ($vfieldpart, $part_virtual_field);
-%
-%if ( $cgi->param('error') ) {
-%  $part_virtual_field = new FS::part_virtual_field ( {
-%    map { $_, scalar($cgi->param($_)) } fields('part_virtual_field')});
-%  $vfieldpart = $part_virtual_field->vfieldpart;
-%} else {
-%  my($query) = $cgi->keywords;
-%  if ( $query =~ /^(\d+)$/ ) { #editing
-%    $vfieldpart=$1;
-%    $part_virtual_field=qsearchs('part_virtual_field',
-%        {'vfieldpart' => $vfieldpart})
-%      or die "Unknown vfieldpart!";
-%  
-%  } else { #adding
-%    $part_virtual_field = new FS::part_virtual_field({});
-%  }
-%}
-%my $action = $part_virtual_field->vfieldpart ? 'Edit' : 'Add';
-%
-%my $p1 = popurl(1);
-%
-%
 <% include('/elements/header.html', "$action Virtual Field Definition") %>
 
 <% include('/elements/error.html') %>
@@ -97,3 +73,32 @@ Field #<B><%$vfieldpart or "(NEW)"%></B><BR><BR>
 <I>list_source</I> mean, <B>LEAVE THEM BLANK</B>.  We mean it.</FONT>
 
 <% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my ($vfieldpart, $part_virtual_field);
+
+if ( $cgi->param('error') ) {
+  $part_virtual_field = new FS::part_virtual_field ( {
+    map { $_, scalar($cgi->param($_)) } fields('part_virtual_field')});
+  $vfieldpart = $part_virtual_field->vfieldpart;
+} else {
+  my($query) = $cgi->keywords;
+  if ( $query =~ /^(\d+)$/ ) { #editing
+    $vfieldpart=$1;
+    $part_virtual_field=qsearchs('part_virtual_field',
+        {'vfieldpart' => $vfieldpart})
+      or die "Unknown vfieldpart!";
+  
+  } else { #adding
+    $part_virtual_field = new FS::part_virtual_field({});
+  }
+}
+my $action = $part_virtual_field->vfieldpart ? 'Edit' : 'Add';
+
+my $p1 = popurl(1);
+
+</%init>
diff --git a/httemplate/edit/payment_gateway.html b/httemplate/edit/payment_gateway.html
index 84d453cdd..e3893cf49 100644
--- a/httemplate/edit/payment_gateway.html
+++ b/httemplate/edit/payment_gateway.html
@@ -1,25 +1,4 @@
-%
-%
-%my $payment_gateway;
-%if ( $cgi->param('error') ) {
-%  $payment_gateway = new FS::payment_gateway ( {
-%    map { $_, scalar($cgi->param($_)) } fields('payment_gateway')
-%  } );
-%} elsif ( $cgi->keywords ) {
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/;
-%  $payment_gateway = qsearchs( 'payment_gateway', { 'gatewaynum' => $1 } );
-%} else { #adding
-%  $payment_gateway = new FS::payment_gateway {};
-%}
-%my $action = $payment_gateway->gatewaynum ? 'Edit' : 'Add';
-%#my $hashref = $payment_gateway->hashref;
-%
-%
-
-
 <% include("/elements/header.html","$action Payment gateway", menubar(
-  'Main Menu' => $p,
   'View all payment gateways' => $p. 'browse/payment_gateway.html',
 )) %>
 
@@ -127,6 +106,27 @@ Gateway #<% $payment_gateway->gatewaynum || "(NEW)" %>
 
 <BR><INPUT TYPE="submit" VALUE="<% $payment_gateway->gatewaynum ? "Apply changes" : "Add gateway" %>">
     </FORM>
-  </BODY>
-</HTML>
 
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $payment_gateway;
+if ( $cgi->param('error') ) {
+  $payment_gateway = new FS::payment_gateway ( {
+    map { $_, scalar($cgi->param($_)) } fields('payment_gateway')
+  } );
+} elsif ( $cgi->keywords ) {
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/;
+  $payment_gateway = qsearchs( 'payment_gateway', { 'gatewaynum' => $1 } );
+} else { #adding
+  $payment_gateway = new FS::payment_gateway {};
+}
+my $action = $payment_gateway->gatewaynum ? 'Edit' : 'Add';
+#my $hashref = $payment_gateway->hashref;
+
+</%init>
diff --git a/httemplate/edit/pkg_class.html b/httemplate/edit/pkg_class.html
index 6f2b072f1..eddbfc16e 100644
--- a/httemplate/edit/pkg_class.html
+++ b/httemplate/edit/pkg_class.html
@@ -14,3 +14,9 @@
            )
           
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/prepay_credit.cgi b/httemplate/edit/prepay_credit.cgi
index c32c04d16..9e1c30ba6 100644
--- a/httemplate/edit/prepay_credit.cgi
+++ b/httemplate/edit/prepay_credit.cgi
@@ -1,38 +1,11 @@
-%
-%my $agent = '';
-%my $agentnum = '';
-%if ( $cgi->param('agentnum') =~ /^(\d+)$/ ) {
-%  $agent = qsearchs('agent', { 'agentnum' => $agentnum=$1 } );
-%}
-%
-%tie my %multiplier, 'Tie::IxHash',
-%  1    => 'seconds',
-%  60   => 'minutes',
-%  3600 => 'hours',
-%;
-%
-%tie my %bytemultiplier, 'Tie::IxHash',
-%  1          => 'bytes',
-%  1000       => 'Kbytes',
-%  1000000    => 'Mbytes',
-%  1000000000 => 'Gbytes',
-%;
-%
-%$cgi->param('multiplier',     '60')      unless $cgi->param('multiplier');
-%$cgi->param('upmultiplier',   '1000000') unless $cgi->param('upmultiplier');
-%$cgi->param('downmultiplier', '1000000') unless $cgi->param('downmultiplier');
-%$cgi->param('totalmultiplier','1000000') unless $cgi->param('totalmultiplier');
-
-<% include("/elements/header.html",'Generate prepaid cards'. ($agent ? ' for '. $agent->agent : ''),
-           menubar( 'Main Menu' => $p, ))
-%>
+<% include("/elements/header.html",'Generate prepaid cards'. ($agent ? ' for '. $agent->agent : '') ) %>
 
 <% include('/elements/error.html') %>
 
 <FORM ACTION="<%popurl(1)%>process/prepay_credit.cgi" METHOD="POST" NAME="OneTrueForm" onSubmit="document.OneTrueForm.submit.disabled=true">
 
 Generate
-<INPUT TYPE="text" NAME="num" VALUE="<% $cgi->param('num') || '(quantity)' %>" SIZE=10 MAXLENGTH=10 onFocus="if ( this.value == '(quantity)' ) { this.value = ''; }">
+<INPUT TYPE="text" NAME="num" VALUE="<% $cgi->param('num') || '(quantity)' |h %>" SIZE=10 MAXLENGTH=10 onFocus="if ( this.value == '(quantity)' ) { this.value = ''; }">
 
 <SELECT NAME="type">
 % foreach (qw(alpha alphanumeric numeric)) { 
@@ -52,10 +25,10 @@ prepaid cards
 
 <TABLE>
 <TR><TD>Value: 
-$<INPUT TYPE="text" NAME="amount" SIZE=8 MAXLENGTH=7 VALUE="<% $cgi->param('amount') %>">
+$<INPUT TYPE="text" NAME="amount" SIZE=8 MAXLENGTH=7 VALUE="<% $cgi->param('amount') |h %>">
 </TD>
 <TD>and/or
-<INPUT TYPE="text" NAME="seconds" SIZE=6 MAXLENGTH=5 VALUE="<% $cgi->param('seconds') %>">
+<INPUT TYPE="text" NAME="seconds" SIZE=6 MAXLENGTH=5 VALUE="<% $cgi->param('seconds') |h %>">
 <SELECT NAME="multiplier">
 % foreach my $multiplier ( keys %multiplier ) { 
 
@@ -66,7 +39,7 @@ $<INPUT TYPE="text" NAME="amount" SIZE=8 MAXLENGTH=7 VALUE="<% $cgi->param('amou
 </TD></TR>
 <TR><TD></TD>
 <TD>and/or
-<INPUT TYPE="text" NAME="upbytes" SIZE=6 MAXLENGTH=5 VALUE="<% $cgi->param('upbytes') %>">
+<INPUT TYPE="text" NAME="upbytes" SIZE=6 MAXLENGTH=5 VALUE="<% $cgi->param('upbytes') |h %>">
 <SELECT NAME="upmultiplier">
 % foreach my $multiplier ( keys %bytemultiplier ) { 
 
@@ -77,7 +50,7 @@ $<INPUT TYPE="text" NAME="amount" SIZE=8 MAXLENGTH=7 VALUE="<% $cgi->param('amou
 </TD></TR>
 <TR><TD></TD>
 <TD>and/or
-<INPUT TYPE="text" NAME="downbytes" SIZE=6 MAXLENGTH=5 VALUE="<% $cgi->param('downbytes') %>">
+<INPUT TYPE="text" NAME="downbytes" SIZE=6 MAXLENGTH=5 VALUE="<% $cgi->param('downbytes') |h %>">
 <SELECT NAME="downmultiplier">
 % foreach my $multiplier ( keys %bytemultiplier ) { 
 
@@ -88,7 +61,7 @@ $<INPUT TYPE="text" NAME="amount" SIZE=8 MAXLENGTH=7 VALUE="<% $cgi->param('amou
 </TD></TR>
 <TR><TD></TD>
 <TD>and/or
-<INPUT TYPE="text" NAME="totalbytes" SIZE=6 MAXLENGTH=5 VALUE="<% $cgi->param('totalbytes') %>">
+<INPUT TYPE="text" NAME="totalbytes" SIZE=6 MAXLENGTH=5 VALUE="<% $cgi->param('totalbytes') |h %>">
 <SELECT NAME="totalmultiplier">
 % foreach my $multiplier ( keys %bytemultiplier ) { 
 
@@ -101,5 +74,37 @@ $<INPUT TYPE="text" NAME="amount" SIZE=8 MAXLENGTH=7 VALUE="<% $cgi->param('amou
 <BR><BR>
 <INPUT TYPE="submit" NAME="submit" VALUE="Generate" onSubmit="this.disabled = true">
 
-</FORM></BODY></HTML>
+</FORM>
 
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $agent = '';
+my $agentnum = '';
+if ( $cgi->param('agentnum') =~ /^(\d+)$/ ) {
+  $agent = qsearchs('agent', { 'agentnum' => $agentnum=$1 } );
+}
+
+tie my %multiplier, 'Tie::IxHash',
+  1    => 'seconds',
+  60   => 'minutes',
+  3600 => 'hours',
+;
+
+tie my %bytemultiplier, 'Tie::IxHash',
+  1          => 'bytes',
+  1000       => 'Kbytes',
+  1000000    => 'Mbytes',
+  1000000000 => 'Gbytes',
+;
+
+$cgi->param('multiplier',     '60')      unless $cgi->param('multiplier');
+$cgi->param('upmultiplier',   '1000000') unless $cgi->param('upmultiplier');
+$cgi->param('downmultiplier', '1000000') unless $cgi->param('downmultiplier');
+$cgi->param('totalmultiplier','1000000') unless $cgi->param('totalmultiplier');
+
+</%init>
diff --git a/httemplate/edit/process/REAL_cust_pkg.cgi b/httemplate/edit/process/REAL_cust_pkg.cgi
index ec951c86c..ebcb7e4ba 100755
--- a/httemplate/edit/process/REAL_cust_pkg.cgi
+++ b/httemplate/edit/process/REAL_cust_pkg.cgi
@@ -1,31 +1,36 @@
-%my $pkgnum = $cgi->param('pkgnum') or die;
-%my $old = qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
-%my %hash = $old->hash;
-%$hash{'setup'} = $cgi->param('setup') ? str2time($cgi->param('setup')) : '';
-%$hash{'bill'} = $cgi->param('bill') ? str2time($cgi->param('bill')) : '';
-%$hash{'last_bill'} =
-%  $cgi->param('last_bill') ? str2time($cgi->param('last_bill')) : '';
-%$hash{'adjourn'} = $cgi->param('adjourn') ? str2time($cgi->param('adjourn')) : '';
-%$hash{'expire'} = $cgi->param('expire') ? str2time($cgi->param('expire')) : '';
-%
-%my $new;
-%my $error;
-%if ( $hash{'bill'} != $old->bill        # if the next bill date was changed
-%     && $hash{'bill'} < time            # to a date in the past
-%     && ! $cgi->param('bill_areyousure') # and it wasn't confirmed
-%   )
-%{
-%  $error = '_bill_areyousure';
-%} else {
-%  $new = new FS::cust_pkg \%hash;
-%  $error = $new->replace($old);
-%}
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "REAL_cust_pkg.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "REAL_cust_pkg.cgi?". $cgi->query_string ) %>
 %} else { 
 %  my $custnum = $new->custnum;
-%  print $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum".
-%                       "#cust_pkg$pkgnum" );
+<% $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum#cust_pkg$pkgnum" ) %>
 %}
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit customer package dates');
+
+my $pkgnum = $cgi->param('pkgnum') or die;
+my $old = qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
+my %hash = $old->hash;
+$hash{'setup'} = $cgi->param('setup') ? str2time($cgi->param('setup')) : '';
+$hash{'bill'} = $cgi->param('bill') ? str2time($cgi->param('bill')) : '';
+$hash{'last_bill'} =
+  $cgi->param('last_bill') ? str2time($cgi->param('last_bill')) : '';
+$hash{'adjourn'} = $cgi->param('adjourn') ? str2time($cgi->param('adjourn')) : '';
+$hash{'expire'} = $cgi->param('expire') ? str2time($cgi->param('expire')) : '';
+
+my $new;
+my $error;
+if ( $hash{'bill'} != $old->bill        # if the next bill date was changed
+     && $hash{'bill'} < time            # to a date in the past
+     && ! $cgi->param('bill_areyousure') # and it wasn't confirmed
+   )
+{
+  $error = '_bill_areyousure';
+} else {
+  $new = new FS::cust_pkg \%hash;
+  $error = $new->replace($old);
+}
+
+</%init>
diff --git a/httemplate/edit/process/access_user.html b/httemplate/edit/process/access_user.html
index 9f7c4ddbf..ca6bb603f 100644
--- a/httemplate/edit/process/access_user.html
+++ b/httemplate/edit/process/access_user.html
@@ -13,3 +13,9 @@
              )
 %>
 %   }
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/process/agent.cgi b/httemplate/edit/process/agent.cgi
index 5128d7ae8..ad550cc37 100755
--- a/httemplate/edit/process/agent.cgi
+++ b/httemplate/edit/process/agent.cgi
@@ -1,29 +1,30 @@
-%
-%
-%my $agentnum = $cgi->param('agentnum');
-%
-%my $old = qsearchs('agent',{'agentnum'=>$agentnum}) if $agentnum;
-%
-%my $new = new FS::agent ( {
-%  map {
-%    $_, scalar($cgi->param($_));
-%  } fields('agent')
-%} );
-%
-%my $error;
-%if ( $agentnum ) {
-%  $error=$new->replace($old);
-%} else {
-%  $error=$new->insert;
-%  $agentnum=$new->getfield('agentnum');
-%}
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "agent.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "agent.cgi?". $cgi->query_string ) %>
 %} else { 
-%  print $cgi->redirect(popurl(3). "browse/agent.cgi");
+<% $cgi->redirect(popurl(3). "browse/agent.cgi") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $agentnum = $cgi->param('agentnum');
+
+my $old = qsearchs('agent',{'agentnum'=>$agentnum}) if $agentnum;
+
+my $new = new FS::agent ( {
+  map {
+    $_, scalar($cgi->param($_));
+  } fields('agent')
+} );
+
+my $error;
+if ( $agentnum ) {
+  $error=$new->replace($old);
+} else {
+  $error=$new->insert;
+  $agentnum=$new->getfield('agentnum');
+}
 
+</%init>
diff --git a/httemplate/edit/process/agent_payment_gateway.html b/httemplate/edit/process/agent_payment_gateway.html
index 436317ec4..5b5fd948a 100644
--- a/httemplate/edit/process/agent_payment_gateway.html
+++ b/httemplate/edit/process/agent_payment_gateway.html
@@ -1,26 +1,29 @@
-%
-%
-%$cgi->param('agentnum') =~ /(\d+)$/ or die "illegal agentnum";
-%my $agent = qsearchs('agent', { 'agentnum' => $1 } );
-%die "agentnum $1 not found" unless $agent;
-%
-%#my $old
-%
-%my @new = map {
-%                my $cardtype = $_;
-%                new FS::agent_payment_gateway {
-%                  ( map { $_ => scalar($cgi->param($_)) }
-%                                    fields('agent_payment_gateway')
-%                  ),
-%                  'cardtype' => $cardtype,
-%                };
-%              }
-%              $cgi->param('cardtype');
-%
-%foreach my $new (@new) {
-%  my $error = $new->insert;
-%  die $error if $error;
-%}
-%
-%
 <% $cgi->redirect(popurl(3). "browse/agent.cgi") %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+$cgi->param('agentnum') =~ /(\d+)$/ or die "illegal agentnum";
+my $agent = qsearchs('agent', { 'agentnum' => $1 } );
+die "agentnum $1 not found" unless $agent;
+
+#my $old
+
+my @new = map {
+                my $cardtype = $_;
+                new FS::agent_payment_gateway {
+                  ( map { $_ => scalar($cgi->param($_)) }
+                                    fields('agent_payment_gateway')
+                  ),
+                  'cardtype' => $cardtype,
+                };
+              }
+              $cgi->param('cardtype');
+
+foreach my $new (@new) {
+  my $error = $new->insert;
+  die $error if $error;
+}
+
+</%init>
diff --git a/httemplate/edit/process/agent_type.cgi b/httemplate/edit/process/agent_type.cgi
index b8d03705c..898e0667d 100755
--- a/httemplate/edit/process/agent_type.cgi
+++ b/httemplate/edit/process/agent_type.cgi
@@ -1,37 +1,35 @@
-%
-%
-%my $typenum = $cgi->param('typenum');
-%my $old = qsearchs('agent_type',{'typenum'=>$typenum}) if $typenum;
-%
-%my $new = new FS::agent_type ( {
-%  map {
-%    $_, scalar($cgi->param($_));
-%  } fields('agent_type')
-%} );
-%
-%my $error;
-%if ( $typenum ) {
-%  $error = $new->replace($old);
-%} else {
-%  $error    = $new->insert;
-%  $typenum  = $new->getfield('typenum');
-%}
-%#$error  ||= $new->process_m2m( );
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "agent_type.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "agent_type.cgi?". $cgi->query_string ) %>
 %} else {
-%
-%  my $error = $new->process_m2m(
-%    'link_table'   => 'type_pkgs',
-%    'target_table' => 'part_pkg',
-%    'params'       => scalar($cgi->Vars)
-%  );
-%  die $error if $error;
-%
-%  print $cgi->redirect(popurl(3). "browse/agent_type.cgi");
+<% $cgi->redirect(popurl(3). "browse/agent_type.cgi") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $typenum = $cgi->param('typenum');
+my $old = qsearchs('agent_type',{'typenum'=>$typenum}) if $typenum;
+
+my $new = new FS::agent_type ( {
+  map {
+    $_, scalar($cgi->param($_));
+  } fields('agent_type')
+} );
+
+my $error;
+if ( $typenum ) {
+  $error = $new->replace($old);
+} else {
+  $error    = $new->insert;
+  $typenum  = $new->getfield('typenum');
+}
+
+  $error ||= $new->process_m2m(
+    'link_table'   => 'type_pkgs',
+    'target_table' => 'part_pkg',
+    'params'       => scalar($cgi->Vars)
+  );
 
+<%/init>
diff --git a/httemplate/edit/process/bulk-cust_svc.cgi b/httemplate/edit/process/bulk-cust_svc.cgi
index ad4d67307..313b061ff 100644
--- a/httemplate/edit/process/bulk-cust_svc.cgi
+++ b/httemplate/edit/process/bulk-cust_svc.cgi
@@ -1,4 +1,9 @@
-%
-%  my $server = new FS::UI::Web::JSRPC 'FS::part_svc::process_bulk_cust_svc', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $server = new FS::UI::Web::JSRPC 'FS::part_svc::process_bulk_cust_svc', $cgi;
+
+</%init>
diff --git a/httemplate/edit/process/cust_bill_pay.cgi b/httemplate/edit/process/cust_bill_pay.cgi
index 962fc4eb9..43e672647 100755
--- a/httemplate/edit/process/cust_bill_pay.cgi
+++ b/httemplate/edit/process/cust_bill_pay.cgi
@@ -1,54 +1,50 @@
-%
-%
-%$cgi->param('paynum') =~ /^(\d*)$/ or die "Illegal paynum!";
-%my $paynum = $1;
-%
-%my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } )
-%  or die "No such paynum";
-%
-%my $cust_main = qsearchs('cust_main', { 'custnum' => $cust_pay->custnum } )
-%  or die "Bogus credit:  not attached to customer";
-%
-%my $custnum = $cust_main->custnum;
-%
-%my $new;
-%if ($cgi->param('invnum') =~ /^Refund$/) {
-%  $new = new FS::cust_refund ( {
-%    'reason'  => 'Refunding payment', #enter reason in UI
-%    'refund'  => $cgi->param('amount'),
-%    'payby'   => 'BILL',
-%    #'_date'   => $cgi->param('_date'),
-%    'payinfo' => 'Cash', #enter payinfo in UI
-%    'paynum' => $paynum,
-%  } );
-%} else {
-%  $new = new FS::cust_bill_pay ( {
-%    map {
-%      $_, scalar($cgi->param($_));
-%    #} qw(custnum _date amount invnum)
-%    } fields('cust_bill_pay')
-%  } );
-%}
-%
-%my $error = $new->insert;
-%
 %if ( $error ) {
-%
 %  $cgi->param('error', $error);
-%  
 <% $cgi->redirect(popurl(2). "cust_bill_pay.cgi?". $cgi->query_string ) %>
-%
-%
 %} else {
-%
-%  #print $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum");
-%
-%  
 <% header('Payment application sucessful') %>
   <SCRIPT TYPE="text/javascript">
     window.top.location.reload();
   </SCRIPT>
-
-  </BODY></HTML>
+  </BODY>
+  </HTML>
 % } 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Apply payment') #;
+      || $FS::CurrentUser::CurrentUser->access_right('Post payment'): #remove after 1.7.3
+
+$cgi->param('paynum') =~ /^(\d*)$/ or die "Illegal paynum!";
+my $paynum = $1;
+
+my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } )
+  or die "No such paynum";
+
+my $cust_main = qsearchs('cust_main', { 'custnum' => $cust_pay->custnum } )
+  or die "Bogus credit:  not attached to customer";
+
+my $custnum = $cust_main->custnum;
+
+my $new;
+if ($cgi->param('invnum') =~ /^Refund$/) {
+  $new = new FS::cust_refund ( {
+    'reason'  => 'Refunding payment', #enter reason in UI
+    'refund'  => $cgi->param('amount'),
+    'payby'   => 'BILL',
+    #'_date'   => $cgi->param('_date'),
+    'payinfo' => 'Cash', #enter payinfo in UI
+    'paynum' => $paynum,
+  } );
+} else {
+  $new = new FS::cust_bill_pay ( {
+    map {
+      $_, scalar($cgi->param($_));
+    #} qw(custnum _date amount invnum)
+    } fields('cust_bill_pay')
+  } );
+}
+
+my $error = $new->insert;
 
+</%init>
diff --git a/httemplate/edit/process/cust_credit.cgi b/httemplate/edit/process/cust_credit.cgi
index 9dcad7f68..8715ad61e 100755
--- a/httemplate/edit/process/cust_credit.cgi
+++ b/httemplate/edit/process/cust_credit.cgi
@@ -1,46 +1,10 @@
-%
-%
-%$cgi->param('custnum') =~ /^(\d*)$/ or die "Illegal custnum!";
-%my $custnum = $1;
-%
-%$cgi->param('reasonnum') =~ /^(-?\d+)$/ or die "Illegal reasonnum";
-%my $reasonnum = $1;
-%
-%my $oldAutoCommit = $FS::UID::AutoCommit;
-%local $FS::UID::AutoCommit = 0;
-%my $dbh = dbh;
-%
-%my $error = '';
-%if ($reasonnum == -1) {
-%
-%  $error = 'Enter a new reason (or select an existing one)'
-%    unless $cgi->param('newreasonnum') !~ /^\s*$/;
-%  my $reason = new FS::reason({ 'reason_type' => $cgi->param('newreasonnumT'),
-%                                'reason'      => $cgi->param('newreasonnum'),
-%                              });
-%  $error ||= $reason->insert;
-%  $cgi->param('reasonnum', $reason->reasonnum)
-%    unless $error;
-%}
-%
-%unless ($error) {
-%  my $new = new FS::cust_credit ( {
-%    map {
-%      $_, scalar($cgi->param($_));
-%    } fields('cust_credit')
-%  } );
-%  $error = $new->insert;
-%}
-%
 %if ( $error ) {
 %  $cgi->param('reasonnum', $reasonnum);
 %  $cgi->param('error', $error);
 %  $dbh->rollback if $oldAutoCommit;
-%
 %  
 <% $cgi->redirect(popurl(2). "cust_credit.cgi?". $cgi->query_string ) %>
 %
-%
 %} else {
 %
 %  if ( $cgi->param('apply') eq 'yes' ) {
@@ -59,4 +23,41 @@
 
   </BODY></HTML>
 % } 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Post credit');
+
+$cgi->param('custnum') =~ /^(\d*)$/ or die "Illegal custnum!";
+my $custnum = $1;
+
+$cgi->param('reasonnum') =~ /^(-?\d+)$/ or die "Illegal reasonnum";
+my $reasonnum = $1;
+
+my $oldAutoCommit = $FS::UID::AutoCommit;
+local $FS::UID::AutoCommit = 0;
+my $dbh = dbh;
+
+my $error = '';
+if ($reasonnum == -1) {
+
+  $error = 'Enter a new reason (or select an existing one)'
+    unless $cgi->param('newreasonnum') !~ /^\s*$/;
+  my $reason = new FS::reason({ 'reason_type' => $cgi->param('newreasonnumT'),
+                                'reason'      => $cgi->param('newreasonnum'),
+                              });
+  $error ||= $reason->insert;
+  $cgi->param('reasonnum', $reason->reasonnum)
+    unless $error;
+}
+
+unless ($error) {
+  my $new = new FS::cust_credit ( {
+    map {
+      $_, scalar($cgi->param($_));
+    } fields('cust_credit')
+  } );
+  $error = $new->insert;
+}
 
+</%init>
diff --git a/httemplate/edit/process/cust_credit_bill.cgi b/httemplate/edit/process/cust_credit_bill.cgi
index 7509a3f02..74ae00888 100755
--- a/httemplate/edit/process/cust_credit_bill.cgi
+++ b/httemplate/edit/process/cust_credit_bill.cgi
@@ -1,55 +1,51 @@
-%
-%
-%$cgi->param('crednum') =~ /^(\d*)$/ or die "Illegal crednum!";
-%my $crednum = $1;
-%
-%my $cust_credit = qsearchs('cust_credit', { 'crednum' => $crednum } )
-%  or die "No such crednum";
-%
-%my $cust_main = qsearchs('cust_main', { 'custnum' => $cust_credit->custnum } )
-%  or die "Bogus credit:  not attached to customer";
-%
-%my $custnum = $cust_main->custnum;
-%
-%my $new;
-%if ($cgi->param('invnum') =~ /^Refund$/) {
-%  $new = new FS::cust_refund ( {
-%    'reason'  => ( $cust_credit->reason || 'refund from credit' ),
-%    'refund'  => $cgi->param('amount'),
-%    'payby'   => 'BILL',
-%    #'_date'   => $cgi->param('_date'),
-%    #'payinfo' => 'Cash',
-%    'payinfo' => 'Refund',
-%    'crednum' => $crednum,
-%  } );
-%} else {
-%  $new = new FS::cust_credit_bill ( {
-%    map {
-%      $_, scalar($cgi->param($_));
-%    #} qw(custnum _date amount invnum)
-%    } fields('cust_credit_bill')
-%  } );
-%}
-%
-%my $error = $new->insert;
-%
 %if ( $error ) {
-%
 %  $cgi->param('error', $error);
-%  
 <% $cgi->redirect(popurl(2). "cust_credit_bill.cgi?". $cgi->query_string ) %>
-%
-%
 %} else {
-%
-%  #print $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum");
-%
-%  
 <% header('Credit application sucessful') %>
   <SCRIPT TYPE="text/javascript">
     window.top.location.reload();
   </SCRIPT>
-
-  </BODY></HTML>
+  </BODY>
+  </HTML>
 % } 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Apply credit') #;
+      || $FS::CurrentUser::CurrentUser->access_right('Post credit'): #remove after 1.7.3
+
+$cgi->param('crednum') =~ /^(\d*)$/ or die "Illegal crednum!";
+my $crednum = $1;
+
+my $cust_credit = qsearchs('cust_credit', { 'crednum' => $crednum } )
+  or die "No such crednum";
+
+my $cust_main = qsearchs('cust_main', { 'custnum' => $cust_credit->custnum } )
+  or die "Bogus credit:  not attached to customer";
+
+my $custnum = $cust_main->custnum;
+
+my $new;
+if ($cgi->param('invnum') =~ /^Refund$/) {
+  $new = new FS::cust_refund ( {
+    'reason'  => ( $cust_credit->reason || 'refund from credit' ),
+    'refund'  => $cgi->param('amount'),
+    'payby'   => 'BILL',
+    #'_date'   => $cgi->param('_date'),
+    #'payinfo' => 'Cash',
+    'payinfo' => 'Refund',
+    'crednum' => $crednum,
+  } );
+} else {
+  $new = new FS::cust_credit_bill ( {
+    map {
+      $_, scalar($cgi->param($_));
+    #} qw(custnum _date amount invnum)
+    } fields('cust_credit_bill')
+  } );
+}
+
+my $error = $new->insert;
 
+</%init>
diff --git a/httemplate/edit/process/cust_main.cgi b/httemplate/edit/process/cust_main.cgi
index 8de2092f9..b0c9e3e57 100755
--- a/httemplate/edit/process/cust_main.cgi
+++ b/httemplate/edit/process/cust_main.cgi
@@ -16,6 +16,9 @@ my $DEBUG = 0;
 </%once>
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit customer');
+
 my $error = '';
 
 #unmunge stuff
diff --git a/httemplate/edit/process/cust_main_county-collapse.cgi b/httemplate/edit/process/cust_main_county-collapse.cgi
index 4bcaf1de3..a917825ce 100755
--- a/httemplate/edit/process/cust_main_county-collapse.cgi
+++ b/httemplate/edit/process/cust_main_county-collapse.cgi
@@ -33,4 +33,12 @@
 %print $cgi->redirect(popurl(3). "browse/cust_main_county.cgi");
 %
 %
+<%init>
 
+#this isn't actually linked from anywhere just now, but it will be again soon
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+
+</%init>
diff --git a/httemplate/edit/process/cust_main_county-expand.cgi b/httemplate/edit/process/cust_main_county-expand.cgi
index 4e04f37fc..a8b4c2511 100755
--- a/httemplate/edit/process/cust_main_county-expand.cgi
+++ b/httemplate/edit/process/cust_main_county-expand.cgi
@@ -8,6 +8,9 @@
 </HTML>
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
 $cgi->param('taxnum') =~ /^(\d+)$/ or die "Illegal taxnum!";
 my $taxnum = $1;
 my $cust_main_county = qsearchs('cust_main_county',{'taxnum'=>$taxnum})
diff --git a/httemplate/edit/process/cust_main_county.html b/httemplate/edit/process/cust_main_county.html
index 3d9d20b85..cb56166c8 100644
--- a/httemplate/edit/process/cust_main_county.html
+++ b/httemplate/edit/process/cust_main_county.html
@@ -4,3 +4,10 @@
               #someday change the individual element and go away instead
           )
 %>
+<%init>
+
+my $conf = new FS::Conf;
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/process/cust_main_note.cgi b/httemplate/edit/process/cust_main_note.cgi
index 8b9105bd8..9689ca6d6 100755
--- a/httemplate/edit/process/cust_main_note.cgi
+++ b/httemplate/edit/process/cust_main_note.cgi
@@ -1,42 +1,7 @@
-%
-%
-%$cgi->param('custnum') =~ /^(\d+)$/
-%  or die "Illegal custnum: ". $cgi->param('custnum');
-%my $custnum = $1;
-%
-%$cgi->param('notenum') =~ /^(\d*)$/
-%  or die "Illegal notenum: ". $cgi->param('notenum');
-%my $notenum = $1;
-%
-%my $otaker = $FS::CurrentUser::CurrentUser->name;
-%$otaker = $FS::CurrentUser::CurrentUser->username
-%  if ($otaker eq "User, Legacy");
-%
-%my $new = new FS::cust_main_note ( {
-%  notenum  => $notenum,
-%  custnum  => $custnum,
-%  _date    => time,
-%  otaker   => $otaker,
-%  comments =>  $cgi->param('comment'),
-%} );
-%
-%my $error;
-%if ($notenum){
-%  my $old  = qsearchs('cust_main_note', { 'notenum' => $notenum });
-%  $error = "No such note: $notenum" unless $old;
-%  unless($error){
-%    map { $new->$_($old->$_) } ('_date', 'otaker');
-%    $error = $new->replace($old);
-%  }
-%}else{
-%  $error = $new->insert;
-%}
-%
 %if ($error) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). 'cust_main_note.cgi?'. $cgi->query_string );
-%}
-%
+<% $cgi->redirect(popurl(2). 'cust_main_note.cgi?'. $cgi->query_string ) %>
+%} else {
 %    
 <% header('Note ' . ($notenum ? 'updated' : 'added') ) %>
     <SCRIPT TYPE="text/javascript">
@@ -48,5 +13,48 @@
     </SCRIPT>
     </BODY></HTML>
 %
-%
+% }
+<%init>
+
+$cgi->param('custnum') =~ /^(\d+)$/
+  or die "Illegal custnum: ". $cgi->param('custnum');
+my $custnum = $1;
+
+$cgi->param('notenum') =~ /^(\d*)$/
+  or die "Illegal notenum: ". $cgi->param('notenum');
+my $notenum = $1;
+
+my $otaker = $FS::CurrentUser::CurrentUser->name;
+$otaker = $FS::CurrentUser::CurrentUser->username
+  if ($otaker eq "User, Legacy");
+
+my $new = new FS::cust_main_note ( {
+  notenum  => $notenum,
+  custnum  => $custnum,
+  _date    => time,
+  otaker   => $otaker,
+  comments =>  $cgi->param('comment'),
+} );
+
+my $error;
+if ($notenum) {
+
+  die "access denied"
+    unless $FS::CurrentUser::CurrentUser->access_right('Edit customer note');
+
+  my $old  = qsearchs('cust_main_note', { 'notenum' => $notenum });
+  $error = "No such note: $notenum" unless $old;
+  unless ($error) {
+    map { $new->$_($old->$_) } ('_date', 'otaker');
+    $error = $new->replace($old);
+  }
+
+} else {
+
+  die "access denied"
+    unless $FS::CurrentUser::CurrentUser->access_right('Add customer note');
+
+  $error = $new->insert;
+}
 
+</%init>
diff --git a/httemplate/edit/process/cust_pay.cgi b/httemplate/edit/process/cust_pay.cgi
index a34c88aba..647f6fc6c 100755
--- a/httemplate/edit/process/cust_pay.cgi
+++ b/httemplate/edit/process/cust_pay.cgi
@@ -1,32 +1,8 @@
-%
-%
-%$cgi->param('linknum') =~ /^(\d+)$/
-%  or die "Illegal linknum: ". $cgi->param('linknum');
-%my $linknum = $1;
-%
-%$cgi->param('link') =~ /^(custnum|invnum|popup)$/
-%  or die "Illegal link: ". $cgi->param('link');
-%my $field = my $link = $1;
-%$field = 'custnum' if $field eq 'popup';
-%
-%my $_date = str2time($cgi->param('_date'));
-%
-%my $new = new FS::cust_pay ( {
-%  $field => $linknum,
-%  _date  => $_date,
-%  map {
-%    $_, scalar($cgi->param($_));
-%  } qw(paid payby payinfo paybatch)
-%  #} fields('cust_pay')
-%} );
-%
-%my $error = $new->insert( 'manual' => 1 );
-%
 %if ($error) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). 'cust_pay.cgi?'. $cgi->query_string );
+<% $cgi->redirect(popurl(2). 'cust_pay.cgi?'. $cgi->query_string ) %>
 %} elsif ( $field eq 'invnum' ) {
-%  print $cgi->redirect(popurl(3). "view/cust_bill.cgi?$linknum");
+<% $cgi->redirect(popurl(3). "view/cust_bill.cgi?$linknum") %>
 %} elsif ( $field eq 'custnum' ) {
 %  if ( $cgi->param('apply') eq 'yes' ) {
 %    my $cust_main = qsearchs('cust_main', { 'custnum' => $linknum })
@@ -34,7 +10,6 @@
 %    $cust_main->apply_payments;
 %  }
 %  if ( $link eq 'popup' ) {
-%
 %    
 <% header('Payment entered') %>
     <SCRIPT TYPE="text/javascript">
@@ -43,14 +18,38 @@
 
     </BODY></HTML>
 %
-%
 %  } elsif ( $link eq 'custnum' ) {
-%    print $cgi->redirect(popurl(3). "view/cust_main.cgi?$linknum");
+<% $cgi->redirect(popurl(3). "view/cust_main.cgi?$linknum") %>
 %  } else {
 %    die "unknown link $link";
 %  }
 %
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Post payment');
+
+$cgi->param('linknum') =~ /^(\d+)$/
+  or die "Illegal linknum: ". $cgi->param('linknum');
+my $linknum = $1;
+
+$cgi->param('link') =~ /^(custnum|invnum|popup)$/
+  or die "Illegal link: ". $cgi->param('link');
+my $field = my $link = $1;
+$field = 'custnum' if $field eq 'popup';
+
+my $_date = str2time($cgi->param('_date'));
+
+my $new = new FS::cust_pay ( {
+  $field => $linknum,
+  _date  => $_date,
+  map {
+    $_, scalar($cgi->param($_));
+  } qw(paid payby payinfo paybatch)
+  #} fields('cust_pay')
+} );
+
+my $error = $new->insert( 'manual' => 1 );
 
+</%init>
diff --git a/httemplate/edit/process/cust_pkg.cgi b/httemplate/edit/process/cust_pkg.cgi
index 25b826758..bdade321f 100755
--- a/httemplate/edit/process/cust_pkg.cgi
+++ b/httemplate/edit/process/cust_pkg.cgi
@@ -11,7 +11,7 @@
     </HTML>
 
 % } elsif ( $action eq 'bulk' ) {
-%   $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum");
+<% $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum") %>
 % } else {
 %   die "guru exception #5: action is neither change nor bulk!";
 % }
@@ -28,15 +28,27 @@ my @remove_pkgnums = map {
   $1;
 } $cgi->param('remove_pkg');
 
+my $curuser = $FS::CurrentUser::CurrentUser;
+
 my( $action, $error_redirect );
 my @pkgparts = ();
 if ( $cgi->param('new_pkgpart') =~ /^(\d+)$/ ) { #came from misc/change_pkg.cgi
+
   $action = 'change';
   $error_redirect = "misc/change_pkg.cgi";
   @pkgparts = ($1);
+
+  die "access denied"
+    unless $curuser->access_right('Change customer package');
+
 } else { #came from edit/cust_pkg.cgi
+
   $action = 'bulk';
   $error_redirect = "edit/cust_pkg.cgi";
+
+  die "access denied"
+    unless $curuser->access_right('Bulk change customer packages');
+
   foreach my $pkgpart ( map /^pkg(\d+)$/ ? $1 : (), $cgi->param ) {
     if ( $cgi->param("pkg$pkgpart") =~ /^(\d+)$/ ) {
       my $num_pkgs = $1;
@@ -48,6 +60,7 @@ if ( $cgi->param('new_pkgpart') =~ /^(\d+)$/ ) { #came from misc/change_pkg.cgi
       last;
     }
   }
+
 }
 
 $error ||= FS::cust_pkg::order($custnum,\@pkgparts,\@remove_pkgnums);
diff --git a/httemplate/edit/process/cust_refund.cgi b/httemplate/edit/process/cust_refund.cgi
index d95ab46dc..1a7a394b3 100755
--- a/httemplate/edit/process/cust_refund.cgi
+++ b/httemplate/edit/process/cust_refund.cgi
@@ -1,38 +1,43 @@
-%$cgi->param('custnum') =~ /^(\d*)$/ or die "Illegal custnum!";
-%my $custnum = $1;
-%my $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } )
-%  or die "unknown custnum $custnum";
-%
-%my $error = '';
-%if ( $cgi->param('payby') =~ /^(CARD|CHEK)$/ ) { 
-%  my %options = ();
-%  my $bop = $FS::payby::payby2bop{$1};
-%  $cgi->param('refund') =~ /^(\d*)(\.\d{2})?$/
-%    or die "illegal refund amount ". $cgi->param('refund');
-%  my $refund = "$1$2";
-%  $cgi->param('paynum') =~ /^(\d*)$/ or die "Illegal paynum!";
-%  my $paynum = $1;
-%  my $reason = $cgi->param('reason');
-%  my $paydate = $cgi->param('exp_year'). '-'. $cgi->param('exp_month'). '-01';
-%  $options{'paydate'} = $paydate if $paydate =~ /^\d{2,4}-\d{1,2}-01$/;
-%  $error = $cust_main->realtime_refund_bop( $bop, 'amount' => $refund,
-%                                                  'paynum' => $paynum,
-%                                                  'reason' => $reason,
-%                                                  %options );
-%} else {
-%  die 'unimplemented';
-%  #my $new = new FS::cust_refund ( {
-%  #  map {
-%  #    $_, scalar($cgi->param($_));
-%  #  } ( fields('cust_refund'), 'paynum' )
-%  #} );
-%  #$error = $new->insert;
-%}
-%
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "cust_refund.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "cust_refund.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum");
+<% $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum") %>
 %}
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Refund payment');
+
+$cgi->param('custnum') =~ /^(\d*)$/ or die "Illegal custnum!";
+my $custnum = $1;
+my $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } )
+  or die "unknown custnum $custnum";
+
+my $error = '';
+if ( $cgi->param('payby') =~ /^(CARD|CHEK)$/ ) { 
+  my %options = ();
+  my $bop = $FS::payby::payby2bop{$1};
+  $cgi->param('refund') =~ /^(\d*)(\.\d{2})?$/
+    or die "illegal refund amount ". $cgi->param('refund');
+  my $refund = "$1$2";
+  $cgi->param('paynum') =~ /^(\d*)$/ or die "Illegal paynum!";
+  my $paynum = $1;
+  my $reason = $cgi->param('reason');
+  my $paydate = $cgi->param('exp_year'). '-'. $cgi->param('exp_month'). '-01';
+  $options{'paydate'} = $paydate if $paydate =~ /^\d{2,4}-\d{1,2}-01$/;
+  $error = $cust_main->realtime_refund_bop( $bop, 'amount' => $refund,
+                                                  'paynum' => $paynum,
+                                                  'reason' => $reason,
+                                                  %options );
+} else {
+  die 'unimplemented';
+  #my $new = new FS::cust_refund ( {
+  #  map {
+  #    $_, scalar($cgi->param($_));
+  #  } ( fields('cust_refund'), 'paynum' )
+  #} );
+  #$error = $new->insert;
+}
+
+</%init>
diff --git a/httemplate/edit/process/cust_svc.cgi b/httemplate/edit/process/cust_svc.cgi
index e9d5f6238..e22cbb201 100644
--- a/httemplate/edit/process/cust_svc.cgi
+++ b/httemplate/edit/process/cust_svc.cgi
@@ -1,30 +1,30 @@
-%
-%
-%my $svcnum = $cgi->param('svcnum');
-%
-%my $old = qsearchs('cust_svc',{'svcnum'=>$svcnum}) if $svcnum;
-%
-%my $new = new FS::cust_svc ( {
-%  map {
-%    $_, scalar($cgi->param($_));
-%  } fields('cust_svc')
-%} );
-%
-%my $error;
-%if ( $svcnum ) {
-%  $error=$new->replace($old);
-%} else {
-%  $error=$new->insert;
-%  $svcnum=$new->getfield('svcnum');
-%}
-%
 %if ( $error ) {
-%  #$cgi->param('error', $error);
-%  #print $cgi->redirect(popurl(2). "cust_svc.cgi?". $cgi->query_string );
 %  errorpage($error);
 %} else { 
 %  my $svcdb = $new->part_svc->svcdb;
-%  print $cgi->redirect(popurl(3). "view/$svcdb.cgi?$svcnum");
+<% $cgi->redirect(popurl(3). "view/$svcdb.cgi?$svcnum") %>
 %}
-%
-%
+<%init>
+
+die 'access deined'
+ unless $FS::CurrentUser::CurrentUser->access_right('Change customer service');
+
+my $svcnum = $cgi->param('svcnum');
+
+my $old = qsearchs('cust_svc',{'svcnum'=>$svcnum}) if $svcnum;
+
+my $new = new FS::cust_svc ( {
+  map {
+    $_, scalar($cgi->param($_));
+  } fields('cust_svc')
+} );
+
+my $error;
+if ( $svcnum ) {
+  $error=$new->replace($old);
+} else {
+  $error=$new->insert;
+  $svcnum=$new->getfield('svcnum');
+}
+
+</%init>
diff --git a/httemplate/edit/process/domain_record.cgi b/httemplate/edit/process/domain_record.cgi
index daf35ad6d..2e427e4fb 100755
--- a/httemplate/edit/process/domain_record.cgi
+++ b/httemplate/edit/process/domain_record.cgi
@@ -1,36 +1,30 @@
-%
-%
-%my $recnum = $cgi->param('recnum');
-%
-%my $old = qsearchs('agent',{'recnum'=>$recnum}) if $recnum;
-%
-%my $new = new FS::domain_record ( {
-%  map {
-%    $_, scalar($cgi->param($_));
-%  } fields('domain_record')
-%} );
-%
-%my $error;
-%if ( $recnum ) {
-%  $error=$new->replace($old);
-%} else {
-%  $error=$new->insert;
-%  $recnum=$new->getfield('recnum');
-%}
-%
 %if ( $error ) {
-%#  $cgi->param('error', $error);
-%#  print $cgi->redirect(popurl(2). "agent.cgi?". $cgi->query_string );
-%  #no edit screen to send them back to
-%
-
-<!-- mason kludge -->
-%
 %  errorpage($error);
 %} else { 
 %  my $svcnum = $new->svcnum;
-%  print $cgi->redirect(popurl(3). "view/svc_domain.cgi?$svcnum");
+<% $cgi->redirect(popurl(3). "view/svc_domain.cgi?$svcnum") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit domain nameservice');
+
+my $recnum = $cgi->param('recnum');
+
+my $old = qsearchs('agent',{'recnum'=>$recnum}) if $recnum;
+
+my $new = new FS::domain_record ( {
+  map {
+    $_, scalar($cgi->param($_));
+  } fields('domain_record')
+} );
+
+my $error;
+if ( $recnum ) {
+  $error=$new->replace($old);
+} else {
+  $error=$new->insert;
+  $recnum=$new->getfield('recnum');
+}
 
+</%init>
diff --git a/httemplate/edit/process/generic.cgi b/httemplate/edit/process/generic.cgi
index e3ac113ae..642876386 100644
--- a/httemplate/edit/process/generic.cgi
+++ b/httemplate/edit/process/generic.cgi
@@ -1,73 +1,77 @@
-%# Welcome to generic.cgi.
-%# 
-%# This script provides a generic edit/process/ backend for simple table 
-%# editing.  All it knows how to do is take the values entered into 
-%# the script and insert them into the table specified by $cgi->param('table').
-%# If there's an existing record with the same primary key, it will be 
-%# replaced.  (Deletion will be added in the future.)
-%# 
-%# also see elements/process.html, newer and somewhat along the same lines,
-%# though it still makes you setup a process file for the table.
-%# perhaps safer, perhaps more of a pain in the ass.
-%# 
-%# Special cgi params for this script:
-%# table: the name of the table to be edited.  The script will die horribly 
-%#        if it can't find the table.
-%# redirect_ok: URL to be displayed after a successful edit.  The value of 
-%#              the record's primary key will be passed as a keyword.
-%#              Defaults to (freeside root)/view/$table.cgi.
-%# redirect_error: URL to be displayed if there's an error.  The original 
-%#                 query string, plus the error message, will be passed.
-%#                 Defaults to $cgi->referer() (i.e. go back where you 
-%#                 came from).
-%
-%
-%use FS::Record qw(qsearchs dbdef);
-%use DBIx::DBSchema;
-%use DBIx::DBSchema::Table;
-%
-%
-%my $error;
-%my $p2 = popurl(2);
-%my $p3 = popurl(3);
-%my $table = $cgi->param('table');
-%my $dbdef = dbdef or die "Cannot fetch dbdef!";
-%
-%my $dbdef_table = $dbdef->table($table) or die "Cannot fetch schema for $table";
-%
-%my $pkey = $dbdef_table->primary_key or die "Cannot fetch pkey for $table";
-%my $pkey_val = $cgi->param($pkey);
-%
-%
-%#warn "new FS::Record ( $table, (hashref) )";
-%my $new = FS::Record::new ( "FS::$table", {
-%    map { $_, scalar($cgi->param($_)) } fields($table) 
-%} );
-%
-%#warn 'created $new of class '.ref($new);
-%
-%if($pkey_val and (my $old = qsearchs($table, { $pkey, $pkey_val} ))) {
-%  # edit
-%  $error = $new->replace($old);
-%} else {
-%  #add
-%  $error = $new->insert;
-%  $pkey_val = $new->getfield($pkey);
-%  # New records usually don't have their primary keys set until after 
-%  # they've been checked/inserted, so grab the new $pkey_val so we can 
-%  # redirect to it.
-%}
-%
-%my $redirect_ok = (($cgi->param('redirect_ok')) ?
-%                    $cgi->param('redirect_ok') : $p3."browse/generic.cgi?$table");
-%my $redirect_error = (($cgi->param('redirect_error')) ?
-%                       $cgi->param('redirect_error') : $cgi->referer());
-%
 %if($error) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect($redirect_error . '?' . $cgi->query_string);
+<% $cgi->redirect($redirect_error . '?' . $cgi->query_string) %>
 %} else {
-%  print $cgi->redirect($redirect_ok);
+<% $cgi->redirect($redirect_ok) %>
 %}
-%
+<%doc>
+
+See elements/process.html, newer and somewhat along the same lines,
+though it still makes you setup a process file for the table.
+Perhaps safer, perhaps more of a pain in the ass.
+
+In any case, this is probably pretty deprecated; it is only used by
+part_virtual_field.cgi, and so its ACL is hardcoded to 'Configuration'.
+
+Welcome to generic.cgi.
+
+This script provides a generic edit/process/ backend for simple table 
+editing.  All it knows how to do is take the values entered into 
+the script and insert them into the table specified by $cgi->param('table').
+If there's an existing record with the same primary key, it will be 
+replaced.  (Deletion will be added in the future.)
+
+Special cgi params for this script:
+table: the name of the table to be edited.  The script will die horribly 
+       if it can't find the table.
+redirect_ok: URL to be displayed after a successful edit.  The value of 
+             the record's primary key will be passed as a keyword.
+             Defaults to (freeside root)/view/$table.cgi.
+redirect_error: URL to be displayed if there's an error.  The original 
+                query string, plus the error message, will be passed.
+                Defaults to $cgi->referer() (i.e. go back where you 
+                came from).
+
+</%doc>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $error;
+my $p2 = popurl(2);
+my $p3 = popurl(3);
+my $table = $cgi->param('table');
+my $dbdef = dbdef or die "Cannot fetch dbdef!";
+
+my $dbdef_table = $dbdef->table($table) or die "Cannot fetch schema for $table";
+
+my $pkey = $dbdef_table->primary_key or die "Cannot fetch pkey for $table";
+my $pkey_val = $cgi->param($pkey);
+
+
+#warn "new FS::Record ( $table, (hashref) )";
+my $new = FS::Record::new ( "FS::$table", {
+    map { $_, scalar($cgi->param($_)) } fields($table) 
+} );
+
+#warn 'created $new of class '.ref($new);
+
+if($pkey_val and (my $old = qsearchs($table, { $pkey, $pkey_val} ))) {
+  # edit
+  $error = $new->replace($old);
+} else {
+  #add
+  $error = $new->insert;
+  $pkey_val = $new->getfield($pkey);
+  # New records usually don't have their primary keys set until after 
+  # they've been checked/inserted, so grab the new $pkey_val so we can 
+  # redirect to it.
+}
+
+my $redirect_ok = (($cgi->param('redirect_ok')) ?
+                    $cgi->param('redirect_ok') : $p3."browse/generic.cgi?$table");
+my $redirect_error = (($cgi->param('redirect_error')) ?
+                       $cgi->param('redirect_error') : $cgi->referer());
 
+</%init>
diff --git a/httemplate/edit/process/inventory_class.html b/httemplate/edit/process/inventory_class.html
index c7be9e8dd..dbf978e72 100644
--- a/httemplate/edit/process/inventory_class.html
+++ b/httemplate/edit/process/inventory_class.html
@@ -3,3 +3,9 @@
                'viewall_dir' => 'browse',
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/process/msgcat.cgi b/httemplate/edit/process/msgcat.cgi
index 9711143d6..7175fa2b3 100644
--- a/httemplate/edit/process/msgcat.cgi
+++ b/httemplate/edit/process/msgcat.cgi
@@ -1,21 +1,22 @@
-%
-%
-%my $error;
-%foreach my $param ( grep { /^\d+$/ } $cgi->param ) {
-%  my $old = qsearchs('msgcat', { msgnum=>$param } );
-%  next if $old->msg eq $cgi->param($param); #no need to update identical records
-%  my $new = new FS::msgcat { $old->hash };
-%  $new->msg($cgi->param($param));
-%  $error = $new->replace($old);
-%  last if $error;
-%}
-%
 %if ( $error ) {
 %  $cgi->param('error',$error);
-%  print $cgi->redirect($p. "msgcat.cgi?". $cgi->query_string );
+<% $cgi->redirect($p. "msgcat.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "browse/msgcat.cgi");
+<% $cgi->redirect(popurl(3). "browse/msgcat.cgi") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $error;
+foreach my $param ( grep { /^\d+$/ } $cgi->param ) {
+  my $old = qsearchs('msgcat', { msgnum=>$param } );
+  next if $old->msg eq $cgi->param($param); #no need to update identical records
+  my $new = new FS::msgcat { $old->hash };
+  $new->msg($cgi->param($param));
+  $error = $new->replace($old);
+  last if $error;
+}
 
+</%init>
diff --git a/httemplate/edit/process/part_bill_event.cgi b/httemplate/edit/process/part_bill_event.cgi
index af594f264..3534519fd 100755
--- a/httemplate/edit/process/part_bill_event.cgi
+++ b/httemplate/edit/process/part_bill_event.cgi
@@ -1,89 +1,92 @@
-%
-%my $eventpart = $cgi->param('eventpart');
-%
-%my $old = qsearchs('part_bill_event',{'eventpart'=>$eventpart}) if $eventpart;
-%
-%#s/days/seconds/
-%$cgi->param('seconds', int( $cgi->param('days') * 86400 ) );
-%
-%my $error;
-%if ( ! $cgi->param('plan_weight_eventcode') ) {
-%  $error = "Must select an action";
-%} else {
-%
-%  $cgi->param('plan_weight_eventcode') =~ /^([\w\-]+):(\d+):(.*)$/s
-%    or die "illegal plan_weight_eventcode:".
-%           $cgi->param('plan_weight_eventcode');
-%  $cgi->param('plan', $1);
-%  $cgi->param('weight', $2);
-%  my $eventcode = $3;
-%  my $plandata = '';
-%
-%  my $rnum;
-%  my $rtype;
-%  my $reasonm;
-%  my $class  = '';
-%  $class='c' if ($eventcode =~ /cancel/);
-%  $class='s' if ($eventcode =~ /suspend/);
-%  if ($class) {
-%    $cgi->param("${class}reason") =~ /^(-?\d+)$/
-%      or $error =  "Invalid ${class}reason";
-%    $rnum = $1;
-%    if ($rnum == -1) {
-%      $cgi->param("new${class}reasonT") =~ /^(\d+)$/
-%        or $error =  "Invalid new${class}reasonT";
-%      $rtype = $1;
-%      $cgi->param("new${class}reason") =~ /^([\s\w]+)$/
-%        or $error = "Invalid new${class}reason";
-%      $reasonm = $1;
-%    }
-%  }
-% 
-%  if ($rnum == -1 && !$error) {
-%    my $reason = new FS::reason ({ 'reason'      => $reasonm,
-%                                   'reason_type' => $rtype,
-%                                 });
-%    $error = $reason->insert;
-%    unless ($error) {
-%      $rnum = $reason->reasonnum;
-%      $cgi->param("${class}reason", $rnum);
-%      $cgi->param("new${class}reason", '');
-%      $cgi->param("new${class}reasonT", '');
-%    }
-%  }
-%
-%  while ( $eventcode =~ /%%%(\w+)%%%/ ) {
-%    my $field = $1;
-%    my $value = join(', ', $cgi->param($field) );
-%    $cgi->param($field, $value); #in case it errors out
-%    $eventcode =~ s/%%%$field%%%/$value/;
-%    $plandata .= "$field $value\n";
-%  }
-%  $cgi->param('eventcode', $eventcode);
-%  $cgi->param('plandata', $plandata);
-%
-%  unless($error){
-%    my $new = new FS::part_bill_event ( {
-%      map {
-%        $_, scalar($cgi->param($_));
-%      } fields('part_bill_event'),
-%    } );
-%    $new->setfield('reason', $rnum);
-%
-%    if ( $eventpart ) {
-%      $error = $new->replace($old);
-%    } else {
-%      $error = $new->insert;
-%      $eventpart = $new->getfield('eventpart');
-%    }
-%  }
-%} 
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "part_bill_event.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "part_bill_event.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3)."browse/part_bill_event.cgi");
+<% $cgi->redirect(popurl(3)."browse/part_bill_event.cgi") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $eventpart = $cgi->param('eventpart');
+
+my $old = qsearchs('part_bill_event',{'eventpart'=>$eventpart}) if $eventpart;
+
+#s/days/seconds/
+$cgi->param('seconds', int( $cgi->param('days') * 86400 ) );
+
+my $error;
+if ( ! $cgi->param('plan_weight_eventcode') ) {
+  $error = "Must select an action";
+} else {
+
+  $cgi->param('plan_weight_eventcode') =~ /^([\w\-]+):(\d+):(.*)$/s
+    or die "illegal plan_weight_eventcode:".
+           $cgi->param('plan_weight_eventcode');
+  $cgi->param('plan', $1);
+  $cgi->param('weight', $2);
+  my $eventcode = $3;
+  my $plandata = '';
+
+  my $rnum;
+  my $rtype;
+  my $reasonm;
+  my $class  = '';
+  $class='c' if ($eventcode =~ /cancel/);
+  $class='s' if ($eventcode =~ /suspend/);
+  if ($class) {
+    $cgi->param("${class}reason") =~ /^(-?\d+)$/
+      or $error =  "Invalid ${class}reason";
+    $rnum = $1;
+    if ($rnum == -1) {
+      $cgi->param("new${class}reasonT") =~ /^(\d+)$/
+        or $error =  "Invalid new${class}reasonT";
+      $rtype = $1;
+      $cgi->param("new${class}reason") =~ /^([\s\w]+)$/
+        or $error = "Invalid new${class}reason";
+      $reasonm = $1;
+    }
+  }
+ 
+  if ($rnum == -1 && !$error) {
+    my $reason = new FS::reason ({ 'reason'      => $reasonm,
+                                   'reason_type' => $rtype,
+                                 });
+    $error = $reason->insert;
+    unless ($error) {
+      $rnum = $reason->reasonnum;
+      $cgi->param("${class}reason", $rnum);
+      $cgi->param("new${class}reason", '');
+      $cgi->param("new${class}reasonT", '');
+    }
+  }
+
+  while ( $eventcode =~ /%%%(\w+)%%%/ ) {
+    my $field = $1;
+    my $value = join(', ', $cgi->param($field) );
+    $cgi->param($field, $value); #in case it errors out
+    $eventcode =~ s/%%%$field%%%/$value/;
+    $plandata .= "$field $value\n";
+  }
+  $cgi->param('eventcode', $eventcode);
+  $cgi->param('plandata', $plandata);
+
+  unless($error){
+    my $new = new FS::part_bill_event ( {
+      map {
+        $_, scalar($cgi->param($_));
+      } fields('part_bill_event'),
+    } );
+    $new->setfield('reason', $rnum);
+
+    if ( $eventpart ) {
+      $error = $new->replace($old);
+    } else {
+      $error = $new->insert;
+      $eventpart = $new->getfield('eventpart');
+    }
+  }
+} 
+
+</%init>
diff --git a/httemplate/edit/process/part_export.cgi b/httemplate/edit/process/part_export.cgi
index 0dd9eabae..b5f82e892 100644
--- a/httemplate/edit/process/part_export.cgi
+++ b/httemplate/edit/process/part_export.cgi
@@ -1,40 +1,41 @@
-%
-%
-%my $exportnum = $cgi->param('exportnum');
-%
-%my $old = qsearchs('part_export', { 'exportnum'=>$exportnum } ) if $exportnum;
-%
-%#fixup options
-%#warn join('-', split(',',$cgi->param('options')));
-%my %options = map {
-%  my $value = $cgi->param($_);
-%  $value =~ s/\r\n/\n/g; #browsers? (textarea)
-%  $_ => $value;
-%} split(',', $cgi->param('options'));
-%
-%my $new = new FS::part_export ( {
-%  map {
-%    $_, scalar($cgi->param($_));
-%  } fields('part_export')
-%} );
-%
-%my $error;
-%if ( $exportnum ) {
-%  #warn $old;
-%  #warn $exportnum;
-%  #warn $new->machine;
-%  $error = $new->replace($old,\%options);
-%} else {
-%  $error = $new->insert(\%options);
-%#  $exportnum = $new->exportnum;
-%}
-%
 %if ( $error ) {
 %  $cgi->param('error', $error );
-%  print $cgi->redirect(popurl(2). "part_export.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "part_export.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "browse/part_export.cgi");
+<% $cgi->redirect(popurl(3). "browse/part_export.cgi") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $exportnum = $cgi->param('exportnum');
+
+my $old = qsearchs('part_export', { 'exportnum'=>$exportnum } ) if $exportnum;
+
+#fixup options
+#warn join('-', split(',',$cgi->param('options')));
+my %options = map {
+  my $value = $cgi->param($_);
+  $value =~ s/\r\n/\n/g; #browsers? (textarea)
+  $_ => $value;
+} split(',', $cgi->param('options'));
+
+my $new = new FS::part_export ( {
+  map {
+    $_, scalar($cgi->param($_));
+  } fields('part_export')
+} );
+
+my $error;
+if ( $exportnum ) {
+  #warn $old;
+  #warn $exportnum;
+  #warn $new->machine;
+  $error = $new->replace($old,\%options);
+} else {
+  $error = $new->insert(\%options);
+#  $exportnum = $new->exportnum;
+}
 
+</%init>
diff --git a/httemplate/edit/process/part_pkg.cgi b/httemplate/edit/process/part_pkg.cgi
index b29e96305..f4d0c209e 100755
--- a/httemplate/edit/process/part_pkg.cgi
+++ b/httemplate/edit/process/part_pkg.cgi
@@ -1,103 +1,111 @@
-%
-%
-%my $dbh = dbh;
-%my $conf = new FS::Conf;
-%
-%my $pkgpart = $cgi->param('pkgpart');
-%
-%my $old = qsearchs('part_pkg',{'pkgpart'=>$pkgpart}) if $pkgpart;
-%
-%tie my %plans, 'Tie::IxHash', %{ FS::part_pkg::plan_info() };
-%my $href = $plans{$cgi->param('plan')}->{'fields'};
-%
-%#fixup plandata
-%my $error;
-%my $plandata = $cgi->param('plandata');
-%my @plandata = split(',', $plandata);
-%$cgi->param('plandata', 
-%  join('', map { my $parser = sub { shift };
-%                 $parser = $href->{$_}{parse} if exists($href->{$_}{parse});
-%                 my $value = join(', ', &$parser($cgi->param($_)));
-%                 my $check = $href->{$_}{check};
-%                 if ( $check && ! &$check($value) ) {
-%                   $value = join(', ', $cgi->param($_));
-%                   $error ||= "Illegal ". ($href->{$_}{name}||$_). ": $value";
-%                 }
-%                 "$_=$value\n";
-%               } @plandata )
-%);
-%
-%foreach (qw( setuptax recurtax disabled )) {
-%  $cgi->param($_, '') unless defined $cgi->param($_);
-%}
-%
-%my @agents;
-%foreach ($cgi->param('agent_type')) {
-%  /^(\d+)$/;
-%  push @agents, $1 if $1;
-%}
-%$error = "At least one agent type must be specified."
-%  unless( scalar(@agents) ||
-%          $cgi->param('clone') && $cgi->param('clone') =~ /^\d+$/ ||
-%          !$pkgpart && $conf->exists('agent-defaultpkg')
-%        );
-%
-%my $new = new FS::part_pkg ( {
-%  map {
-%    $_ => scalar($cgi->param($_));
-%  } fields('part_pkg')
-%} );
-%
-%my $oldAutoCommit = $FS::UID::AutoCommit;
-%local $FS::UID::AutoCommit = 0;
-%
-%my %pkg_svc = map { $_ => scalar($cgi->param("pkg_svc$_")) }
-%              map { $_->svcpart }
-%              qsearch('part_svc', {} );
-%
-%my $custnum = '';
-%if ( $error ) {
-%
-% # fall through
-%
-%} elsif ( $cgi->param('taxclass') eq '(select)' ) {
-%
-%  $error = 'Must select a tax class';
-%
-%} elsif ( $pkgpart ) {
-%
-%  $error = $new->replace( $old,
-%                          pkg_svc     => \%pkg_svc,
-%                          primary_svc => scalar($cgi->param('pkg_svc_primary')),
-%                        );
-%} else {
-%
-%  $error = $new->insert(  pkg_svc     => \%pkg_svc,
-%                          primary_svc => scalar($cgi->param('pkg_svc_primary')),
-%                          cust_pkg    => $cgi->param('pkgnum'),
-%                          custnum_ref => \$custnum,
-%                       );
-%  $pkgpart = $new->pkgpart;
-%}
-%
-%unless ( $error || $conf->exists('agent_defaultpkg') ) {
-%  my $error = $new->process_m2m(
-%    'link_table'   => 'type_pkgs',
-%    'target_table' => 'agent_type',
-%    'params'       => \@agents,
-%  );
-%}
 %if ( $error ) {
 %  $dbh->rollback if $oldAutoCommit;
 %  $cgi->param('error', $error );
-%  print $cgi->redirect(popurl(2). "part_pkg.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "part_pkg.cgi?". $cgi->query_string ) %>
 %} elsif ( $custnum )  {
 %  $dbh->commit or die $dbh->errstr if $oldAutoCommit;
-%  print $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum");
+<% $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum") %>
 %} else {
 %  $dbh->commit or die $dbh->errstr if $oldAutoCommit;
-%  print $cgi->redirect(popurl(3). "browse/part_pkg.cgi");
+<% $cgi->redirect(popurl(3). "browse/part_pkg.cgi") %>
 %}
-%
-%
+<%init>
+
+#1.7
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+#1.9
+#die "access denied"
+#  unless $FS::CurrentUser::CurrentUser->access_right('Edit package definitions')
+#      || $FS::CurrentUser::CurrentUser->access_right('Edit global package definitions');
+
+my $dbh = dbh;
+my $conf = new FS::Conf;
+
+my $pkgpart = $cgi->param('pkgpart');
+
+my $old = qsearchs('part_pkg',{'pkgpart'=>$pkgpart}) if $pkgpart;
+
+tie my %plans, 'Tie::IxHash', %{ FS::part_pkg::plan_info() };
+my $href = $plans{$cgi->param('plan')}->{'fields'};
+
+#fixup plandata
+my $error;
+my $plandata = $cgi->param('plandata');
+my @plandata = split(',', $plandata);
+$cgi->param('plandata', 
+  join('', map { my $parser = sub { shift };
+                 $parser = $href->{$_}{parse} if exists($href->{$_}{parse});
+                 my $value = join(', ', &$parser($cgi->param($_)));
+                 my $check = $href->{$_}{check};
+                 if ( $check && ! &$check($value) ) {
+                   $value = join(', ', $cgi->param($_));
+                   $error ||= "Illegal ". ($href->{$_}{name}||$_). ": $value";
+                 }
+                 "$_=$value\n";
+               } @plandata )
+);
+
+foreach (qw( setuptax recurtax disabled )) {
+  $cgi->param($_, '') unless defined $cgi->param($_);
+}
+
+my @agents;
+foreach ($cgi->param('agent_type')) {
+  /^(\d+)$/;
+  push @agents, $1 if $1;
+}
+$error = "At least one agent type must be specified."
+  unless( scalar(@agents) ||
+          $cgi->param('clone') && $cgi->param('clone') =~ /^\d+$/ ||
+          !$pkgpart && $conf->exists('agent-defaultpkg')
+        );
+
+my $new = new FS::part_pkg ( {
+  map {
+    $_ => scalar($cgi->param($_));
+  } fields('part_pkg')
+} );
+
+my $oldAutoCommit = $FS::UID::AutoCommit;
+local $FS::UID::AutoCommit = 0;
+
+my %pkg_svc = map { $_ => scalar($cgi->param("pkg_svc$_")) }
+              map { $_->svcpart }
+              qsearch('part_svc', {} );
+
+my $custnum = '';
+if ( $error ) {
+
+ # fall through
+
+} elsif ( $cgi->param('taxclass') eq '(select)' ) {
+
+  $error = 'Must select a tax class';
+
+} elsif ( $pkgpart ) {
+
+  $error = $new->replace( $old,
+                          pkg_svc     => \%pkg_svc,
+                          primary_svc => scalar($cgi->param('pkg_svc_primary')),
+                        );
+} else {
+
+  $error = $new->insert(  pkg_svc     => \%pkg_svc,
+                          primary_svc => scalar($cgi->param('pkg_svc_primary')),
+                          cust_pkg    => $cgi->param('pkgnum'),
+                          custnum_ref => \$custnum,
+                       );
+  $pkgpart = $new->pkgpart;
+}
+
+unless ( $error || $conf->exists('agent_defaultpkg') ) {
+  my $error = $new->process_m2m(
+    'link_table'   => 'type_pkgs',
+    'target_table' => 'agent_type',
+    'params'       => \@agents,
+  );
+}
+
+</%init>
 
diff --git a/httemplate/edit/process/part_referral.html b/httemplate/edit/process/part_referral.html
index 14c1b7001..40cbc97bf 100755
--- a/httemplate/edit/process/part_referral.html
+++ b/httemplate/edit/process/part_referral.html
@@ -3,3 +3,10 @@
                  'viewall_dir' => 'browse',
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit advertising sources')
+      || $FS::CurrentUser::CurrentUser->access_right('Edit global advertising sources');
+
+</%init>
diff --git a/httemplate/edit/process/part_svc.cgi b/httemplate/edit/process/part_svc.cgi
index 97abc5baf..65de3fc6c 100755
--- a/httemplate/edit/process/part_svc.cgi
+++ b/httemplate/edit/process/part_svc.cgi
@@ -1,4 +1,9 @@
-%
-%  my $server = new FS::UI::Web::JSRPC 'FS::part_svc::process', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $server = new FS::UI::Web::JSRPC 'FS::part_svc::process', $cgi;
+
+</%init>
diff --git a/httemplate/edit/process/payment_gateway.html b/httemplate/edit/process/payment_gateway.html
index 0b7e31395..b16bc3d27 100644
--- a/httemplate/edit/process/payment_gateway.html
+++ b/httemplate/edit/process/payment_gateway.html
@@ -1,34 +1,35 @@
-%
-%
-%my $gatewaynum = $cgi->param('gatewaynum');
-%
-%my $old = qsearchs('payment_gateway',{'gatewaynum'=>$gatewaynum}) if $gatewaynum;
-%
-%my $new = new FS::payment_gateway ( {
-%  map {
-%    $_, scalar($cgi->param($_));
-%  } fields('payment_gateway')
-%} );
-%
-%my @options = split(/\r?\n/, $cgi->param('gateway_options') );
-%pop @options
-%  if scalar(@options) % 2 && $options[-1] =~ /^\s*$/;
-%my %options = @options;
-%
-%my $error;
-%if ( $gatewaynum ) {
-%  $error=$new->replace($old, \%options);
-%} else {
-%  $error=$new->insert(\%options);
-%  $gatewaynum=$new->getfield('gatewaynum');
-%}
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "payment_gateway.html?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "payment_gateway.html?". $cgi->query_string ) %>
 %} else { 
-%  print $cgi->redirect(popurl(3). "browse/payment_gateway.html");
+<% $cgi->redirect(popurl(3). "browse/payment_gateway.html") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $gatewaynum = $cgi->param('gatewaynum');
+
+my $old = qsearchs('payment_gateway',{'gatewaynum'=>$gatewaynum}) if $gatewaynum;
+
+my $new = new FS::payment_gateway ( {
+  map {
+    $_, scalar($cgi->param($_));
+  } fields('payment_gateway')
+} );
+
+my @options = split(/\r?\n/, $cgi->param('gateway_options') );
+pop @options
+  if scalar(@options) % 2 && $options[-1] =~ /^\s*$/;
+my %options = @options;
+
+my $error;
+if ( $gatewaynum ) {
+  $error=$new->replace($old, \%options);
+} else {
+  $error=$new->insert(\%options);
+  $gatewaynum=$new->getfield('gatewaynum');
+}
 
+</%init>
diff --git a/httemplate/edit/process/pkg_class.html b/httemplate/edit/process/pkg_class.html
index 183da805c..b196df3f7 100644
--- a/httemplate/edit/process/pkg_class.html
+++ b/httemplate/edit/process/pkg_class.html
@@ -3,3 +3,9 @@
                'viewall_dir' => 'browse',
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/process/prepay_credit.cgi b/httemplate/edit/process/prepay_credit.cgi
index 518f79d86..24ce25608 100644
--- a/httemplate/edit/process/prepay_credit.cgi
+++ b/httemplate/edit/process/prepay_credit.cgi
@@ -36,8 +36,7 @@
 
 
 <% include("/elements/header.html", "$num prepaid cards generated".
-              ( $agent ? ' for '.$agent->agent : '' ),
-            menubar( 'Main menu' => popurl(3) )
+              ( $agent ? ' for '.$agent->agent : '' )
           )
 %>
 
@@ -60,4 +59,9 @@
 
 </BODY></HTML>
 % } 
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/process/quick-charge.cgi b/httemplate/edit/process/quick-charge.cgi
index 4a090f9de..3c7cac51d 100644
--- a/httemplate/edit/process/quick-charge.cgi
+++ b/httemplate/edit/process/quick-charge.cgi
@@ -1,46 +1,49 @@
-%
-%  my $error = '';
-%  my $param = $cgi->Vars;
-%
-%  my @description = ();
-%  for ( my $row = 0; exists($param->{"description$row"}); $row++ ) {
-%    push @description, $param->{"description$row"}
-%      if ($param->{"description$row"} =~ /\S/);
-%  }
-%
-%  $param->{"custnum"} =~ /^(\d+)$/
-%    or $error .= "Illegal customer number " . $param->{"custnum"} . "  ";
-%  my $custnum = $1;
-%
-%  $param->{"amount"} =~ /^\s*(\d+(\.\d{1,2})?)\s*$/
-%    or $error .= "Illegal amount " . $param->{"amount"} . "  ";
-%  my $amount = $1;
-%
-%  if ( $param->{'taxclass'} eq '(select)' ) {
-%    $error .= "Must select a tax class.  ";
-%  }
-%
-%  unless ( $error ) {
-%    my $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } )
-%      or $error .= "Unknown customer number $custnum.  ";
-%
-%    $error ||= $cust_main->charge( {
-%      'amount'     => $amount,
-%      'pkg'        => scalar($cgi->param('pkg')),
-%      'taxclass'   => scalar($cgi->param('taxclass')),
-%      'additional' => \@description,
-%    } );
-%  }
-%
-%  if ( $error ) {
-%
-%    $cgi->param('error', $error );
-%    
+% if ( $error ) {
+%   $cgi->param('error', $error );
 <% $cgi->redirect($p.'quick-charge.html?'. $cgi->query_string) %>
-%
-% }
+% } else {
 <% header("One-time charge added") %>
   <SCRIPT TYPE="text/javascript">
     window.top.location.reload();
   </SCRIPT>
   </BODY></HTML>
+% }
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('One-time charge');
+
+my $error = '';
+my $param = $cgi->Vars;
+
+my @description = ();
+for ( my $row = 0; exists($param->{"description$row"}); $row++ ) {
+  push @description, $param->{"description$row"}
+    if ($param->{"description$row"} =~ /\S/);
+}
+
+$param->{"custnum"} =~ /^(\d+)$/
+  or $error .= "Illegal customer number " . $param->{"custnum"} . "  ";
+my $custnum = $1;
+
+$param->{"amount"} =~ /^\s*(\d+(\.\d{1,2})?)\s*$/
+  or $error .= "Illegal amount " . $param->{"amount"} . "  ";
+my $amount = $1;
+
+if ( $param->{'taxclass'} eq '(select)' ) {
+  $error .= "Must select a tax class.  ";
+}
+
+unless ( $error ) {
+  my $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } )
+    or $error .= "Unknown customer number $custnum.  ";
+
+  $error ||= $cust_main->charge( {
+    'amount'     => $amount,
+    'pkg'        => scalar($cgi->param('pkg')),
+    'taxclass'   => scalar($cgi->param('taxclass')),
+    'additional' => \@description,
+  } );
+}
+
+</%init>
diff --git a/httemplate/edit/process/quick-cust_pkg.cgi b/httemplate/edit/process/quick-cust_pkg.cgi
index 66d02e307..6b65653c2 100644
--- a/httemplate/edit/process/quick-cust_pkg.cgi
+++ b/httemplate/edit/process/quick-cust_pkg.cgi
@@ -1,17 +1,6 @@
-%#untaint custnum
-%$cgi->param('custnum') =~ /^(\d+)$/
-%  or die 'illegal custnum '. $cgi->param('custnum');
-%my $custnum = $1;
-%$cgi->param('pkgpart') =~ /^(\d+)$/
-%  or die 'illegal pkgpart '. $cgi->param('pkgpart');
-%my $pkgpart = $1;
-%
-%my @cust_pkg = ();
-%my $error = FS::cust_pkg::order($custnum, [ $pkgpart ], [], \@cust_pkg, [ $cgi->param('refnum') ] );
-%
 %if ($error) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). 'misc/order_pkg.html?'. $cgi->query_string );
+<% $cgi->redirect(popurl(2). 'misc/order_pkg.html?'. $cgi->query_string ) %>
 %} else {
 %  my $frag = "cust_pkg". $cust_pkg[0]->pkgnum;
 <% header('Package ordered') %>
@@ -25,3 +14,20 @@
 
   </BODY></HTML>
 %}
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Order customer package');
+
+#untaint custnum
+$cgi->param('custnum') =~ /^(\d+)$/
+  or die 'illegal custnum '. $cgi->param('custnum');
+my $custnum = $1;
+$cgi->param('pkgpart') =~ /^(\d+)$/
+  or die 'illegal pkgpart '. $cgi->param('pkgpart');
+my $pkgpart = $1;
+
+my @cust_pkg = ();
+my $error = FS::cust_pkg::order($custnum, [ $pkgpart ], [], \@cust_pkg, [ $cgi->param('refnum') ] );
+
+</%init>
diff --git a/httemplate/edit/process/rate.cgi b/httemplate/edit/process/rate.cgi
index c81f883b7..48d9322ca 100755
--- a/httemplate/edit/process/rate.cgi
+++ b/httemplate/edit/process/rate.cgi
@@ -1,4 +1,9 @@
-%
-%  my $server = new FS::UI::Web::JSRPC 'FS::rate::process', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $server = new FS::UI::Web::JSRPC 'FS::rate::process', $cgi;
+
+</%init>
diff --git a/httemplate/edit/process/reason.html b/httemplate/edit/process/reason.html
index 55c1ea958..cb79ed254 100644
--- a/httemplate/edit/process/reason.html
+++ b/httemplate/edit/process/reason.html
@@ -4,3 +4,9 @@
 	                      $cgi->param('class') . '&',
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/process/reason_type.html b/httemplate/edit/process/reason_type.html
index 4ccccaddd..3172b27c4 100644
--- a/httemplate/edit/process/reason_type.html
+++ b/httemplate/edit/process/reason_type.html
@@ -4,3 +4,9 @@
 	                         $cgi->param('class') . '&',
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/process/reg_code.cgi b/httemplate/edit/process/reg_code.cgi
index d93bb55a2..c4327991d 100644
--- a/httemplate/edit/process/reg_code.cgi
+++ b/httemplate/edit/process/reg_code.cgi
@@ -1,50 +1,46 @@
-%
-%
-%$cgi->param('agentnum') =~ /^(\d+)$/
-%  or errorpage('illegal agentnum '. $cgi->param('agentnum'));
-%my $agentnum = $1;
-%my $agent = qsearchs('agent', { 'agentnum' => $agentnum } );
-%
-%my $error = '';
-%
-%my $num = 0;
-%if ( $cgi->param('num') =~ /^\s*(\d+)\s*$/ ) {
-%  $num = $1;
-%} else {
-%  $error = 'Illegal number of codes: '. $cgi->param('num');
-%}
-%
-%my @pkgparts = 
-%  map  { /^pkgpart(.*)$/; $1 }
-%  grep { $cgi->param($_) }
-%  grep { /^pkgpart/ }
-%  $cgi->param;
-%
-%$error ||= $agent->generate_reg_codes($num, \@pkgparts);
-%
 %unless ( ref($error) ) {
 %  $cgi->param('error'. $error );
-%
-<%
-  $cgi->redirect(popurl(3). "edit/reg_code.cgi?". $cgi->query_string )
-%>
+<% $cgi->redirect(popurl(3). "edit/reg_code.cgi?". $cgi->query_string ) %>
 % } else { 
 
-
 <% include("/elements/header.html","$num registration codes generated for ". $agent->agent, menubar(
-  'Main menu'       => popurl(3),
   'View all agents' => popurl(3). 'browse/agent.cgi',
 ) ) %>
 
 <PRE><FONT SIZE="+1">
 % foreach my $code ( @$error ) { 
-
   <% $code %>
 % } 
-
-
 </FONT></PRE>
 
-</BODY></HTML>
+<% include('/elements/footer.html') %>
 % } 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+$cgi->param('agentnum') =~ /^(\d+)$/
+  or errorpage('illegal agentnum '. $cgi->param('agentnum'));
+my $agentnum = $1;
+my $agent = qsearchs('agent', { 'agentnum' => $agentnum } );
+
+my $error = '';
+
+my $num = 0;
+if ( $cgi->param('num') =~ /^\s*(\d+)\s*$/ ) {
+  $num = $1;
+} else {
+  $error = 'Illegal number of codes: '. $cgi->param('num');
+}
+
+my @pkgparts = 
+  map  { /^pkgpart(.*)$/; $1 }
+  grep { $cgi->param($_) }
+  grep { /^pkgpart/ }
+  $cgi->param;
+
+$error ||= $agent->generate_reg_codes($num, \@pkgparts);
+
+</%init>
 
diff --git a/httemplate/edit/process/router.cgi b/httemplate/edit/process/router.cgi
index c69114ea4..7e0baf782 100644
--- a/httemplate/edit/process/router.cgi
+++ b/httemplate/edit/process/router.cgi
@@ -1,5 +1,3 @@
-%
-%
 %local $FS::UID::AutoCommit=0;
 %
 %sub check {
@@ -64,5 +62,9 @@
 %dbh->commit or die dbh->errstr;
 %print $cgi->redirect(popurl(3). "browse/router.cgi");
 %
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
 
+</%init>
diff --git a/httemplate/edit/process/svc_Common.html b/httemplate/edit/process/svc_Common.html
index f5c869a12..cf5f01f71 100644
--- a/httemplate/edit/process/svc_Common.html
+++ b/httemplate/edit/process/svc_Common.html
@@ -1,13 +1,16 @@
+<% include( 'elements/svc_Common.html',
+              'table'    => $table,
+	      'redirect' => popurl(3)."view/svc_Common.html?svcdb=$table;svcnum=",
+	      'error_redirect' => popurl(3)."edit/svc_Common.html?svcdb=$table;",
+	  )
+%>
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
 $cgi->param('svcdb') =~ /^(svc_\w+)$/ or die "unparsable svcdb";
 my $table = $1;
 require "FS/$table.pm";
 
 </%init>
-<% include( 'elements/svc_Common.html',
-              'table'    => $table,
-	      'redirect' => popurl(3)."view/svc_Common.html?svcdb=$table;svcnum=",
-	      'error_redirect' => popurl(3)."edit/svc_Common.html?svcdb=$table;",
-	  )
-%>
diff --git a/httemplate/edit/process/svc_acct.cgi b/httemplate/edit/process/svc_acct.cgi
index d9aac9fac..0a89e253c 100755
--- a/httemplate/edit/process/svc_acct.cgi
+++ b/httemplate/edit/process/svc_acct.cgi
@@ -1,63 +1,64 @@
-%
-%
-%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
-%my $svcnum = $1;
-%
-%my $old;
-%if ( $svcnum ) {
-%  $old = qsearchs('svc_acct', { 'svcnum' => $svcnum } )
-%    or die "fatal: can't find account (svcnum $svcnum)!";
-%} else {
-%  $old = '';
-%}
-%
-%#unmunge popnum
-%$cgi->param('popnum', (split(/:/, $cgi->param('popnum') ))[0] );
-%
-%#unmunge passwd
-%if ( $cgi->param('_password') eq '*HIDDEN*' ) {
-%  die "fatal: no previous account to recall hidden password from!" unless $old;
-%  $cgi->param('_password',$old->getfield('_password'));
-%}
-%
-%#unmunge usergroup
-%$cgi->param('usergroup', [ $cgi->param('radius_usergroup') ] );
-%
-%#unmunge bytecounts
-%foreach (map { $_,$_."_threshold" } qw( upbytes downbytes totalbytes )) {
-%  $cgi->param($_, FS::UI::bytecount::parse_bytecount($cgi->param($_)) );
-%}
-%
-%my %hash = $svcnum ? $old->hash : ();
-%map {
-%    $hash{$_} = scalar($cgi->param($_));
-%  #} qw(svcnum pkgnum svcpart username _password popnum uid gid finger dir
-%  #  shell quota slipip)
-%  } (fields('svc_acct'), qw ( pkgnum svcpart usergroup ));
-%my $new = new FS::svc_acct ( \%hash );
-%
-%my $error;
-%if ( $svcnum ) {
-%  foreach (grep { $old->$_ != $new->$_ } qw( seconds upbytes downbytes totalbytes )) {
-%    my %hash = map { $_ => $new->$_ } 
-%               grep { $new->$_ }
-%               qw( seconds upbytes downbytes totalbytes );
-%
-%    $error = $new->set_usage(\%hash);  #unoverlimit and trigger radius changes
-%    last;                              #once is enough
-%  }
-%  $error ||= $new->replace($old);
-%} else {
-%  $error = $new->insert;
-%  $svcnum = $new->svcnum;
-%}
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "svc_acct.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "svc_acct.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "view/svc_acct.cgi?" . $svcnum );
+<% $cgi->redirect(popurl(3). "view/svc_acct.cgi?" . $svcnum ) %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
+my $svcnum = $1;
+
+my $old;
+if ( $svcnum ) {
+  $old = qsearchs('svc_acct', { 'svcnum' => $svcnum } )
+    or die "fatal: can't find account (svcnum $svcnum)!";
+} else {
+  $old = '';
+}
+
+#unmunge popnum
+$cgi->param('popnum', (split(/:/, $cgi->param('popnum') ))[0] );
+
+#unmunge passwd
+if ( $cgi->param('_password') eq '*HIDDEN*' ) {
+  die "fatal: no previous account to recall hidden password from!" unless $old;
+  $cgi->param('_password',$old->getfield('_password'));
+}
+
+#unmunge usergroup
+$cgi->param('usergroup', [ $cgi->param('radius_usergroup') ] );
+
+#unmunge bytecounts
+foreach (map { $_,$_."_threshold" } qw( upbytes downbytes totalbytes )) {
+  $cgi->param($_, FS::UI::bytecount::parse_bytecount($cgi->param($_)) );
+}
+
+my %hash = $svcnum ? $old->hash : ();
+map {
+    $hash{$_} = scalar($cgi->param($_));
+  #} qw(svcnum pkgnum svcpart username _password popnum uid gid finger dir
+  #  shell quota slipip)
+  } (fields('svc_acct'), qw ( pkgnum svcpart usergroup ));
+my $new = new FS::svc_acct ( \%hash );
+
+my $error;
+if ( $svcnum ) {
+  foreach (grep { $old->$_ != $new->$_ } qw( seconds upbytes downbytes totalbytes )) {
+    my %hash = map { $_ => $new->$_ } 
+               grep { $new->$_ }
+               qw( seconds upbytes downbytes totalbytes );
+
+    $error = $new->set_usage(\%hash);  #unoverlimit and trigger radius changes
+    last;                              #once is enough
+  }
+  $error ||= $new->replace($old);
+} else {
+  $error = $new->insert;
+  $svcnum = $new->svcnum;
+}
 
+</%init>
diff --git a/httemplate/edit/process/svc_acct_pop.cgi b/httemplate/edit/process/svc_acct_pop.cgi
index 9e9df7bf0..75b89c88f 100755
--- a/httemplate/edit/process/svc_acct_pop.cgi
+++ b/httemplate/edit/process/svc_acct_pop.cgi
@@ -1,29 +1,30 @@
-%
-%
-%my $popnum = $cgi->param('popnum');
-%
-%my $old = qsearchs('svc_acct_pop',{'popnum'=>$popnum}) if $popnum;
-%
-%my $new = new FS::svc_acct_pop ( {
-%  map {
-%    $_, scalar($cgi->param($_));
-%  } fields('svc_acct_pop')
-%} );
-%
-%my $error = '';
-%if ( $popnum ) {
-%  $error = $new->replace($old);
-%} else {
-%  $error = $new->insert;
-%  $popnum=$new->getfield('popnum');
-%}
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "svc_acct_pop.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "svc_acct_pop.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "browse/svc_acct_pop.cgi");
+<% $cgi->redirect(popurl(3). "browse/svc_acct_pop.cgi") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $popnum = $cgi->param('popnum');
+
+my $old = qsearchs('svc_acct_pop',{'popnum'=>$popnum}) if $popnum;
+
+my $new = new FS::svc_acct_pop ( {
+  map {
+    $_, scalar($cgi->param($_));
+  } fields('svc_acct_pop')
+} );
+
+my $error = '';
+if ( $popnum ) {
+  $error = $new->replace($old);
+} else {
+  $error = $new->insert;
+  $popnum=$new->getfield('popnum');
+}
 
+</%init>
diff --git a/httemplate/edit/process/svc_broadband.cgi b/httemplate/edit/process/svc_broadband.cgi
index cf4604639..8600da349 100644
--- a/httemplate/edit/process/svc_broadband.cgi
+++ b/httemplate/edit/process/svc_broadband.cgi
@@ -1,37 +1,38 @@
-%
-%
-%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
-%my $svcnum = $1;
-%
-%my $old;
-%if ( $svcnum ) {
-%  $old = qsearchs('svc_broadband', { 'svcnum' => $svcnum } )
-%    or die "fatal: can't find broadband service (svcnum $svcnum)!";
-%} else {
-%  $old = '';
-%}
-%
-%my $new = new FS::svc_broadband ( {
-%  map {
-%    ($_, scalar($cgi->param($_)));
-%  } ( fields('svc_broadband'), qw( pkgnum svcpart ) )
-%} );
-%
-%my $error;
-%if ( $svcnum ) {
-%  $error = $new->replace($old);
-%} else {
-%  $error = $new->insert;
-%  $svcnum = $new->svcnum;
-%}
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
 %  $cgi->param('ip_addr', $new->ip_addr);
-%  print $cgi->redirect(popurl(2). "svc_broadband.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "svc_broadband.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "view/svc_broadband.cgi?" . $svcnum );
+<% $cgi->redirect(popurl(3). "view/svc_broadband.cgi?" . $svcnum ) %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
+my $svcnum = $1;
+
+my $old;
+if ( $svcnum ) {
+  $old = qsearchs('svc_broadband', { 'svcnum' => $svcnum } )
+    or die "fatal: can't find broadband service (svcnum $svcnum)!";
+} else {
+  $old = '';
+}
+
+my $new = new FS::svc_broadband ( {
+  map {
+    ($_, scalar($cgi->param($_)));
+  } ( fields('svc_broadband'), qw( pkgnum svcpart ) )
+} );
+
+my $error;
+if ( $svcnum ) {
+  $error = $new->replace($old);
+} else {
+  $error = $new->insert;
+  $svcnum = $new->svcnum;
+}
 
+</%init>
diff --git a/httemplate/edit/process/svc_domain.cgi b/httemplate/edit/process/svc_domain.cgi
index 773143fe3..9993a879e 100755
--- a/httemplate/edit/process/svc_domain.cgi
+++ b/httemplate/edit/process/svc_domain.cgi
@@ -1,32 +1,33 @@
-%
-%
-%#remove this to actually test the domains!
-%$FS::svc_domain::whois_hack = 1;
-%
-%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
-%my $svcnum = $1;
-%
-%my $new = new FS::svc_domain ( {
-%  map {
-%    $_, scalar($cgi->param($_));
-%  #} qw(svcnum pkgnum svcpart domain action purpose)
-%  } ( fields('svc_domain'), qw( pkgnum svcpart action purpose ) )
-%} );
-%
-%my $error = '';
-%if ($cgi->param('svcnum')) {
-%  $error="Can't modify a domain!";
-%} else {
-%  $error=$new->insert;
-%  $svcnum=$new->svcnum;
-%}
-%
 %if ($error) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "svc_domain.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "svc_domain.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "view/svc_domain.cgi?$svcnum");
+<% $cgi->redirect(popurl(3). "view/svc_domain.cgi?$svcnum") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+#remove this to actually test the domains!
+$FS::svc_domain::whois_hack = 1;
+
+$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
+my $svcnum = $1;
+
+my $new = new FS::svc_domain ( {
+  map {
+    $_, scalar($cgi->param($_));
+  #} qw(svcnum pkgnum svcpart domain action purpose)
+  } ( fields('svc_domain'), qw( pkgnum svcpart action purpose ) )
+} );
+
+my $error = '';
+if ($cgi->param('svcnum')) {
+  $error="Can't modify a domain!";
+} else {
+  $error=$new->insert;
+  $svcnum=$new->svcnum;
+}
 
+</%init>
diff --git a/httemplate/edit/process/svc_external.cgi b/httemplate/edit/process/svc_external.cgi
index 97da6ba87..673e5a5a0 100755
--- a/httemplate/edit/process/svc_external.cgi
+++ b/httemplate/edit/process/svc_external.cgi
@@ -1,30 +1,31 @@
-%
-%
-%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
-%my $svcnum =$1;
-%
-%my $old = qsearchs('svc_external',{'svcnum'=>$svcnum}) if $svcnum;
-%
-%my $new = new FS::svc_external ( {
-%  map {
-%    ($_, scalar($cgi->param($_)));
-%  } ( fields('svc_external'), qw( pkgnum svcpart ) )
-%} );
-%
-%my $error = '';
-%if ( $svcnum ) {
-%  $error = $new->replace($old);
-%} else {
-%  $error = $new->insert;
-%  $svcnum = $new->getfield('svcnum');
-%} 
-%
 %if ($error) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "svc_external.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "svc_external.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "view/svc_external.cgi?$svcnum");
+<% $cgi->redirect(popurl(3). "view/svc_external.cgi?$svcnum") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
+my $svcnum =$1;
+
+my $old = qsearchs('svc_external',{'svcnum'=>$svcnum}) if $svcnum;
+
+my $new = new FS::svc_external ( {
+  map {
+    ($_, scalar($cgi->param($_)));
+  } ( fields('svc_external'), qw( pkgnum svcpart ) )
+} );
+
+my $error = '';
+if ( $svcnum ) {
+  $error = $new->replace($old);
+} else {
+  $error = $new->insert;
+  $svcnum = $new->getfield('svcnum');
+} 
 
+</%init>
diff --git a/httemplate/edit/process/svc_forward.cgi b/httemplate/edit/process/svc_forward.cgi
index 3205312f1..fffad84d6 100755
--- a/httemplate/edit/process/svc_forward.cgi
+++ b/httemplate/edit/process/svc_forward.cgi
@@ -1,30 +1,31 @@
-%
-%
-%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
-%my $svcnum =$1;
-%
-%my $old = qsearchs('svc_forward',{'svcnum'=>$svcnum}) if $svcnum;
-%
-%my $new = new FS::svc_forward ( {
-%  map {
-%    ($_, scalar($cgi->param($_)));
-%  } ( fields('svc_forward'), qw( pkgnum svcpart ) )
-%} );
-%
-%my $error = '';
-%if ( $svcnum ) {
-%  $error = $new->replace($old);
-%} else {
-%  $error = $new->insert;
-%  $svcnum = $new->getfield('svcnum');
-%} 
-%
 %if ($error) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "svc_forward.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "svc_forward.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "view/svc_forward.cgi?$svcnum");
+<% $cgi->redirect(popurl(3). "view/svc_forward.cgi?$svcnum") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
+my $svcnum =$1;
+
+my $old = qsearchs('svc_forward',{'svcnum'=>$svcnum}) if $svcnum;
+
+my $new = new FS::svc_forward ( {
+  map {
+    ($_, scalar($cgi->param($_)));
+  } ( fields('svc_forward'), qw( pkgnum svcpart ) )
+} );
+
+my $error = '';
+if ( $svcnum ) {
+  $error = $new->replace($old);
+} else {
+  $error = $new->insert;
+  $svcnum = $new->getfield('svcnum');
+} 
 
+</%init>
diff --git a/httemplate/edit/process/svc_phone.html b/httemplate/edit/process/svc_phone.html
index 44235de63..27a703cdf 100644
--- a/httemplate/edit/process/svc_phone.html
+++ b/httemplate/edit/process/svc_phone.html
@@ -2,3 +2,9 @@
                'table'    => 'svc_phone',
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+</%init>
diff --git a/httemplate/edit/process/svc_www.cgi b/httemplate/edit/process/svc_www.cgi
index e9a52aff2..f02d25305 100644
--- a/httemplate/edit/process/svc_www.cgi
+++ b/httemplate/edit/process/svc_www.cgi
@@ -1,37 +1,38 @@
-%
-%
-%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
-%my $svcnum = $1;
-%
-%my $old;
-%if ( $svcnum ) {
-%  $old = qsearchs('svc_www', { 'svcnum' => $svcnum } )
-%    or die "fatal: can't find website (svcnum $svcnum)!";
-%} else {
-%  $old = '';
-%}
-%
-%my $new = new FS::svc_www ( {
-%  map {
-%    ($_, scalar($cgi->param($_)));
-%  #} qw(svcnum pkgnum svcpart recnum usersvc)
-%  } ( fields('svc_www'), qw( pkgnum svcpart ) )
-%} );
-%
-%my $error;
-%if ( $svcnum ) {
-%  $error = $new->replace($old);
-%} else {
-%  $error = $new->insert;
-%  $svcnum = $new->svcnum;
-%}
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "svc_www.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "svc_www.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "view/svc_www.cgi?" . $svcnum );
+<% $cgi->redirect(popurl(3). "view/svc_www.cgi?" . $svcnum ) %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
+my $svcnum = $1;
+
+my $old;
+if ( $svcnum ) {
+  $old = qsearchs('svc_www', { 'svcnum' => $svcnum } )
+    or die "fatal: can't find website (svcnum $svcnum)!";
+} else {
+  $old = '';
+}
+
+my $new = new FS::svc_www ( {
+  map {
+    ($_, scalar($cgi->param($_)));
+  #} qw(svcnum pkgnum svcpart recnum usersvc)
+  } ( fields('svc_www'), qw( pkgnum svcpart ) )
+} );
+
+my $error;
+if ( $svcnum ) {
+  $error = $new->replace($old);
+} else {
+  $error = $new->insert;
+  $svcnum = $new->svcnum;
+}
 
+</%init>
diff --git a/httemplate/edit/quick-charge.html b/httemplate/edit/quick-charge.html
index 92e0ae753..e8df37103 100644
--- a/httemplate/edit/quick-charge.html
+++ b/httemplate/edit/quick-charge.html
@@ -163,6 +163,9 @@ function validate_quick_charge () {
 </HTML>
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('One-time charge');
+
 $cgi->param('custnum') =~ /^(\d+)$/ or die 'illegal custnum';
 my $custnum = $1;
 
diff --git a/httemplate/edit/rate.cgi b/httemplate/edit/rate.cgi
index 269b3b09a..4c0abfe01 100644
--- a/httemplate/edit/rate.cgi
+++ b/httemplate/edit/rate.cgi
@@ -1,5 +1,4 @@
 <% include("/elements/header.html","$action Rate plan", menubar(
-      'Main Menu' => $p,
       'View all rate plans' => "${p}browse/rate.cgi",
     ))
 %>
diff --git a/httemplate/edit/rate_region.cgi b/httemplate/edit/rate_region.cgi
index 47d1888e0..9dfcb3740 100644
--- a/httemplate/edit/rate_region.cgi
+++ b/httemplate/edit/rate_region.cgi
@@ -81,7 +81,7 @@
     </TD>
 
     <TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
-      <INPUT TYPE="text" SIZE=5 NAME="min_included<%$n%>" VALUE="<% $cgi->param("min_included$n") || $rate_detail->min_included %>">
+      <INPUT TYPE="text" SIZE=5 NAME="min_included<%$n%>" VALUE="<% $cgi->param("min_included$n") || $rate_detail->min_included |h %>">
     </TD>
 
     <TD CLASS="grid" BGCOLOR="<% $bgcolor %>">
diff --git a/httemplate/edit/reason.html b/httemplate/edit/reason.html
index 512013ace..620a2ea15 100644
--- a/httemplate/edit/reason.html
+++ b/httemplate/edit/reason.html
@@ -42,3 +42,9 @@
                  'viewall_url' => $p . "browse/reason.html?class=$class",
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+</%init>
diff --git a/httemplate/edit/reason_type.html b/httemplate/edit/reason_type.html
index 056544e5d..ea5650ec3 100644
--- a/httemplate/edit/reason_type.html
+++ b/httemplate/edit/reason_type.html
@@ -1,9 +1,3 @@
-%
-%$cgi->param('class') =~ /^(\w)$/;
-%my $class = $1;
-%
-%my $classname = $FS::reason_type::class_name{$class};
-%
 <% include( 'elements/edit.html',
                  'name'   => $classname . ' Reason Type',
                  'table'  => 'reason_type',
@@ -22,3 +16,14 @@
                  'new_hashref_callback' => sub {{ 'class' => $class }},
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+$cgi->param('class') =~ /^(\w)$/;
+my $class = $1;
+
+my $classname = $FS::reason_type::class_name{$class};
+
+</%init>
diff --git a/httemplate/edit/reg_code.cgi b/httemplate/edit/reg_code.cgi
index 4ad39051a..e57ac09bf 100644
--- a/httemplate/edit/reg_code.cgi
+++ b/httemplate/edit/reg_code.cgi
@@ -1,16 +1,4 @@
-%
-%my $agentnum = $cgi->param('agentnum');
-%$agentnum =~ /^(\d+)$/ or errorpage("illegal agentnum $agentnum");
-%$agentnum = $1;
-%my $agent = qsearchs('agent', { 'agentnum' => $agentnum } );
-%
-%
-
-
-<% include("/elements/header.html",'Generate registration codes for '. $agent->agent, menubar(
-      'Main Menu' => $p,
-    ))
-%>
+<% include('/elements/header.html', 'Generate registration codes for '. $agent->agent) %>
 
 <% include('/elements/error.html') %>
 
@@ -39,5 +27,18 @@ registration codes for <B><% $agent->agent %></B> allowing the following package
 <BR>
 <INPUT TYPE="submit" NAME="submit" VALUE="Generate">
 
-</FORM></BODY></HTML>
+</FORM>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $agentnum = $cgi->param('agentnum');
+$agentnum =~ /^(\d+)$/ or errorpage("illegal agentnum $agentnum");
+$agentnum = $1;
+my $agent = qsearchs('agent', { 'agentnum' => $agentnum } );
 
+</%init>
diff --git a/httemplate/edit/router.cgi b/httemplate/edit/router.cgi
index 8b01035d5..c08e54449 100755
--- a/httemplate/edit/router.cgi
+++ b/httemplate/edit/router.cgi
@@ -1,27 +1,7 @@
-<HTML><BODY>
-%
-%
-%my $router;
-%if ( $cgi->keywords ) {
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/;
-%  $router = qsearchs('router', { routernum => $1 }) 
-%      or print $cgi->redirect(popurl(2)."browse/router.cgi") ;
-%} else {
-%  $router = new FS::router ( {
-%    map { $_, scalar($cgi->param($_)) } fields('router')
-%  } );
-%}
-%
-%my $routernum = $router->routernum;
-%my $action = $routernum ? 'Edit' : 'Add';
-%
-%print header("$action Router", menubar(
-%  'Main Menu' => "$p",
-%  'View all routers' => "${p}browse/router.cgi",
-%));
-%
-%my $p3 = popurl(3);
+<% include('/elements/header.html', "$action Router", menubar(
+     'View all routers' => "${p}browse/router.cgi",
+   ))
+%>
 
 <% include('/elements/error.html') %>
 
@@ -70,5 +50,29 @@ Custom fields:
 
   <BR><BR><INPUT TYPE="submit" VALUE="Apply changes">
   </FORM>
-</BODY></HTML>
 
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $router;
+if ( $cgi->keywords ) {
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/;
+  $router = qsearchs('router', { routernum => $1 }) 
+      or print $cgi->redirect(popurl(2)."browse/router.cgi") ;
+} else {
+  $router = new FS::router ( {
+    map { $_, scalar($cgi->param($_)) } fields('router')
+  } );
+}
+
+my $routernum = $router->routernum;
+my $action = $routernum ? 'Edit' : 'Add';
+
+my $p3 = popurl(3);
+
+</%init>
diff --git a/httemplate/edit/svc_Common.html b/httemplate/edit/svc_Common.html
index 6393f9ebc..6666d9720 100644
--- a/httemplate/edit/svc_Common.html
+++ b/httemplate/edit/svc_Common.html
@@ -1,5 +1,14 @@
+<% include('elements/svc_Common.html',
+             'table'        => $table,
+	     'post_url'     => popurl(1). "process/svc_Common.html",
+	     %opt,
+	  )
+%>
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
 # false laziness w/view/svc_Common.html
 
 $cgi->param('svcdb') =~ /^(svc_\w+)$/ or die "unparsable svcdb";
@@ -22,9 +31,3 @@ if ( UNIVERSAL::can("FS::$table", 'table_info') ) {
 }
 
 </%init>
-<% include('elements/svc_Common.html',
-             'table'        => $table,
-	     'post_url'     => popurl(1). "process/svc_Common.html",
-	     %opt,
-	  )
-%>
diff --git a/httemplate/edit/svc_acct.cgi b/httemplate/edit/svc_acct.cgi
index 5bf3f0dd1..58283ef54 100755
--- a/httemplate/edit/svc_acct.cgi
+++ b/httemplate/edit/svc_acct.cgi
@@ -1,132 +1,4 @@
-%
-%
-%my $conf = new FS::Conf;
-%my @shells = $conf->config('shells');
-%
-%my $curuser = $FS::CurrentUser::CurrentUser;
-%
-%my($svcnum, $pkgnum, $svcpart, $part_svc, $svc_acct, @groups);
-%if ( $cgi->param('error') ) {
-%
-%  $svc_acct = new FS::svc_acct ( {
-%    map { $_, scalar($cgi->param($_)) } fields('svc_acct')
-%  } );
-%  $svcnum = $svc_acct->svcnum;
-%  $pkgnum = $cgi->param('pkgnum');
-%  $svcpart = $cgi->param('svcpart');
-%  $part_svc = qsearchs( 'part_svc', { 'svcpart' => $svcpart } );
-%  die "No part_svc entry for svcpart $svcpart!" unless $part_svc;
-%  @groups = $cgi->param('radius_usergroup');
-%
-%} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
-%
-%  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
-%  $pkgnum = $1;
-%  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
-%  $svcpart = $1;
-%
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%    $svc_acct = new FS::svc_acct({svcpart => $svcpart}); 
-%
-%    $svcnum='';
-%
-%} else { #editing
-%
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/ or die "unparsable svcnum";
-%  $svcnum=$1;
-%  $svc_acct=qsearchs('svc_acct',{'svcnum'=>$svcnum})
-%    or die "Unknown (svc_acct) svcnum!";
-%
-%  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
-%    or die "Unknown (cust_svc) svcnum!";
-%
-%  $pkgnum=$cust_svc->pkgnum;
-%  $svcpart=$cust_svc->svcpart;
-%
-%  $part_svc = qsearchs( 'part_svc', { 'svcpart' => $svcpart } );
-%  die "No part_svc entry for svcpart $svcpart!" unless $part_svc;
-%
-%  @groups = $svc_acct->radius_groups;
-%
-%}
-%
-%my( $cust_pkg, $cust_main ) = ( '', '' );
-%if ( $pkgnum ) {
-%  $cust_pkg = qsearchs('cust_pkg', { 'pkgnum' => $pkgnum } );
-%  $cust_main = $cust_pkg->cust_main;
-%}
-%
-%unless ( $svcnum || $cgi->param('error') ) { #adding
-%
-%  #set gecos
-%  if ($cust_main) {
-%    unless ( $part_svc->part_svc_column('uid')->columnflag eq 'F' ) {
-%      $svc_acct->setfield('finger',
-%        $cust_main->getfield('first') . " " . $cust_main->getfield('last')
-%      );
-%    }
-%  }
-%
-%  $svc_acct->set_default_and_fixed( {
-%    #false laziness w/svc-acct::_fieldhandlers
-%    'usergroup' => sub { 
-%                         my( $self, $groups ) = @_;
-%                         if ( ref($groups) eq 'ARRAY' ) {
-%                           @groups = @$groups;
-%                           $groups;
-%                         } elsif ( length($groups) ) {
-%                           @groups = split(/\s*,\s*/, $groups);
-%                           [ @groups ];
-%                         } else {
-%                           @groups = ();
-%                           [];
-%                         }
-%                       }
-%  } );
-%
-%}
-%
-%#fixed radius groups always override & display
-%if ( $part_svc->part_svc_column('usergroup')->columnflag eq 'F' ) {
-%  @groups = split(',', $part_svc->part_svc_column('usergroup')->columnvalue);
-%}
-%
-%my $action = $svcnum ? 'Edit' : 'Add';
-%
-%my $svc = $part_svc->getfield('svc');
-%
-%my $otaker = getotaker;
-%
-%my $username = $svc_acct->username;
-%my $password;
-%if ( $svc_acct->_password ) {
-%  if ( $conf->exists('showpasswords') || ! $svcnum ) {
-%    $password = $svc_acct->_password;
-%  } else {
-%    $password = "*HIDDEN*";
-%  }
-%} else {
-%  $password = '';
-%}
-%
-%my $ulen = 
-%  $conf->exists('usernamemax')
-%  ? $conf->config('usernamemax')
-%  : dbdef->table('svc_acct')->column('username')->length;
-%my $ulen2 = $ulen+2;
-%
-%my $pmax = $conf->config('passwordmax') || 8;
-%my $pmax2 = $pmax+2;
-%
-%my $p1 = popurl(1);
-%
-%
-
-
-<% include("/elements/header.html","$action $svc account") %>
+<% include('/elements/header.html', "$action $svc account") %>
 
 <% include('/elements/error.html') %>
 
@@ -445,4 +317,136 @@ Service # <% $svcnum ? "<B>$svcnum</B>" : " (NEW)" %><BR>
 
 <INPUT TYPE="submit" VALUE="Submit">
 
-</FORM></BODY></HTML>
+</FORM>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+my $conf = new FS::Conf;
+my @shells = $conf->config('shells');
+
+my $curuser = $FS::CurrentUser::CurrentUser;
+
+my($svcnum, $pkgnum, $svcpart, $part_svc, $svc_acct, @groups);
+if ( $cgi->param('error') ) {
+
+  $svc_acct = new FS::svc_acct ( {
+    map { $_, scalar($cgi->param($_)) } fields('svc_acct')
+  } );
+  $svcnum = $svc_acct->svcnum;
+  $pkgnum = $cgi->param('pkgnum');
+  $svcpart = $cgi->param('svcpart');
+  $part_svc = qsearchs( 'part_svc', { 'svcpart' => $svcpart } );
+  die "No part_svc entry for svcpart $svcpart!" unless $part_svc;
+  @groups = $cgi->param('radius_usergroup');
+
+} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
+
+  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
+  $pkgnum = $1;
+  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
+  $svcpart = $1;
+
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+    $svc_acct = new FS::svc_acct({svcpart => $svcpart}); 
+
+    $svcnum='';
+
+} else { #editing
+
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/ or die "unparsable svcnum";
+  $svcnum=$1;
+  $svc_acct=qsearchs('svc_acct',{'svcnum'=>$svcnum})
+    or die "Unknown (svc_acct) svcnum!";
+
+  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
+    or die "Unknown (cust_svc) svcnum!";
+
+  $pkgnum=$cust_svc->pkgnum;
+  $svcpart=$cust_svc->svcpart;
+
+  $part_svc = qsearchs( 'part_svc', { 'svcpart' => $svcpart } );
+  die "No part_svc entry for svcpart $svcpart!" unless $part_svc;
+
+  @groups = $svc_acct->radius_groups;
+
+}
+
+my( $cust_pkg, $cust_main ) = ( '', '' );
+if ( $pkgnum ) {
+  $cust_pkg = qsearchs('cust_pkg', { 'pkgnum' => $pkgnum } );
+  $cust_main = $cust_pkg->cust_main;
+}
+
+unless ( $svcnum || $cgi->param('error') ) { #adding
+
+  #set gecos
+  if ($cust_main) {
+    unless ( $part_svc->part_svc_column('uid')->columnflag eq 'F' ) {
+      $svc_acct->setfield('finger',
+        $cust_main->getfield('first') . " " . $cust_main->getfield('last')
+      );
+    }
+  }
+
+  $svc_acct->set_default_and_fixed( {
+    #false laziness w/svc-acct::_fieldhandlers
+    'usergroup' => sub { 
+                         my( $self, $groups ) = @_;
+                         if ( ref($groups) eq 'ARRAY' ) {
+                           @groups = @$groups;
+                           $groups;
+                         } elsif ( length($groups) ) {
+                           @groups = split(/\s*,\s*/, $groups);
+                           [ @groups ];
+                         } else {
+                           @groups = ();
+                           [];
+                         }
+                       }
+  } );
+
+}
+
+#fixed radius groups always override & display
+if ( $part_svc->part_svc_column('usergroup')->columnflag eq 'F' ) {
+  @groups = split(',', $part_svc->part_svc_column('usergroup')->columnvalue);
+}
+
+my $action = $svcnum ? 'Edit' : 'Add';
+
+my $svc = $part_svc->getfield('svc');
+
+my $otaker = getotaker;
+
+my $username = $svc_acct->username;
+my $password;
+if ( $svc_acct->_password ) {
+  if ( $conf->exists('showpasswords') || ! $svcnum ) {
+    $password = $svc_acct->_password;
+  } else {
+    $password = "*HIDDEN*";
+  }
+} else {
+  $password = '';
+}
+
+my $ulen = 
+  $conf->exists('usernamemax')
+  ? $conf->config('usernamemax')
+  : dbdef->table('svc_acct')->column('username')->length;
+my $ulen2 = $ulen+2;
+
+my $pmax = $conf->config('passwordmax') || 8;
+my $pmax2 = $pmax+2;
+
+my $p1 = popurl(1);
+
+</%init>
diff --git a/httemplate/edit/svc_acct_pop.cgi b/httemplate/edit/svc_acct_pop.cgi
index 641aa0378..3c16a1f95 100755
--- a/httemplate/edit/svc_acct_pop.cgi
+++ b/httemplate/edit/svc_acct_pop.cgi
@@ -1,57 +1,50 @@
-<!-- mason kludge -->
-%
-%
-%my $svc_acct_pop;
-%if ( $cgi->param('error') ) {
-%  $svc_acct_pop = new FS::svc_acct_pop ( {
-%    map { $_, scalar($cgi->param($_)) } fields('svc_acct_pop')
-%  } );
-%} elsif ( $cgi->keywords ) { #editing
-%  my($query)=$cgi->keywords;
-%  $query =~ /^(\d+)$/;
-%  $svc_acct_pop=qsearchs('svc_acct_pop',{'popnum'=>$1});
-%} else { #adding
-%  $svc_acct_pop = new FS::svc_acct_pop {};
-%}
-%my $action = $svc_acct_pop->popnum ? 'Edit' : 'Add';
-%my $hashref = $svc_acct_pop->hashref;
-%
-%my $p1 = popurl(1);
-%print header("$action Access Number", menubar(
-%  'Main Menu' => popurl(2),
-%  'View all Access Numbers' => popurl(2). "browse/svc_acct_pop.cgi",
-%));
-%
-%print qq!<FONT SIZE="+1" COLOR="#ff0000">Error: !, $cgi->param('error'),
-%      "</FONT>"
-%  if $cgi->param('error');
-%
-%print qq!<FORM ACTION="${p1}process/svc_acct_pop.cgi" METHOD=POST>!;
-%
-%#display
-%
-%print qq!<INPUT TYPE="hidden" NAME="popnum" VALUE="$hashref->{popnum}">!,
-%      "POP #", $hashref->{popnum} ? $hashref->{popnum} : "(NEW)";
-%
-%print <<END;
-%<PRE>
-%City      <INPUT TYPE="text" NAME="city" SIZE=32 VALUE="$hashref->{city}">
-%State     <INPUT TYPE="text" NAME="state" SIZE=16 MAXLENGTH=16 VALUE="$hashref->{state}">
-%Area Code <INPUT TYPE="text" NAME="ac" SIZE=4 MAXLENGTH=3 VALUE="$hashref->{ac}">
-%Exchange  <INPUT TYPE="text" NAME="exch" SIZE=4 MAXLENGTH=3 VALUE="$hashref->{exch}">
-%Local     <INPUT TYPE="text" NAME="loc" SIZE=5 MAXLENGTH=4 VALUE="$hashref->{loc}">
-%</PRE>
-%END
-%
-%print qq!<BR><INPUT TYPE="submit" VALUE="!,
-%      $hashref->{popnum} ? "Apply changes" : "Add Access Number",
-%      qq!">!;
-%
-%print <<END;
-%    </FORM>
-%  </BODY>
-%</HTML>
-%END
-%
-%
+<% include('/elements/header.html', "$action Access Number", menubar(
+     'View all Access Numbers' => popurl(2). "browse/svc_acct_pop.cgi",
+   ))
+%>
 
+<% include('/elements/error.html') %>
+
+<FORM ACTION="<%$p1%>process/svc_acct_pop.cgi" METHOD=POST>
+
+<INPUT TYPE="hidden" NAME="popnum" VALUE="<% $hashref->{popnum} %>">
+Access Number #<% $hashref->{popnum} ? $hashref->{popnum} : "(NEW)" %>
+
+<PRE>
+City      <INPUT TYPE="text" NAME="city" SIZE=32 VALUE="<% $hashref->{city} %>">
+State     <INPUT TYPE="text" NAME="state" SIZE=16 MAXLENGTH=16 VALUE="<% $hashref->{state} %>">
+Area Code <INPUT TYPE="text" NAME="ac" SIZE=4 MAXLENGTH=3 VALUE="<% $hashref->{ac} %>">
+Exchange  <INPUT TYPE="text" NAME="exch" SIZE=4 MAXLENGTH=3 VALUE="<% $hashref->{exch} %>">
+Local     <INPUT TYPE="text" NAME="loc" SIZE=5 MAXLENGTH=4 VALUE="<% $hashref->{loc} %>">
+</PRE>
+
+<BR>
+<INPUT TYPE="submit" VALUE="<% $hashref->{popnum} ? "Apply changes" : "Add Access Number" %>">
+
+</FORM>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+my $svc_acct_pop;
+if ( $cgi->param('error') ) {
+  $svc_acct_pop = new FS::svc_acct_pop ( {
+    map { $_, scalar($cgi->param($_)) } fields('svc_acct_pop')
+  } );
+} elsif ( $cgi->keywords ) { #editing
+  my($query)=$cgi->keywords;
+  $query =~ /^(\d+)$/;
+  $svc_acct_pop=qsearchs('svc_acct_pop',{'popnum'=>$1});
+} else { #adding
+  $svc_acct_pop = new FS::svc_acct_pop {};
+}
+my $action = $svc_acct_pop->popnum ? 'Edit' : 'Add';
+my $hashref = $svc_acct_pop->hashref;
+
+my $p1 = popurl(1);
+
+</%init>
diff --git a/httemplate/edit/svc_broadband.cgi b/httemplate/edit/svc_broadband.cgi
index a1580ce01..c2fb58dda 100644
--- a/httemplate/edit/svc_broadband.cgi
+++ b/httemplate/edit/svc_broadband.cgi
@@ -1,91 +1,4 @@
-%# If it's stupid but it works, it's still stupid.
-%#  -Kristian
-%
-%use HTML::Widgets::SelectLayers;
-%use Tie::IxHash;
-%
-%my( $svcnum,  $pkgnum, $svcpart, $part_svc, $svc_broadband );
-%if ( $cgi->param('error') ) {
-%
-%  $svc_broadband = new FS::svc_broadband ( {
-%    map { $_, scalar($cgi->param($_)) } fields('svc_broadband'), qw(svcpart)
-%  } );
-%  $svcnum = $svc_broadband->svcnum;
-%  $pkgnum = $cgi->param('pkgnum');
-%  $svcpart = $svc_broadband->svcpart;
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
-%
-%  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
-%  $pkgnum = $1;
-%  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
-%  $svcpart = $1;
-%
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%  $svc_broadband = new FS::svc_broadband({ svcpart => $svcpart });
-%
-%  $svcnum='';
-%
-%  $svc_broadband->set_default_and_fixed;
-%
-%} else { #editing
-%
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/ or die "unparsable svcnum";
-%  $svcnum=$1;
-%  $svc_broadband=qsearchs('svc_broadband',{'svcnum'=>$svcnum})
-%    or die "Unknown (svc_broadband) svcnum!";
-%
-%  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
-%    or die "Unknown (cust_svc) svcnum!";
-%
-%  $pkgnum=$cust_svc->pkgnum;
-%  $svcpart=$cust_svc->svcpart;
-%  
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%}
-%my $action = $svc_broadband->svcnum ? 'Edit' : 'Add';
-%
-%if ($pkgnum) {
-%
-%  #Nothing?
-%
-%} elsif ( $action eq 'Edit' ) {
-%
-%  #Nothing?
-%
-%} else {
-%  die "\$action eq Add, but \$pkgnum is null!\n";
-%}
-%
-%my $p1 = popurl(1);
-%
-%my ($ip_addr, $speed_up, $speed_down, $blocknum, $mac_addr,
-%    $latitude, $longitude, $altitude, $vlan_profile, $auth_key,
-%    $description) =
-%    ($svc_broadband->ip_addr,
-%     $svc_broadband->speed_up,
-%     $svc_broadband->speed_down,
-%     $svc_broadband->blocknum,
-%     $svc_broadband->mac_addr,
-%     $svc_broadband->latitude,
-%     $svc_broadband->longitude,
-%     $svc_broadband->altitude,
-%     $svc_broadband->vlan_profile,
-%     $svc_broadband->auth_key,
-%     $svc_broadband->description,
-%    );
-%
-%
-
-
-<% include("/elements/header.html","Broadband Service $action", '') %>
+<% include('/elements/header.html', "Broadband Service $action") %>
 
 <% include('/elements/error.html') %>
 
@@ -246,6 +159,96 @@ Service #<B><%$svcnum ? $svcnum : "(NEW)"%></B><BR><BR>
   <BR>
   <INPUT TYPE="submit" NAME="submit" VALUE="Submit">
 </FORM>
-</BODY>
-</HTML>
 
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+# If it's stupid but it works, it's still stupid.
+#  -Kristian
+
+use HTML::Widgets::SelectLayers;
+use Tie::IxHash;
+
+my( $svcnum,  $pkgnum, $svcpart, $part_svc, $svc_broadband );
+if ( $cgi->param('error') ) {
+
+  $svc_broadband = new FS::svc_broadband ( {
+    map { $_, scalar($cgi->param($_)) } fields('svc_broadband'), qw(svcpart)
+  } );
+  $svcnum = $svc_broadband->svcnum;
+  $pkgnum = $cgi->param('pkgnum');
+  $svcpart = $svc_broadband->svcpart;
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
+
+  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
+  $pkgnum = $1;
+  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
+  $svcpart = $1;
+
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+  $svc_broadband = new FS::svc_broadband({ svcpart => $svcpart });
+
+  $svcnum='';
+
+  $svc_broadband->set_default_and_fixed;
+
+} else { #editing
+
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/ or die "unparsable svcnum";
+  $svcnum=$1;
+  $svc_broadband=qsearchs('svc_broadband',{'svcnum'=>$svcnum})
+    or die "Unknown (svc_broadband) svcnum!";
+
+  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
+    or die "Unknown (cust_svc) svcnum!";
+
+  $pkgnum=$cust_svc->pkgnum;
+  $svcpart=$cust_svc->svcpart;
+  
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+}
+my $action = $svc_broadband->svcnum ? 'Edit' : 'Add';
+
+if ($pkgnum) {
+
+  #Nothing?
+
+} elsif ( $action eq 'Edit' ) {
+
+  #Nothing?
+
+} else {
+  die "\$action eq Add, but \$pkgnum is null!\n";
+}
+
+my $p1 = popurl(1);
+
+my ($ip_addr, $speed_up, $speed_down, $blocknum, $mac_addr,
+    $latitude, $longitude, $altitude, $vlan_profile, $auth_key,
+    $description) =
+    ($svc_broadband->ip_addr,
+     $svc_broadband->speed_up,
+     $svc_broadband->speed_down,
+     $svc_broadband->blocknum,
+     $svc_broadband->mac_addr,
+     $svc_broadband->latitude,
+     $svc_broadband->longitude,
+     $svc_broadband->altitude,
+     $svc_broadband->vlan_profile,
+     $svc_broadband->auth_key,
+     $svc_broadband->description,
+    );
+
+</%init>
diff --git a/httemplate/edit/svc_domain.cgi b/httemplate/edit/svc_domain.cgi
index 60c67a005..56ba604bf 100755
--- a/httemplate/edit/svc_domain.cgi
+++ b/httemplate/edit/svc_domain.cgi
@@ -1,67 +1,3 @@
-%my($svcnum, $pkgnum, $svcpart, $kludge_action, $purpose, $part_svc,
-%   $svc_domain);
-%if ( $cgi->param('error') ) {
-%
-%  $svc_domain = new FS::svc_domain ( {
-%    map { $_, scalar($cgi->param($_)) } fields('svc_domain')
-%  } );
-%  $svcnum = $svc_domain->svcnum;
-%  $pkgnum = $cgi->param('pkgnum');
-%  $svcpart = $cgi->param('svcpart');
-%  $kludge_action = $cgi->param('action');
-%  $purpose = $cgi->param('purpose');
-%  $part_svc = qsearchs('part_svc', { 'svcpart' => $svcpart } );
-%  die "No part_svc entry!" unless $part_svc;
-%
-%} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
-%
-%  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
-%  $pkgnum = $1;
-%  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
-%  $svcpart = $1;
-%
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%  $svc_domain = new FS::svc_domain({});
-%
-%  $svcnum='';
-%
-%  $svc_domain->set_default_and_fixed;
-%
-%} else { #editing
-%
-%  $kludge_action = '';
-%  $purpose = '';
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/ or die "unparsable svcnum";
-%  $svcnum=$1;
-%  $svc_domain=qsearchs('svc_domain',{'svcnum'=>$svcnum})
-%    or die "Unknown (svc_domain) svcnum!";
-%
-%  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
-%    or die "Unknown (cust_svc) svcnum!";
-%
-%  $pkgnum=$cust_svc->pkgnum;
-%  $svcpart=$cust_svc->svcpart;
-%
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%}
-%my $action = $svcnum ? 'Edit' : 'Add';
-%
-%my $svc = $part_svc->getfield('svc');
-%
-%my $otaker = getotaker;
-%
-%my $domain = $svc_domain->domain;
-%
-%my $p1 = popurl(1);
-%
-%
-
-
 <% include('/elements/header.html', "$action $svc", '') %>
 
 <% include('/elements/error.html') %>
@@ -85,3 +21,71 @@
 </FORM>
 
 <% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+my($svcnum, $pkgnum, $svcpart, $kludge_action, $purpose, $part_svc,
+   $svc_domain);
+if ( $cgi->param('error') ) {
+
+  $svc_domain = new FS::svc_domain ( {
+    map { $_, scalar($cgi->param($_)) } fields('svc_domain')
+  } );
+  $svcnum = $svc_domain->svcnum;
+  $pkgnum = $cgi->param('pkgnum');
+  $svcpart = $cgi->param('svcpart');
+  $kludge_action = $cgi->param('action');
+  $purpose = $cgi->param('purpose');
+  $part_svc = qsearchs('part_svc', { 'svcpart' => $svcpart } );
+  die "No part_svc entry!" unless $part_svc;
+
+} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
+
+  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
+  $pkgnum = $1;
+  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
+  $svcpart = $1;
+
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+  $svc_domain = new FS::svc_domain({});
+
+  $svcnum='';
+
+  $svc_domain->set_default_and_fixed;
+
+} else { #editing
+
+  $kludge_action = '';
+  $purpose = '';
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/ or die "unparsable svcnum";
+  $svcnum=$1;
+  $svc_domain=qsearchs('svc_domain',{'svcnum'=>$svcnum})
+    or die "Unknown (svc_domain) svcnum!";
+
+  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
+    or die "Unknown (cust_svc) svcnum!";
+
+  $pkgnum=$cust_svc->pkgnum;
+  $svcpart=$cust_svc->svcpart;
+
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+}
+my $action = $svcnum ? 'Edit' : 'Add';
+
+my $svc = $part_svc->getfield('svc');
+
+my $otaker = getotaker;
+
+my $domain = $svc_domain->domain;
+
+my $p1 = popurl(1);
+
+</%init>
diff --git a/httemplate/edit/svc_external.cgi b/httemplate/edit/svc_external.cgi
index 393e71c38..0df842b21 100644
--- a/httemplate/edit/svc_external.cgi
+++ b/httemplate/edit/svc_external.cgi
@@ -1,99 +1,102 @@
-%my( $svcnum,  $pkgnum, $svcpart, $part_svc, $svc_external );
-%if ( $cgi->param('error') ) {
-%
-%  $svc_external = new FS::svc_external ( {
-%    map { $_, scalar($cgi->param($_)) } fields('svc_external')
-%  } );
-%  $svcnum = $svc_external->svcnum;
-%  $pkgnum = $cgi->param('pkgnum');
-%  $svcpart = $cgi->param('svcpart');
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
-%
-%  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
-%  $pkgnum = $1;
-%  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
-%  $svcpart = $1;
-%
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%  $svc_external = new FS::svc_external { svcpart => $svcpart };
-%
-%  $svcnum='';
-%
-%  $svc_external->set_default_and_fixed;
-%
-%} else { #adding
-%
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/ or die "unparsable svcnum";
-%  $svcnum=$1;
-%  $svc_external=qsearchs('svc_external',{'svcnum'=>$svcnum})
-%    or die "Unknown (svc_external) svcnum!";
-%
-%  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
-%    or die "Unknown (cust_svc) svcnum!";
-%
-%  $pkgnum=$cust_svc->pkgnum;
-%  $svcpart=$cust_svc->svcpart;
-%  
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%}
-%my $action = $svc_external->svcnum ? 'Edit' : 'Add';
-%
-%my $p1 = popurl(1);
-%print header("External service $action", '');
-%
-%print qq!<FONT SIZE="+1" COLOR="#ff0000">Error: !, $cgi->param('error'),
-%      "</FONT>"
-%  if $cgi->param('error');
-%
-%print qq!<FORM ACTION="${p1}process/svc_external.cgi" METHOD=POST>!;
-%
-%#display
-% 
-%
-%#svcnum
-%print qq!<INPUT TYPE="hidden" NAME="svcnum" VALUE="$svcnum">!;
-%print qq!Service #<B>!, $svcnum ? $svcnum : "(NEW)", "</B><BR><BR>";
-%
-%#pkgnum
-%print qq!<INPUT TYPE="hidden" NAME="pkgnum" VALUE="$pkgnum">!;
-% 
-%#svcpart
-%print qq!<INPUT TYPE="hidden" NAME="svcpart" VALUE="$svcpart">!;
-%
-%my($id,$title)=(
-%  $svc_external->id,
-%  $svc_external->title,
-%);
-%
-%print &ntable("#cccccc",2),
-%      '<TR><TD ALIGN="right">External ID</TD><TD>'.
-%      qq!<INPUT TYPE="text" NAME="id" VALUE="$id">!.
-%      '</TD></TR>'.
-%      '<TR><TD ALIGN="right">Title</TD><TD>'.
-%      qq!<INPUT TYPE="text" NAME="title" VALUE="$title">!.
-%      '</TD></TR>';
-%
-%foreach my $field ($svc_external->virtual_fields) {
-%  if ( $part_svc->part_svc_column($field)->columnflag ne 'F' ) {
-%    # If the flag is X, it won't even show up in $svc_acct->virtual_fields.
-%    print $svc_external->pvf($field)->widget('HTML', 'edit', 
-%        $svc_external->getfield($field));
-%  }
-%}
-%
-%
+<% include('/elements/header.html', "External service $action") %>
+
+<% include('/elements/error.html') %>
+
+<FORM ACTION="<%$p1%>process/svc_external.cgi" METHOD=POST>
+
+<INPUT TYPE="hidden" NAME="svcnum" VALUE="<% $svcnum %>">
+Service #<B><% $svcnum ? $svcnum : "(NEW)" %></B>
+<BR><BR>
+
+<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<% $pkgnum %>">
+
+<INPUT TYPE="hidden" NAME="svcpart" VALUE="<% $svcpart %>">
+
+% my $id    = $svc_external->id;
+% my $title = $svc_external->title;
+%
+<% &ntable("#cccccc",2) %>
+  <TR>
+    <TD ALIGN="right">External ID</TD>
+    <TD><INPUT TYPE="text" NAME="id" VALUE="<% $id %>"></TD>
+  </TR>
+  <TR>
+    <TD ALIGN="right">Title</TD>
+    <TD><INPUT TYPE="text" NAME="title" VALUE="<% $title %>"></TD>
+  </TR>
+
+% foreach my $field ($svc_external->virtual_fields) {
+%   if ( $part_svc->part_svc_column($field)->columnflag ne 'F' ) {
+%     # If the flag is X, it won't even show up in $svc_acct->virtual_fields.
+      <% $svc_external->pvf($field)->widget( 'HTML',
+                                             'edit', 
+                                             $svc_external->getfield($field)
+                                           )
+      %>
+%   }
+% }
+
+</TABLE>
+<BR>
+
+<INPUT TYPE="submit" VALUE="Submit">
+</FORM>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+my( $svcnum,  $pkgnum, $svcpart, $part_svc, $svc_external );
+if ( $cgi->param('error') ) {
+
+  $svc_external = new FS::svc_external ( {
+    map { $_, scalar($cgi->param($_)) } fields('svc_external')
+  } );
+  $svcnum = $svc_external->svcnum;
+  $pkgnum = $cgi->param('pkgnum');
+  $svcpart = $cgi->param('svcpart');
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
+
+  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
+  $pkgnum = $1;
+  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
+  $svcpart = $1;
+
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+  $svc_external = new FS::svc_external { svcpart => $svcpart };
+
+  $svcnum='';
+
+  $svc_external->set_default_and_fixed;
+
+} else { #adding
+
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/ or die "unparsable svcnum";
+  $svcnum=$1;
+  $svc_external=qsearchs('svc_external',{'svcnum'=>$svcnum})
+    or die "Unknown (svc_external) svcnum!";
+
+  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
+    or die "Unknown (cust_svc) svcnum!";
+
+  $pkgnum=$cust_svc->pkgnum;
+  $svcpart=$cust_svc->svcpart;
+  
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
 
+}
+my $action = $svc_external->svcnum ? 'Edit' : 'Add';
 
-</TABLE><BR><INPUT TYPE="submit" VALUE="Submit">
-    </FORM>
-  </BODY>
-</HTML>
+my $p1 = popurl(1);
 
+</%init>
diff --git a/httemplate/edit/svc_forward.cgi b/httemplate/edit/svc_forward.cgi
index c9159b3e1..96a00a5aa 100755
--- a/httemplate/edit/svc_forward.cgi
+++ b/httemplate/edit/svc_forward.cgi
@@ -1,111 +1,4 @@
-<!-- mason kludge -->
-%
-%
-%my $conf = new FS::Conf;
-%
-%my($svcnum, $pkgnum, $svcpart, $part_svc, $svc_forward);
-%if ( $cgi->param('error') ) {
-%  $svc_forward = new FS::svc_forward ( {
-%    map { $_, scalar($cgi->param($_)) } fields('svc_forward')
-%  } );
-%  $svcnum = $svc_forward->svcnum;
-%  $pkgnum = $cgi->param('pkgnum');
-%  $svcpart = $cgi->param('svcpart');
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
-%
-%  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
-%  $pkgnum = $1;
-%  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
-%  $svcpart = $1;
-%
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%  $svc_forward = new FS::svc_forward({});
-%
-%  $svcnum='';
-%
-%  $svc_forward->set_default_and_fixed;
-%
-%} else { #editing
-%
-%  my($query) = $cgi->keywords;
-%
-%  $query =~ /^(\d+)$/ or die "unparsable svcnum";
-%  $svcnum=$1;
-%  $svc_forward=qsearchs('svc_forward',{'svcnum'=>$svcnum})
-%    or die "Unknown (svc_forward) svcnum!";
-%
-%  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
-%    or die "Unknown (cust_svc) svcnum!";
-%
-%  $pkgnum=$cust_svc->pkgnum;
-%  $svcpart=$cust_svc->svcpart;
-%  
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%}
-%my $action = $svc_forward->svcnum ? 'Edit' : 'Add';
-%
-%my %email;
-%
-%#starting with those currently attached
-%foreach my $method (qw( srcsvc_acct dstsvc_acct )) {
-%  my $svc_acct = $svc_forward->$method();
-%  $email{$svc_acct->svcnum} = $svc_acct->email if $svc_acct;
-%}
-%
-%if ($pkgnum) {
-%
-%  #find all possible user svcnums (and emails)
-%
-%  #and including the rest for this customer
-%  my($u_part_svc,@u_acct_svcparts);
-%  foreach $u_part_svc ( qsearch('part_svc',{'svcdb'=>'svc_acct'}) ) {
-%    push @u_acct_svcparts,$u_part_svc->getfield('svcpart');
-%  }
-%
-%  my($cust_pkg)=qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
-%  my($custnum)=$cust_pkg->getfield('custnum');
-%  my($i_cust_pkg);
-%  foreach $i_cust_pkg ( qsearch('cust_pkg',{'custnum'=>$custnum}) ) {
-%    my($cust_pkgnum)=$i_cust_pkg->getfield('pkgnum');
-%    my($acct_svcpart);
-%    foreach $acct_svcpart (@u_acct_svcparts) {   #now find the corresponding 
-%                                              #record(s) in cust_svc ( for this
-%                                              #pkgnum ! )
-%      foreach my $i_cust_svc (
-%        qsearch( 'cust_svc', { 'pkgnum'  => $cust_pkgnum,
-%                               'svcpart' => $acct_svcpart } )
-%      ) {
-%        my $svc_acct =
-%          qsearchs( 'svc_acct', { 'svcnum' => $i_cust_svc->svcnum } );
-%        $email{$svc_acct->svcnum} = $svc_acct->email;
-%      }  
-%    }
-%  }
-%
-%} elsif ( $action eq 'Add' ) {
-%  die "\$action eq Add, but \$pkgnum is null!\n";
-%}
-%
-%my($srcsvc,$dstsvc,$dst)=(
-%  $svc_forward->srcsvc,
-%  $svc_forward->dstsvc,
-%  $svc_forward->dst,
-%);
-%my $src = $svc_forward->dbdef_table->column('src') ? $svc_forward->src : '';
-%
-%#display
-%
-%
-
-
-<% include("/elements/header.html","Mail Forward $action") %>
+<% include('/elements/header.html', "Mail Forward $action") %>
 
 <% include('/elements/error.html') %>
 
@@ -172,5 +65,111 @@ function dstchanged(what) {
     </TABLE>
 <BR><INPUT TYPE="submit" VALUE="Submit">
 </FORM>
-  </BODY>
-</HTML>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+my $conf = new FS::Conf;
+
+my($svcnum, $pkgnum, $svcpart, $part_svc, $svc_forward);
+if ( $cgi->param('error') ) {
+  $svc_forward = new FS::svc_forward ( {
+    map { $_, scalar($cgi->param($_)) } fields('svc_forward')
+  } );
+  $svcnum = $svc_forward->svcnum;
+  $pkgnum = $cgi->param('pkgnum');
+  $svcpart = $cgi->param('svcpart');
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
+
+  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
+  $pkgnum = $1;
+  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
+  $svcpart = $1;
+
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+  $svc_forward = new FS::svc_forward({});
+
+  $svcnum='';
+
+  $svc_forward->set_default_and_fixed;
+
+} else { #editing
+
+  my($query) = $cgi->keywords;
+
+  $query =~ /^(\d+)$/ or die "unparsable svcnum";
+  $svcnum=$1;
+  $svc_forward=qsearchs('svc_forward',{'svcnum'=>$svcnum})
+    or die "Unknown (svc_forward) svcnum!";
+
+  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
+    or die "Unknown (cust_svc) svcnum!";
+
+  $pkgnum=$cust_svc->pkgnum;
+  $svcpart=$cust_svc->svcpart;
+  
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+}
+my $action = $svc_forward->svcnum ? 'Edit' : 'Add';
+
+my %email;
+
+#starting with those currently attached
+foreach my $method (qw( srcsvc_acct dstsvc_acct )) {
+  my $svc_acct = $svc_forward->$method();
+  $email{$svc_acct->svcnum} = $svc_acct->email if $svc_acct;
+}
+
+if ($pkgnum) {
+
+  #find all possible user svcnums (and emails)
+
+  #and including the rest for this customer
+  my($u_part_svc,@u_acct_svcparts);
+  foreach $u_part_svc ( qsearch('part_svc',{'svcdb'=>'svc_acct'}) ) {
+    push @u_acct_svcparts,$u_part_svc->getfield('svcpart');
+  }
+
+  my($cust_pkg)=qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
+  my($custnum)=$cust_pkg->getfield('custnum');
+  my($i_cust_pkg);
+  foreach $i_cust_pkg ( qsearch('cust_pkg',{'custnum'=>$custnum}) ) {
+    my($cust_pkgnum)=$i_cust_pkg->getfield('pkgnum');
+    my($acct_svcpart);
+    foreach $acct_svcpart (@u_acct_svcparts) {   #now find the corresponding 
+                                              #record(s) in cust_svc ( for this
+                                              #pkgnum ! )
+      foreach my $i_cust_svc (
+        qsearch( 'cust_svc', { 'pkgnum'  => $cust_pkgnum,
+                               'svcpart' => $acct_svcpart } )
+      ) {
+        my $svc_acct =
+          qsearchs( 'svc_acct', { 'svcnum' => $i_cust_svc->svcnum } );
+        $email{$svc_acct->svcnum} = $svc_acct->email;
+      }  
+    }
+  }
+
+} elsif ( $action eq 'Add' ) {
+  die "\$action eq Add, but \$pkgnum is null!\n";
+}
+
+my($srcsvc,$dstsvc,$dst)=(
+  $svc_forward->srcsvc,
+  $svc_forward->dstsvc,
+  $svc_forward->dst,
+);
+my $src = $svc_forward->dbdef_table->column('src') ? $svc_forward->src : '';
+
+</%init>
diff --git a/httemplate/edit/svc_phone.cgi b/httemplate/edit/svc_phone.cgi
index ca62b6416..78b849c8d 100644
--- a/httemplate/edit/svc_phone.cgi
+++ b/httemplate/edit/svc_phone.cgi
@@ -9,3 +9,9 @@
                              },
            )
 %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+</%init>
diff --git a/httemplate/edit/svc_www.cgi b/httemplate/edit/svc_www.cgi
index e19a4fa08..e64928694 100644
--- a/httemplate/edit/svc_www.cgi
+++ b/httemplate/edit/svc_www.cgi
@@ -1,227 +1,240 @@
-%my $conf = new FS::Conf;
-%
-%my( $svcnum,  $pkgnum, $svcpart, $part_svc, $svc_www, $config );
-%
-%if ( $cgi->param('error') ) {
-%
-%  $svc_www = new FS::svc_www ( {
-%    map { $_, scalar($cgi->param($_)) } fields('svc_www')
-%  } );
-%  $svcnum = $svc_www->svcnum;
-%  $pkgnum = $cgi->param('pkgnum');
-%  $svcpart = $cgi->param('svcpart');
-%  $config = $cgi->param('config');
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
-%
-%  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
-%  $pkgnum = $1;
-%  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
-%  $svcpart = $1;
-%
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%  $svc_www = new FS::svc_www { svcpart => $svcpart };
-%
-%  $svcnum='';
-%
-%  $svc_www->set_default_and_fixed;
-%
-%} else { #editing
-%
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/ or die "unparsable svcnum";
-%  $svcnum=$1;
-%  $svc_www=qsearchs('svc_www',{'svcnum'=>$svcnum})
-%    or die "Unknown (svc_www) svcnum!";
-%
-%  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
-%    or die "Unknown (cust_svc) svcnum!";
-%
-%  $pkgnum=$cust_svc->pkgnum;
-%  $svcpart=$cust_svc->svcpart;
-%  $config=$cgi->escapeHTML($svc_www->config);
-%  
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%
-%}
-%my $action = $svc_www->svcnum ? 'Edit' : 'Add';
-%
-%my( %svc_acct, %arec );
-%if ($pkgnum) {
-%
-%  my @u_acct_svcparts;
-%  foreach my $svcpart (
-%    map { $_->svcpart } qsearch( 'part_svc', { 'svcdb' => 'svc_acct' } )
-%  ) {
-%    next if $conf->exists('svc_www-usersvc_svcpart')
-%            && ! grep { $svcpart == $_ }
-%                      $conf->config('svc_www-usersvc_svcpart');
-%    push @u_acct_svcparts, $svcpart;
-%  }
-%
-%  my($cust_pkg)=qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
-%  my($custnum)=$cust_pkg->getfield('custnum');
-%  my($i_cust_pkg);
-%  foreach $i_cust_pkg ( qsearch('cust_pkg',{'custnum'=>$custnum}) ) {
-%    my($cust_pkgnum)=$i_cust_pkg->getfield('pkgnum');
-%    my($acct_svcpart);
-%    foreach $acct_svcpart (@u_acct_svcparts) {   #now find the corresponding 
-%                                              #record(s) in cust_svc ( for this
-%                                              #pkgnum ! )
-%      my($i_cust_svc);
-%      foreach $i_cust_svc ( qsearch('cust_svc',{'pkgnum'=>$cust_pkgnum,'svcpart'=>$acct_svcpart}) ) {
-%        my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$i_cust_svc->getfield('svcnum')});
-%        $svc_acct{$svc_acct->getfield('svcnum')}=
-%          $svc_acct->cust_svc->part_svc->svc. ': '. $svc_acct->email;
-%      }  
-%    }
-%  }
-%
-%
-%  my($d_part_svc,@d_acct_svcparts);
-%  foreach $d_part_svc ( qsearch('part_svc',{'svcdb'=>'svc_domain'}) ) {
-%    push @d_acct_svcparts,$d_part_svc->getfield('svcpart');
-%  }
-%
-%  foreach $i_cust_pkg ( qsearch( 'cust_pkg', { 'custnum' => $custnum } ) ) {
-%    my $cust_pkgnum = $i_cust_pkg->pkgnum;
-%
-%    foreach my $acct_svcpart (@d_acct_svcparts) {
-%
-%      foreach my $i_cust_svc (
-%        qsearch( 'cust_svc', { 'pkgnum'  => $cust_pkgnum,
-%                               'svcpart' => $acct_svcpart } )
-%      ) {
-%        my $svc_domain =
-%          qsearchs( 'svc_domain', { 'svcnum' => $i_cust_svc->svcnum } );
-%
-%        my $extra_sql = "AND ( rectype = 'A' OR rectype = 'CNAME' )";
-%        unless ( $conf->exists('svc_www-enable_subdomains') ) {
-%          $extra_sql .= " AND ( reczone = '\@' OR reczone = '".
-%                        $svc_domain->domain. ".' )";
-%        }
-%
-%        foreach my $domain_rec (
-%          qsearch( 'domain_record',
-%                   {
-%                     'svcnum' => $svc_domain->svcnum,
-%                   },
-%                   '',
-%                   $extra_sql,
-%          )
-%        ) {
-%          $arec{$domain_rec->recnum} = $domain_rec->zone;
-%        }
-%
-%        if ( $conf->exists('svc_www-enable_subdomains') ) {
-%          $arec{'www.'. $svc_domain->domain} = 'www.'. $svc_domain->domain
-%            unless    qsearchs( 'domain_record', {
-%                                  svcnum  => $svc_domain->svcnum,
-%                                  reczone => 'www',
-%                      } )
-%                   || qsearchs( 'domain_record', {
-%                                  svcnum  => $svc_domain->svcnum,
-%                                  reczone => 'www.'.$svc_domain->domain.'.',
-%                    } );
-%        }
-%
-%        $arec{'@.'. $svc_domain->domain} = $svc_domain->domain
-%          unless   qsearchs('domain_record', {
-%                              svcnum  => $svc_domain->svcnum,
-%                              reczone => '@',
-%                   } )
-%                || qsearchs('domain_record', {
-%                              svcnum  => $svc_domain->svcnum,
-%                              reczone => $svc_domain->domain.'.',
-%                   } );
-%
-%      }
-%
-%    }
-%  }
-%
-%} elsif ( $action eq 'Edit' ) {
-%
-%  my($domain_rec) = qsearchs('domain_record', { 'recnum'=>$svc_www->recnum });
-%  $arec{$svc_www->recnum} = join '.', $domain_rec->recdata, $domain_rec->reczone;
-%
-%} else {
-%  die "\$action eq Add, but \$pkgnum is null!\n";
-%}
-%
-%
-%my $p1 = popurl(1);
-
-<% include("/elements/header.html", "Web Hosting $action", '') %>
-
-%print qq!<FONT SIZE="+1" COLOR="#ff0000">Error: !, $cgi->param('error'),
-%      "</FONT>"
-%  if $cgi->param('error');
-%
-%print qq!<FORM ACTION="${p1}process/svc_www.cgi" METHOD=POST>!;
-%
-%#display
-%
-% 
-%
-%#svcnum
-%print qq!<INPUT TYPE="hidden" NAME="svcnum" VALUE="$svcnum">!;
-%print qq!Service #<B>!, $svcnum ? $svcnum : "(NEW)", "</B><BR><BR>";
-%
-%#pkgnum
-%print qq!<INPUT TYPE="hidden" NAME="pkgnum" VALUE="$pkgnum">!;
-% 
-%#svcpart
-%print qq!<INPUT TYPE="hidden" NAME="svcpart" VALUE="$svcpart">!;
-%
-%my($recnum,$usersvc)=(
-%  $svc_www->recnum,
-%  $svc_www->usersvc,
-%);
-%
-%print &ntable("#cccccc",2),
-%      '<TR><TD ALIGN="right">Zone</TD><TD><SELECT NAME="recnum" SIZE=1>';
-%foreach $_ (keys %arec) {
-%  print "<OPTION", $_ eq $recnum ? " SELECTED" : "",
-%        qq! VALUE="$_">$arec{$_}!;
-%}
-%print "</SELECT></TD></TR>";
-%
-%if ( $part_svc->part_svc_column('usersvc')->columnflag ne 'F'
+<% include('/elements/header.html', "Web Hosting $action") %>
+
+<% include('/elements.error.html') %>
+
+<FORM ACTION="<%$p1%>process/svc_www.cgi" METHOD=POST>
+
+<INPUT TYPE="hidden" NAME="svcnum" VALUE="<% $svcnum %>">
+Service #<B><% $svcnum ? $svcnum : "(NEW)" %></B>
+<BR><BR>
+
+<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<% $pkgnum %>">
+
+<INPUT TYPE="hidden" NAME="svcpart" VALUE="<% $svcpart %>">
+
+% my $recnum  = $svc_www->recnum;
+% my $usersvc = $svc_www->usersvc;
+
+<% &ntable("#cccccc",2) %>
+
+  <TR>
+    <TD ALIGN="right">Zone</TD>
+    <TD>
+      <SELECT NAME="recnum" SIZE=1>
+%       foreach $_ (keys %arec) {
+          <OPTION<% $_ eq $recnum ? " SELECTED" : "" %> VALUE="<%$_%>"><%$arec{$_}%>
+%       }
+      </SELECT>
+    </TD>
+  </TR>
+
+% if ( $part_svc->part_svc_column('usersvc')->columnflag ne 'F'
 %     || $part_svc->part_svc_column('usersvc')->columnvalue !~ /^\s*$/) {
-%  print '<TR><TD ALIGN="right">Username</TD><TD><SELECT NAME="usersvc" SIZE=1>';
-%  print '<OPTION VALUE="">(none)';
-%  foreach $_ (keys %svc_acct) {
-%    print "<OPTION", ($_ eq $usersvc) ? " SELECTED" : "",
-%          qq! VALUE="$_">$svc_acct{$_}!;
-%  }
-%  print "</SELECT></TD></TR>";
-%}
-%
-%if ( $part_svc->part_svc_column('config')->columnflag ne 'F' &&
-%     $FS::CurrentUser::CurrentUser->access_right('Edit www config') ) {
-%  print '<TR><TD ALIGN="right">Config lines</TD><TD>';
-%  print qq!<TEXTAREA NAME="config" rows="15" cols="80">$config</TEXTAREA></TD></TR>!
-%}else{
-%  print qq!<INPUT TYPE="hidden" NAME="config" VALUE="$config">!;
-%}
-%
-%foreach my $field ($svc_www->virtual_fields) {
-%  if ( $part_svc->part_svc_column($field)->columnflag ne 'F' ) {
-%    # If the flag is X, it won't even show up in $svc_acct->virtual_fields.
-%    print $svc_www->pvf($field)->widget('HTML', 'edit', 
-%        $svc_www->getfield($field));
-%  }
+    <TR>
+      <TD ALIGN="right">Username</TD>
+      <TD>
+        <SELECT NAME="usersvc" SIZE=1>
+          <OPTION VALUE="">(none)
+%         foreach $_ (keys %svc_acct) {
+            <OPTION<% ($_ eq $usersvc) ? " SELECTED" : "" %> VALUE="<%$_%>"><% $svc_acct{$_} %>
+%         }
+        <SELECT>
+      </TD>
+    </TR>
+% }
+
+% if ( $part_svc->part_svc_column('config')->columnflag ne 'F' &&
+%      $FS::CurrentUser::CurrentUser->access_right('Edit www config') ) {
+    <TR>
+      <TD ALIGN="right">Config lines</TD>
+      <TD>
+        <TEXTAREA NAME="config" rows="15" cols="80"><% $config |h %></TEXTAREA>
+      </TD>
+    </TR>
+% } else {
+    <INPUT TYPE="hidden" NAME="config" VALUE="<% $config |h %>">
 %}
-%
-%print '</TABLE><BR><INPUT TYPE="submit" VALUE="Submit">';
-%
+
+% foreach my $field ($svc_www->virtual_fields) {
+%   if ( $part_svc->part_svc_column($field)->columnflag ne 'F' ) {
+%     # If the flag is X, it won't even show up in $svc_acct->virtual_fields.
+      <% $svc_www->pvf($field)->widget( 'HTML', 'edit',
+                                        $svc_www->getfield($field)
+                                      )
+      %>
+%   }
+% }
+
+</TABLE>
+<BR>
+
+<INPUT TYPE="submit" VALUE="Submit">
 
 </FORM>
 
 <% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Provision customer service'); #something else more specific?
+
+my $conf = new FS::Conf;
+
+my( $svcnum,  $pkgnum, $svcpart, $part_svc, $svc_www, $config );
+
+if ( $cgi->param('error') ) {
+
+  $svc_www = new FS::svc_www ( {
+    map { $_, scalar($cgi->param($_)) } fields('svc_www')
+  } );
+  $svcnum = $svc_www->svcnum;
+  $pkgnum = $cgi->param('pkgnum');
+  $svcpart = $cgi->param('svcpart');
+  $config = $cgi->param('config');
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+} elsif ( $cgi->param('pkgnum') && $cgi->param('svcpart') ) { #adding
+
+  $cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
+  $pkgnum = $1;
+  $cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
+  $svcpart = $1;
+
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+  $svc_www = new FS::svc_www { svcpart => $svcpart };
+
+  $svcnum='';
+
+  $svc_www->set_default_and_fixed;
+
+} else { #editing
+
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/ or die "unparsable svcnum";
+  $svcnum=$1;
+  $svc_www=qsearchs('svc_www',{'svcnum'=>$svcnum})
+    or die "Unknown (svc_www) svcnum!";
+
+  my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
+    or die "Unknown (cust_svc) svcnum!";
+
+  $pkgnum=$cust_svc->pkgnum;
+  $svcpart=$cust_svc->svcpart;
+  #$config=$cgi->escapeHTML($svc_www->config);
+  
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+
+}
+my $action = $svc_www->svcnum ? 'Edit' : 'Add';
+
+my( %svc_acct, %arec );
+if ($pkgnum) {
+
+  my @u_acct_svcparts;
+  foreach my $svcpart (
+    map { $_->svcpart } qsearch( 'part_svc', { 'svcdb' => 'svc_acct' } )
+  ) {
+    next if $conf->exists('svc_www-usersvc_svcpart')
+            && ! grep { $svcpart == $_ }
+                      $conf->config('svc_www-usersvc_svcpart');
+    push @u_acct_svcparts, $svcpart;
+  }
+
+  my($cust_pkg)=qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
+  my($custnum)=$cust_pkg->getfield('custnum');
+  my($i_cust_pkg);
+  foreach $i_cust_pkg ( qsearch('cust_pkg',{'custnum'=>$custnum}) ) {
+    my($cust_pkgnum)=$i_cust_pkg->getfield('pkgnum');
+    my($acct_svcpart);
+    foreach $acct_svcpart (@u_acct_svcparts) {   #now find the corresponding 
+                                              #record(s) in cust_svc ( for this
+                                              #pkgnum ! )
+      my($i_cust_svc);
+      foreach $i_cust_svc ( qsearch('cust_svc',{'pkgnum'=>$cust_pkgnum,'svcpart'=>$acct_svcpart}) ) {
+        my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$i_cust_svc->getfield('svcnum')});
+        $svc_acct{$svc_acct->getfield('svcnum')}=
+          $svc_acct->cust_svc->part_svc->svc. ': '. $svc_acct->email;
+      }  
+    }
+  }
+
+
+  my($d_part_svc,@d_acct_svcparts);
+  foreach $d_part_svc ( qsearch('part_svc',{'svcdb'=>'svc_domain'}) ) {
+    push @d_acct_svcparts,$d_part_svc->getfield('svcpart');
+  }
+
+  foreach $i_cust_pkg ( qsearch( 'cust_pkg', { 'custnum' => $custnum } ) ) {
+    my $cust_pkgnum = $i_cust_pkg->pkgnum;
+
+    foreach my $acct_svcpart (@d_acct_svcparts) {
+
+      foreach my $i_cust_svc (
+        qsearch( 'cust_svc', { 'pkgnum'  => $cust_pkgnum,
+                               'svcpart' => $acct_svcpart } )
+      ) {
+        my $svc_domain =
+          qsearchs( 'svc_domain', { 'svcnum' => $i_cust_svc->svcnum } );
+
+        my $extra_sql = "AND ( rectype = 'A' OR rectype = 'CNAME' )";
+        unless ( $conf->exists('svc_www-enable_subdomains') ) {
+          $extra_sql .= " AND ( reczone = '\@' OR reczone = '".
+                        $svc_domain->domain. ".' )";
+        }
+
+        foreach my $domain_rec (
+          qsearch( 'domain_record',
+                   {
+                     'svcnum' => $svc_domain->svcnum,
+                   },
+                   '',
+                   $extra_sql,
+          )
+        ) {
+          $arec{$domain_rec->recnum} = $domain_rec->zone;
+        }
+
+        if ( $conf->exists('svc_www-enable_subdomains') ) {
+          $arec{'www.'. $svc_domain->domain} = 'www.'. $svc_domain->domain
+            unless    qsearchs( 'domain_record', {
+                                  svcnum  => $svc_domain->svcnum,
+                                  reczone => 'www',
+                      } )
+                   || qsearchs( 'domain_record', {
+                                  svcnum  => $svc_domain->svcnum,
+                                  reczone => 'www.'.$svc_domain->domain.'.',
+                    } );
+        }
+
+        $arec{'@.'. $svc_domain->domain} = $svc_domain->domain
+          unless   qsearchs('domain_record', {
+                              svcnum  => $svc_domain->svcnum,
+                              reczone => '@',
+                   } )
+                || qsearchs('domain_record', {
+                              svcnum  => $svc_domain->svcnum,
+                              reczone => $svc_domain->domain.'.',
+                   } );
+
+      }
+
+    }
+  }
+
+} elsif ( $action eq 'Edit' ) {
+
+  my($domain_rec) = qsearchs('domain_record', { 'recnum'=>$svc_www->recnum });
+  $arec{$svc_www->recnum} = join '.', $domain_rec->recdata, $domain_rec->reczone;
+
+} else {
+  die "\$action eq Add, but \$pkgnum is null!\n";
+}
+
+my $p1 = popurl(1);
+
+</%init>
-- 
2.11.0