putting the C in ACL

[freeside.git] / httemplate / config / config-process.cgi

diff --git a/httemplate/config/config-process.cgi b/httemplate/config/config-process.cgi
index 50f0d34..d8f0d8e 100644 (file)
--- a/httemplate/config/config-process.cgi
+++ b/httemplate/config/config-process.cgi
@@ -1,45 +1,62 @@
-<%
-  my $conf = new FS::Conf;
-  $FS::Conf::DEBUG = 1;
-  my @config_items = $conf->config_items;
+<%init>
 
-  foreach my $i ( @config_items ) {
-    my @touch = ();
-    my @delete = ();
-    my $n = 0;
-    foreach my $type ( ref($i->type) ? @{$i->type} : $i->type ) {
-      if ( $type eq '' ) {
-      } elsif ( $type eq 'textarea' ) {
-        if ( $cgi->param($i->key. $n) ne '' ) {
-          my $value = $cgi->param($i->key. $n);
-          $value =~ s/\r\n/\n/g; #browsers?
-          $conf->set($i->key, $value);
-        } else {
-          $conf->delete($i->key);
-        }
-      } elsif ( $type eq 'checkbox' ) {
+die "access denied\n"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+# errant GET/POST protection
+my $Vars = scalar($cgi->Vars);
+my $num_Vars = scalar(keys %$Vars);
+die "only received $num_Vars params; errant or truncated GET/POST?".
+    "  aborting - not updating config\n"
+  unless $num_Vars > 100;
+
+my $conf = new FS::Conf;
+$FS::Conf::DEBUG = 1;
+my @config_items = $conf->config_items;
+
+foreach my $i ( @config_items ) {
+  my @touch = ();
+  my @delete = ();
+  my $n = 0;
+  foreach my $type ( ref($i->type) ? @{$i->type} : $i->type ) {
+    if ( $type eq '' ) {
+    } elsif ( $type eq 'textarea' ) {
+      if ( $cgi->param($i->key. $n) ne '' ) {
+        my $value = $cgi->param($i->key. $n);
+        $value =~ s/\r\n/\n/g; #browsers?
+        $conf->set($i->key, $value);
+      } else {
+        $conf->delete($i->key);
+      }
+    } elsif ( $type eq 'checkbox' ) {
 #        if ( defined($cgi->param($i->key. $n)) && $cgi->param($i->key. $n) ) {
-        if ( defined $cgi->param($i->key. $n) ) {
-          #$conf->touch($i->key);
-          push @touch, $i->key;
-        } else {
-          #$conf->delete($i->key);
-          push @delete, $i->key;
-        }
-      } elsif ( $type eq 'text' )  {
-        if ( $cgi->param($i->key. $n) ne '' ) {
-          $conf->set($i->key, $cgi->param($i->key. $n));
-        } else {
-          $conf->delete($i->key);
-        }
+      if ( defined $cgi->param($i->key. $n) ) {
+        #$conf->touch($i->key);
+        push @touch, $i->key;
+      } else {
+        #$conf->delete($i->key);
+        push @delete, $i->key;
+      }
+    } elsif ( $type eq 'text' || $type eq 'select' || $type eq 'select-sub' )  {
+      if ( $cgi->param($i->key. $n) ne '' ) {
+        $conf->set($i->key, $cgi->param($i->key. $n));
+      } else {
+        $conf->delete($i->key);
+      }
+    } elsif ( $type eq 'editlist' || $type eq 'selectmultiple' )  {
+      if ( scalar(@{[ $cgi->param($i->key. $n) ]}) ) {
+        $conf->set($i->key, join("\n", @{[ $cgi->param($i->key. $n) ]} ));
       } else {
+        $conf->delete($i->key);
       }
-      $n++;
+    } else {
     }
-   # warn @touch;
-    $conf->touch($_) foreach @touch;
-    $conf->delete($_) foreach @delete;
+    $n++;
   }
+ # warn @touch;
+  $conf->touch($_) foreach @touch;
+  $conf->delete($_) foreach @delete;
+}
 
-%>
-<%= $cgi->redirect("config-view.cgi") %>
+</%init>
+<% $cgi->redirect("config-view.cgi") %>