don't redirect to a GET with sensitive data, RT#26099

[freeside.git] / httemplate / edit / process / cust_main.cgi

diff --git a/httemplate/edit/process/cust_main.cgi b/httemplate/edit/process/cust_main.cgi
index 584462c..4fb8f62 100755 (executable)
--- a/httemplate/edit/process/cust_main.cgi
+++ b/httemplate/edit/process/cust_main.cgi
@@ -1,7 +1,7 @@
 % if ( $error ) {
 %   $cgi->param('error', $error);
-%
-<% $cgi->redirect(popurl(2). "cust_main.cgi?". $cgi->query_string ) %>
+%   my $query = $m->scomp('/elements/create_uri_query', 'secure'=>1);
+<% $cgi->redirect(popurl(2). "cust_main.cgi?$query" ) %>
 %
 % } else { 
 %
@@ -62,6 +62,18 @@ $cgi->param('invoicing_list', join(',', @invoicing_list) );
 $cgi->param('duplicate_of_custnum') =~ /^(\d+)$/;
 my $duplicate_of = $1;
 
+# if this is enabled, enforce it
+if ( $conf->exists('agent-ship_address', $cgi->param('agentnum')) ) {
+  my $agent = FS::agent->by_key($cgi->param('agentnum'));
+  my $agent_cust_main = $agent->agent_cust_main;
+  if ( $agent_cust_main ) {
+    my $agent_location = $agent_cust_main->ship_location;
+    foreach (qw(address1 city state zip country latitude longitude district)) {
+      $cgi->param("ship_$_", $agent_location->get($_));
+    }
+  }
+}
+
 my %locations;
 for my $pre (qw(bill ship)) {
 
@@ -71,10 +83,7 @@ for my $pre (qw(bill ship)) {
   }
   $hash{'custnum'} = $cgi->param('custnum');
   warn Dumper \%hash if $DEBUG;
-  # if we can qsearchs it, then it's unchanged, so use that
-  $locations{$pre} = qsearchs('cust_location', \%hash)
-                     || FS::cust_location->new( \%hash );
-
+  $locations{$pre} = FS::cust_location->new(\%hash);
 }
 
 if ( ($cgi->param('same') || '') eq 'Y' ) {
@@ -204,6 +213,7 @@ if ( $new->custnum eq '' or $duplicate_of ) {
       #later         'custnum' => $custnum,
       'pkgpart'     => $pkgpart,
       'locationnum' => scalar($cgi->param('locationnum')),
+      'salesnum'    => scalar($cgi->param('salesnum')),
     } );