don't redirect to a GET with sensitive data, RT#26099

[freeside.git] / httemplate / edit / process / cust_main.cgi

diff --git a/httemplate/edit/process/cust_main.cgi b/httemplate/edit/process/cust_main.cgi
index 1ac78fe..7241b0a 100755 (executable)
--- a/httemplate/edit/process/cust_main.cgi
+++ b/httemplate/edit/process/cust_main.cgi
@@ -1,7 +1,7 @@
 % if ( $error ) {
 %   $cgi->param('error', $error);
-%
-<% $cgi->redirect(popurl(2). "cust_main.cgi?". $cgi->query_string ) %>
+%   my $query = $m->scomp('/elements/create_uri_query', 'secure'=>1);
+<% $cgi->redirect(popurl(2). "cust_main.cgi?$query" ) %>
 %
 % } else { 
 %
@@ -16,8 +16,8 @@ my $DEBUG = 0;
 </%once>
 <%init>
 
-die "access denied"
-  unless $FS::CurrentUser::CurrentUser->access_right('Edit customer');
+my $curuser = $FS::CurrentUser::CurrentUser;
+die "access denied" unless $curuser->access_right('Edit customer');
 
 my $conf = new FS::Conf;
 
@@ -78,6 +78,23 @@ if ( $duplicate_of ) {
     or die "nonexistent existing customer (custnum $duplicate_of)";
 }
 
+# if this is enabled, enforce it
+if ( $conf->exists('agent-ship_address', $cgi->param('agentnum')) ) {
+  my $agent = FS::agent->by_key($cgi->param('agentnum'));
+  my $agent_cust_main = $agent->agent_cust_main;
+  if ( $agent_cust_main ) {
+    my $pre = '';
+    $pre = 'ship_' if $agent_cust_main->has_ship_address;
+    foreach (qw(address1 city state zip country latitude longitude)) {
+      $new->set("ship_$_", $agent_cust_main->get($pre.$_));
+    }
+    foreach (qw(first last company)) {
+      $new->set("ship_$_", $cgi->param($_));
+    }
+    $cgi->param('same', '');
+  }
+}
+
 if ( defined($cgi->param('same')) && $cgi->param('same') eq "Y" ) {
   $new->setfield("ship_$_", '') foreach qw(
     last first company address1 address2 city county state zip
@@ -137,9 +154,14 @@ foreach my $dfield (qw(
 $new->setfield('paid', $cgi->param('paid') )
   if $cgi->param('paid');
 
-my @exempt_groups = grep /\S/, $conf->config('tax-cust_exempt-groups');
-my @tax_exempt = grep { $cgi->param("tax_$_") eq 'Y' } @exempt_groups;
-my %tax_exempt = map { $_ => scalar($cgi->param("tax_$_".'_num')) } @tax_exempt;
+my %options = ();
+if ( $curuser->access_right('Edit customer tax exemptions') ) { 
+  my @exempt_groups = grep /\S/, $conf->config('tax-cust_exempt-groups');
+  my @tax_exempt = grep { $cgi->param("tax_$_") eq 'Y' } @exempt_groups;
+  $options{'tax_exemption'} = {
+    map { $_ => scalar($cgi->param("tax_$_".'_num')) } @tax_exempt
+  };
+}
 
 #perhaps this stuff should go to cust_main.pm
 if ( $new->custnum eq '' or $duplicate_of ) {
@@ -247,8 +269,8 @@ if ( $new->custnum eq '' or $duplicate_of ) {
   else {
     # create the customer
     $error ||= $new->insert( \%hash, \@invoicing_list,
-                           'tax_exemption'=> \%tax_exempt,
-                           'prospectnum'  => scalar($cgi->param('prospectnum')),
+                             %options,
+                             prospectnum => scalar($cgi->param('prospectnum')),
                            );
 
     my $conf = new FS::Conf;
@@ -305,7 +327,7 @@ if ( $new->custnum eq '' or $duplicate_of ) {
   local($FS::Record::DEBUG)    = $DEBUG if $DEBUG;
 
   $error ||= $new->replace( $old, \@invoicing_list,
-                            'tax_exemption' => \%tax_exempt,
+                            %options,
                           );
 
   warn "$me returned from replace" if $DEBUG;