ACLs

[freeside.git] / httemplate / edit / process / cust_pkg.cgi

diff --git a/httemplate/edit/process/cust_pkg.cgi b/httemplate/edit/process/cust_pkg.cgi
index 25b8267..bdade32 100755 (executable)
--- a/httemplate/edit/process/cust_pkg.cgi
+++ b/httemplate/edit/process/cust_pkg.cgi
@@ -11,7 +11,7 @@
     </HTML>
 
 % } elsif ( $action eq 'bulk' ) {
-%   $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum");
+<% $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum") %>
 % } else {
 %   die "guru exception #5: action is neither change nor bulk!";
 % }
@@ -28,15 +28,27 @@ my @remove_pkgnums = map {
   $1;
 } $cgi->param('remove_pkg');
 
+my $curuser = $FS::CurrentUser::CurrentUser;
+
 my( $action, $error_redirect );
 my @pkgparts = ();
 if ( $cgi->param('new_pkgpart') =~ /^(\d+)$/ ) { #came from misc/change_pkg.cgi
+
   $action = 'change';
   $error_redirect = "misc/change_pkg.cgi";
   @pkgparts = ($1);
+
+  die "access denied"
+    unless $curuser->access_right('Change customer package');
+
 } else { #came from edit/cust_pkg.cgi
+
   $action = 'bulk';
   $error_redirect = "edit/cust_pkg.cgi";
+
+  die "access denied"
+    unless $curuser->access_right('Bulk change customer packages');
+
   foreach my $pkgpart ( map /^pkg(\d+)$/ ? $1 : (), $cgi->param ) {
     if ( $cgi->param("pkg$pkgpart") =~ /^(\d+)$/ ) {
       my $num_pkgs = $1;
@@ -48,6 +60,7 @@ if ( $cgi->param('new_pkgpart') =~ /^(\d+)$/ ) { #came from misc/change_pkg.cgi
       last;
     }
   }
+
 }
 
 $error ||= FS::cust_pkg::order($custnum,\@pkgparts,\@remove_pkgnums);