-<%
-
-my $classnum = $cgi->param('classnum');
-$classnum =~ /^(\d+)$/ or eidiot "illegal classnum $classnum";
-$classnum = $1;
-my $inventory_class = qsearchs('inventory_class', { 'classnum' => $classnum } );
-
-%><%= include("/elements/header.html", $inventory_class->classname. 's') %>
+<% include("/elements/header.html", $inventory_class->classname. 's') %>
<FORM ACTION="process/inventory_item-import.html" METHOD="POST" ENCTYPE="multipart/form-data">
-<INPUT TYPE="hidden" NAME="classnum" VALUE="<%= $classnum %>">
-Import a file containing <%= $inventory_class->classname %>s, one per line.<BR><BR>
+<INPUT TYPE="hidden" NAME="classnum" VALUE="<% $classnum %>">
+Import a file containing <% $inventory_class->classname %>s, one per line.<BR><BR>
Filename: <INPUT TYPE="file" NAME="filename"><BR><BR>
<INPUT TYPE="submit" VALUE="Upload">
</FORM>
-<%= include('/elements/footer.html') %>
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+ unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+$cgi->param =~ /^(\d+)$/ or errorpage("illegal classnum");
+my $classnum = $1;
+my $inventory_class = qsearchs('inventory_class', { 'classnum' => $classnum } );
+</%init>
projects / freeside.git / blobdiff