ACL on customer edit
author
ivan
<ivan>
Sun, 12 Jul 2009 23:25:13 +0000
(23:25 +0000)
committer
ivan
<ivan>
Sun, 12 Jul 2009 23:25:13 +0000
(23:25 +0000)
httemplate/edit/cust_main.cgi
diff --git
a/httemplate/edit/cust_main.cgi
b/httemplate/edit/cust_main.cgi
index
7308c72
..
5751314
100755
(executable)
--- a/
httemplate/edit/cust_main.cgi
+++ b/
httemplate/edit/cust_main.cgi
@@
-199,8
+199,12
@@
function samechanged(what) {
<%init>
<%init>
+my $curuser = $FS::CurrentUser::CurrentUser;
+
+#probably redundant given the checks below...
die "access denied"
die "access denied"
- unless $FS::CurrentUser::CurrentUser->access_right('Edit customer');
+ unless $curuser->access_right('New customer')
+ || $curuser->access_right('Edit customer');
my $conf = new FS::Conf;
my $conf = new FS::Conf;
@@
-219,6
+223,10
@@
if ( $cgi->param('error') ) {
} );
$custnum = $cust_main->custnum;
} );
$custnum = $cust_main->custnum;
+
+ die "access denied"
+ unless $curuser->access_right($custnum ? 'Edit customer' : 'New customer');
+
@invoicing_list = split( /\s*,\s*/, $cgi->param('invoicing_list') );
$same = $cgi->param('same');
$cust_main->setfield('paid' => $cgi->param('paid')) if $cgi->param('paid');
@invoicing_list = split( /\s*,\s*/, $cgi->param('invoicing_list') );
$same = $cgi->param('same');
$cust_main->setfield('paid' => $cgi->param('paid')) if $cgi->param('paid');
@@
-245,6
+253,9
@@
if ( $cgi->param('error') ) {
} elsif ( $cgi->keywords ) { #editing
} elsif ( $cgi->keywords ) { #editing
+ die "access denied"
+ unless $curuser->access_right('Edit customer');
+
my( $query ) = $cgi->keywords;
$query =~ /^(\d+)$/;
$custnum=$1;
my( $query ) = $cgi->keywords;
$query =~ /^(\d+)$/;
$custnum=$1;
@@
-262,6
+273,9
@@
if ( $cgi->param('error') ) {
} else { #new customer
} else { #new customer
+ die "access denied"
+ unless $curuser->access_right('New customer');
+
$custnum='';
$cust_main = new FS::cust_main ( {} );
$cust_main->otaker( &getotaker );
$custnum='';
$cust_main = new FS::cust_main ( {} );
$cust_main->otaker( &getotaker );
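Review bot: In the second hunk (the error-redisplay branch), the added `die "access denied" unless $curuser->access_right($custnum ? 'Edit customer' : 'New customer');` picks the right to check from `$custnum`, which is taken from `$cust_main->custnum` on an object rebuilt from the re-submitted form rather than from the database, so the submitted data decides which of the two rights is tested. That is acceptable only because this script merely redisplays the form; the commit should say so, e.g. `# $custnum comes from the re-submitted form, not the database -- the process script must enforce the same ACL`, and the processing endpoint (not in this diff) should be confirmed to apply the matching 'Edit customer' / 'New customer' checks. The `#probably redundant given the checks below...` comment in the first hunk is accurate, since the OR'd check is implied by each branch's stricter check, so it could state that it is kept only to fail fast. The `<%init>` block and its `if`/`elsif`/`else` chain begin and end outside the hunks shown, so whether any code path reaches `$cust_main` use without one of the branch checks cannot be confirmed from here.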