resolve inconsistency with posting payments then not having the ACL to view them...
authorivan <ivan>
Wed, 3 Aug 2011 00:05:03 +0000 (00:05 +0000)
committerivan <ivan>
Wed, 3 Aug 2011 00:05:03 +0000 (00:05 +0000)
FS/FS/AccessRight.pm
httemplate/misc/process/payment.cgi
httemplate/search/elements/cust_pay_or_refund.html
httemplate/view/cust_pay.html
httemplate/view/cust_refund.html

index 458f969..4514ccb 100644 (file)
@@ -186,6 +186,7 @@ tie my %rights, 'Tie::IxHash',
   # customer payment rights
   ###
   'Customer payment rights' => [
+    'View payments',
     { rightname=>'Post payment', desc=>'Make check or cash payments.' },
     'Post check payment',
     'Post cash payment',
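Review bot: 'View payments' here, and 'View refunds' in the next hunk, are registered as bare names with no `desc`, while most of the rights around them carry one. An administrator granting them cannot tell from this list that 'View invoices' still passes the same checks in view/cust_pay.html and view/cust_refund.html during the transition, so withholding the new right alone does not hide payments or refunds. Consider `{ rightname=>'View payments', desc=>'View payment details. View invoices also grants this until the two are split.' },` and a matching entry for refunds. The %rights list starts and ends outside both hunks.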
@@ -206,6 +207,7 @@ tie my %rights, 'Tie::IxHash',
     'Apply credit', #NEWNEW
     { rightname=>'Unapply credit', desc=>'Enable "unapplication" of unclosed credits.' }, #aka unapplycredits
     { rightname=>'Delete credit', desc=>'Enable deletion of unclosed credits. Be very careful!  Only delete credits that were data-entry errors, not adjustments.' }, #aka. deletecredits Optionally specify one or more comma-separated email addresses to be notified when a credit is deleted.
+    'View refunds',
     { rightname=>'Post refund', desc=>'Enable posting of check and cash refunds.' },
     'Post check refund',
     'Post cash refund',
index 9c85127..5fa57e4 100644 (file)
 
   <% include('/elements/footer.html') %>
 
-% } else {
+% #2.5/2.7?# } elsif ( $curuser->access_right('View payments') ) {
+% } elsif ( $curuser->access_right(['View invoices', 'View payments']) ) {
 <% $cgi->redirect(popurl(3). "view/cust_pay.html?paynum=$paynum" ) %>
+% } else {
+<% $cgi->redirect(popurl(3). "view/cust_main.html?custnum=$custnum" ) %>
 % }
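Review bot: The new `elsif` passes an array reference to `access_right`, while the view pages in this commit write the same test as two calls joined with `||`; the branch is only correct if the list form means any-of, which is not visible here. A comment such as `# any one of these rights is enough; drop 'View invoices' with the 2.5/2.7 cleanup` would make that explicit, or use the `||` form for consistency. The fallback redirect also interpolates `$custnum` into the URL, and its assignment and validation sit in the `<%init>` section outside the hunk, so confirm it is set and numeric on every path that reaches this branch.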
 <%init>
 
-die "access denied"
-  unless $FS::CurrentUser::CurrentUser->access_right('Process payment');
+my $curuser = $FS::CurrentUser::CurrentUser;
+die "access denied" unless $curuser->access_right('Process payment');
 
 #some false laziness w/MyAccount::process_payment
 
index 8c32b79..002b1a4 100755 (executable)
@@ -74,8 +74,9 @@ $title = 'Unapplied ' if $unapplied;
 $title .= "\u$name_singular Search Results";
 
 my $link = '';
-if (    ( $curuser->access_right('View invoices') #XXX for now
-          || $curuser->access_right('View customer payments')
+if (    ( $curuser->access_right('View invoices') #remove in 2.5 (2.7?)
+          || ($curuser->access_right('View payments') && $table =~ /^cust_pay/)
+          || ($curuser->access_right('View refunds') && $table eq 'cust_refund')
         )
      && ! $opt{'disable_link'}
    )
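Review bot: `$table =~ /^cust_pay/` is a prefix match, so 'View payments' enables the link for every table whose name merely starts with cust_pay, while the refund test beside it is an exact `eq 'cust_refund'`. If only specific tables are meant, anchor both ends and list them, e.g. `$table =~ /^(?:cust_pay|OTHER_TABLE_NAME)$/`; if the prefix is intentional, say so in a comment such as `# prefix match on purpose: covers the cust_pay_* variants`. This condition only decides whether result rows link to the view page; the `if` body and the search's own access check are outside the hunk.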
index c9b2d51..d02f154 100644 (file)
 my $curuser = $FS::CurrentUser::CurrentUser;
 
 die "access denied"
-  unless $curuser->access_right('View invoices') #remove this in 1.9 EVENTUALLY
-  || $curuser->access_right('View customer payments');
+  unless $curuser->access_right('View invoices') #remove this in 2.5 (2.7?)
+  || $curuser->access_right('View payments');
 
 $cgi->param('paynum') =~ /^(\d+)$/ or die "no paynum";
 my $paynum = $1;
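Review bot: The check drops 'View customer payments' outright, so if that right was ever grantable, any group holding it without 'View invoices' is denied here after the upgrade. The same rename applies to the link test in cust_pay_or_refund.html and to view/cust_refund.html, where refunds now need 'View refunds' instead. No migration of existing grants is visible in this commit, so confirm one exists in the upgrade path or add one. Failing closed is the safe direction, but it deserves a line in the upgrade notes. The init block continues outside the hunk.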
index f19c61b..996b4c0 100644 (file)
 my $curuser = $FS::CurrentUser::CurrentUser;
 
 die "access denied"
-  unless $curuser->access_right('View invoices') #remove this in 1.9 EVENTUALLY
-      || $curuser->access_right('View customer payments');
-      #'View customer refunds' ???
-
+  unless $curuser->access_right('View invoices') #remove this in 2.5 (2.7?)
+      || $curuser->access_right('View refunds');
 
 $cgi->param('refundnum') =~ /^(\d+)$/ or die "no refundnum";
 my $refundnum = $1;