Add access right to view attachments
authormark <mark>
Mon, 14 Dec 2009 01:41:29 +0000 (01:41 +0000)
committermark <mark>
Mon, 14 Dec 2009 01:41:29 +0000 (01:41 +0000)
FS/FS/AccessRight.pm
httemplate/browse/cust_attachment.html
httemplate/edit/cust_main_attach.cgi
httemplate/elements/menu.html
httemplate/view/cust_main.cgi
httemplate/view/cust_main/attachments.html

index a54d270..44235b1 100644 (file)
@@ -206,6 +206,7 @@ tie my %rights, 'Tie::IxHash',
   'Customer note and attachment rights' => [
     'Add customer note', #NEW
     'Edit customer note', #NEW
+    'View attachments',
     'Download attachment', #NEW
     'Add attachment', #NEW
     'Edit attachment', #NEW
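Review bot: The new 'View attachments' entry is the only one in this group without the trailing `#NEW` marker, and nothing in the visible hunk says how existing roles obtain the right. The other hunks make the browse, edit and view components die or hide content without it, so staff who could see attachments before would lose access until it is granted; whether an upgrade step covers that is not visible here. Suggest `'View attachments', #NEW` for consistency, plus a comment or upgrade note stating that the right must be granted explicitly. The `%rights` list starts and ends outside the hunk.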
index 0fdc745..d95f2b1 100755 (executable)
@@ -62,6 +62,7 @@
 <%init>
 
 my $curuser = $FS::CurrentUser::CurrentUser;
+die "access denied" if !$curuser->access-right('View attachments');
 
 my $conf = new FS::Conf;
 
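Review bot: The added guard is spelled `access-right` with a hyphen, so Perl parses it as `$curuser->access` minus a call to `right('View attachments')` rather than the permission check used in the other hunks. As written the line will most likely raise a method or subroutine lookup error for every user instead of evaluating the right, so the page fails closed for the wrong reason and is unusable even for authorised staff. It should read `die "access denied" if !$curuser->access_right('View attachments');`. The `<%init>` block continues outside the hunk.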
index 5e9b16c..a007310 100755 (executable)
@@ -44,6 +44,7 @@ onclick="return(confirm('Delete this file?'));">
 <%init>
 
 my $curuser = $FS::CurrentUser::CurrentUser;
+die "access denied" if !$curuser->access_right('View attachments');
 my $attachnum = '';
 my $attach;
 if ( $cgi->param('error') ) {
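Review bot: This edit component is gated only on 'View attachments', although the rights list in this commit has separate 'Add attachment' and 'Edit attachment' entries and the hunk context shows a 'Delete this file?' control on the page. If the write rights are not checked further down in this `<%init>` block or in the processing handler (neither is visible here), a view-only user can reach the edit form. Consider also requiring a write right, e.g. `die "access denied" unless $curuser->access_right('Edit attachment') or $curuser->access_right('Add attachment');`, adjusted to whether an existing attachment is being edited. The block continues outside the hunk.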
index b039e78..caf2274 100644 (file)
@@ -323,7 +323,7 @@ $tools_menu{'Ticketing'} = [ \%tools_ticketing, 'Ticketing tools' ]
 $tools_menu{'Time Queue'} =  [ $fsurl.'search/report_timeworked.html', 'View pending support time' ]
   if $curuser->access_right('Time queue');
 $tools_menu{'Attachments'} = [ $fsurl.'browse/cust_attachment.html', 'View customer attachments' ]
-  if !$conf->config('disable_cust_attachment');
+  if !$conf->config('disable_cust_attachment') and $curuser->access_right('View attachments');
 $tools_menu{'Importing'} =  [ \%tools_importing, 'Import tools' ]
   if $curuser->access_right('Import');
 $tools_menu{'Exporting'} =  [ \%tools_exporting, 'Export tools' ]
index 08d99d8..76f5a51 100755 (executable)
@@ -153,16 +153,18 @@ Comments
           )
 %>
 % }
+% if( $curuser->access_right('View attachments') ) {
 <% include('cust_main/attachments.html', 'custnum' => $cust_main->custnum ) %>
-% if($cgi->param('show_deleted')) {
+%   if ($cgi->param('show_deleted')) {
 <A HREF="<% $p.'view/cust_main.cgi?custnum=' . $cust_main->custnum .
            ($view ? ";show=$view" : '') . '#notes' 
            %>"><I>(Show active attachments)</I></A>
-% }
+%   }
 % elsif($curuser->access_right('View deleted attachments')) {
 <A HREF="<% $p.'view/cust_main.cgi?custnum=' . $cust_main->custnum .
            ($view ? ";show=$view" : '') . ';show_deleted=1#notes'
            %>"><I>(Show deleted attachments)</I></A>
+%   }
 % }
 <BR>
 
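Review bot: The `% elsif($curuser->access_right('View deleted attachments'))` line is left at the outer indent although it now continues the inner `%   if ($cgi->param('show_deleted'))`, so it reads as an alternative to the 'View attachments' check, which it is not. Re-indent it as `%   elsif (...) {` to match the `%   }` lines around it. The outer guard also matters functionally: the attachments.html hunk adds its own `die "access denied"`, so without this wrapper the whole customer view would abort for users lacking the right.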
index dbb29a7..b16a81e 100755 (executable)
 
 my $conf = new FS::Conf;
 my $curuser = $FS::CurrentUser::CurrentUser;
-
+die "access denied" if !$curuser->access_right('View attachments');
 my(%opt) = @_;
 
 my $custnum = $opt{'custnum'};