fix ACLs to allow the limited "package editing" of customizing customer packages
authorivan <ivan>
Thu, 17 Jan 2008 04:23:14 +0000 (04:23 +0000)
committerivan <ivan>
Thu, 17 Jan 2008 04:23:14 +0000 (04:23 +0000)
httemplate/edit/part_pkg.cgi
httemplate/edit/process/part_pkg.cgi

index 7e79448..ec001cb 100755 (executable)
@@ -243,6 +243,7 @@ Line-item revenue recognition
 %  delete $freq{$_} foreach grep { ! /^\d+$/ } keys %freq;
 %}
 %
+%#this should be replaced by /elements/selectlayers.html
 %my $widget = new HTML::Widgets::SelectLayers(
 %  'selected_layer' => $part_pkg->plan,
 %  'options'        => \%options,
@@ -363,10 +364,6 @@ Line-item revenue recognition
 <% include('/elements/footer.html') %>
 <%init>
 
-die "access denied"
-  unless $FS::CurrentUser::CurrentUser->access_right('Edit package definitions')
-      || $FS::CurrentUser::CurrentUser->access_right('Edit global package definitions');
-
 if ( $cgi->param('clone') && $cgi->param('clone') =~ /^(\d+)$/ ) {
   $cgi->param('clone', $1);
 } else {
@@ -378,6 +375,13 @@ if ( $cgi->param('pkgnum') && $cgi->param('pkgnum') =~ /^(\d+)$/ ) {
   $cgi->param('pkgnum', '');
 }
 
+my $curuser = $FS::CurrentUser::CurrentUser;
+
+die "access denied"
+  unless $curuser->access_right('Edit package definitions')
+      || $curuser->access_right('Edit global package definitions')
+      || ( $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') );
+
 my ($query) = $cgi->keywords;
 
 my $conf = new FS::Conf; 
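Review bot: The new third clause grants access to anyone holding 'Customize customer package' as soon as a `pkgnum` parameter is present, and nothing in this hunk ties that pkgnum to a customer package the current user is allowed to work on. The digit check just above only validates the format, and the `<%init>` block continues outside the hunk, so any scoping by agent or customer would have to happen further down. If it does not, the customize right effectively unlocks the edit form for every package definition rather than only for the package being customized. Consider looking up the cust_pkg record for that pkgnum and confirming it exists and is visible to `$curuser` before accepting the clause, and record the intent with a comment such as `# customize right applies only when editing on behalf of an existing customer package (pkgnum validated above)`.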
index d3d4f85..2381e7f 100755 (executable)
 %}
 <%init>
 
-die "access denied"
-  unless $FS::CurrentUser::CurrentUser->access_right('Edit package definitions')
-      || $FS::CurrentUser::CurrentUser->access_right('Edit global package definitions');
-
 my $dbh = dbh;
 my $conf = new FS::Conf;
 
@@ -70,6 +66,8 @@ my %pkg_svc = map { $_ => scalar($cgi->param("pkg_svc$_")) }
               map { $_->svcpart }
               qsearch('part_svc', {} );
 
+my $curuser = $FS::CurrentUser::CurrentUser;
+
 my $custnum = '';
 if ( $error ) {
 
@@ -81,12 +79,21 @@ if ( $error ) {
 
 } elsif ( $pkgpart ) {
 
+  die "access denied"
+    unless $curuser->access_right('Edit package definitions')
+        || $curuser->access_right('Edit global package definitions');
+
   $error = $new->replace( $old,
                           pkg_svc     => \%pkg_svc,
                           primary_svc => scalar($cgi->param('pkg_svc_primary')),
                         );
 } else {
 
+  die "access denied"
+    unless $curuser->access_right('Edit package definitions')
+        || $curuser->access_right('Edit global package definitions');
+        || ( $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') );
+
   $error = $new->insert(  pkg_svc     => \%pkg_svc,
                           primary_svc => scalar($cgi->param('pkg_svc_primary')),
                           cust_pkg    => $cgi->param('pkgnum'),
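Review bot: The access check added in the `else` branch does not parse: the line `|| $curuser->access_right('Edit global package definitions');` ends with a semicolon, so the following `|| ( $cgi->param('pkgnum') && ... );` starts a statement with `||` and the component will fail to compile. Drop the semicolon so the second clause reads `|| $curuser->access_right('Edit global package definitions')`. Once that is fixed, the customize clause trusts a client-supplied `pkgnum` that this file's visible lines neither validate as numeric nor check against a package the user may access. The same value is passed as `cust_pkg => $cgi->param('pkgnum')` in list context while the neighbouring arguments use `scalar(...)`; writing `cust_pkg => scalar($cgi->param('pkgnum')),` keeps a repeated parameter from adding extra key/value pairs to the insert call. The `if ( $error )` branch no longer has any access check in the visible lines, which should be confirmed as intentional.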