ACLs

diff --git a/httemplate/misc/batch-cust_pay.html b/httemplate/misc/batch-cust_pay.html
index 89dd68a..8488939 100644 (file)
--- a/httemplate/misc/batch-cust_pay.html
+++ b/httemplate/misc/batch-cust_pay.html
@@ -1,7 +1,4 @@
-<% include("/elements/header.html", 'Quick payment entry',
-            menubar( 'Main Menu' => $p ),
-          )
-%>
+<% include('/elements/header.html', 'Quick payment entry') %>
 
 <% include('/elements/error.html') %>
 
@@ -24,5 +21,12 @@
 <INPUT TYPE="submit" NAME="submit" VALUE="Post payment batch">
 
 </FORM>
-</BODY>
-</HTML>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Post payment batch');
+
+</%init>

diff --git a/httemplate/misc/bill.cgi b/httemplate/misc/bill.cgi
index 24dfd6b..3c3c48c 100755 (executable)
--- a/httemplate/misc/bill.cgi
+++ b/httemplate/misc/bill.cgi
@@ -1,45 +1,45 @@
-%
-%#untaint custnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d*)$/;
-%my $custnum = $1;
-%my $cust_main = qsearchs('cust_main',{'custnum'=>$custnum});
-%die "Can't find customer!\n" unless $cust_main;
-%
-%my $conf = new FS::Conf;
-%
-%my $error = $cust_main->bill(
-%#                          'time'=>$time
-%                         );
-%
-%unless ( $error ) {
-%  $error = $cust_main->apply_payments_and_credits
-%           || $cust_main->collect(
-%                                  #'invoice-time'=>$time,
-%                                  #'batch_card'=> 'yes',
-%                                  #'batch_card'=> 'no',
-%                                  #'report_badcard'=> 'yes',
-%                                  #'retry_card' => 'yes',
-%
-%                                  'retry' => 'yes',
-%                                   
-%                                  #this is used only by cust_main::batch_card
-%                                  #need to pick & create an actual config
-%                                  #value if we're going to turn this on
-%                                  #("realtime-backend" doesn't exist,
-%                                  # "backend-realtime" is for something
-%                                  #  entirely different)
-%                                  #'realtime' => $conf->exists('realtime-backend'),
-%                                 );
-%}
-%
 %if ( $error ) {
-%
-
-<!-- mason kludge -->
-%
 %  errorpage($error);
 %} else {
-%  print $cgi->redirect(popurl(2). "view/cust_main.cgi?$custnum");
+<% $cgi->redirect(popurl(2). "view/cust_main.cgi?$custnum") %>
 %}
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Bill customer now');
+
+#untaint custnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d*)$/;
+my $custnum = $1;
+my $cust_main = qsearchs('cust_main',{'custnum'=>$custnum});
+die "Can't find customer!\n" unless $cust_main;
+
+my $conf = new FS::Conf;
+
+my $error = $cust_main->bill(
+#                          'time'=>$time
+                         );
+
+unless ( $error ) {
+  $error = $cust_main->apply_payments_and_credits
+           || $cust_main->collect(
+                                  #'invoice-time'=>$time,
+                                  #'batch_card'=> 'yes',
+                                  #'batch_card'=> 'no',
+                                  #'report_badcard'=> 'yes',
+                                  #'retry_card' => 'yes',
+
+                                  'retry' => 'yes',
+                                   
+                                  #this is used only by cust_main::batch_card
+                                  #need to pick & create an actual config
+                                  #value if we're going to turn this on
+                                  #("realtime-backend" doesn't exist,
+                                  # "backend-realtime" is for something
+                                  #  entirely different)
+                                  #'realtime' => $conf->exists('realtime-backend'),
+                                 );
+}
+
+</%init>

diff --git a/httemplate/misc/cancel-unaudited.cgi b/httemplate/misc/cancel-unaudited.cgi
index da60dc4..4919c66 100755 (executable)
--- a/httemplate/misc/cancel-unaudited.cgi
+++ b/httemplate/misc/cancel-unaudited.cgi
@@ -1,36 +1,33 @@
-%
-%
-%my $dbh = dbh;
-% 
-%#untaint svcnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/;
-%my $svcnum = $1;
-%
-%#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum});
-%#die "Unknown svcnum!" unless $svc_acct;
-%
-%my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum});
-%die "Unknown svcnum!" unless $cust_svc;
-%my $cust_pkg = $cust_svc->cust_pkg;
-%if ( $cust_pkg ) {
-%  errorpage( 'This account has already been audited.  Cancel the '.
-%           qq!<A HREF="${p}view/cust_main.cgi?!. $cust_pkg->custnum.
-%           '#cust_pkg'. $cust_pkg->pkgnum. '">'.
-%           'package</A> instead.');
-%}
-%
-%my $error = $cust_svc->cancel;
-%
 %if ( $error ) {
-%  
-
-<!-- mason kludge -->
-%
 %  errorpage($error);
 %} else {
-%  print $cgi->redirect(popurl(2));
+<% $cgi->redirect(popurl(2)) %>
 %}
-%
-%
 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unprovision customer service')
+      && $FS::CurrentUser::CurrentUser->access_right('View/link unlinked services');
+
+#untaint svcnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/;
+my $svcnum = $1;
+
+#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum});
+#die "Unknown svcnum!" unless $svc_acct;
+
+my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum});
+die "Unknown svcnum!" unless $cust_svc;
+my $cust_pkg = $cust_svc->cust_pkg;
+if ( $cust_pkg ) {
+  errorpage( 'This account has already been audited.  Cancel the '.
+           qq!<A HREF="${p}view/cust_main.cgi?!. $cust_pkg->custnum.
+           '#cust_pkg'. $cust_pkg->pkgnum. '">'.
+           'package</A> instead.');
+}
+
+my $error = $cust_svc->cancel;
+
+</%init>

diff --git a/httemplate/misc/cancel_cust.html b/httemplate/misc/cancel_cust.html
index 634000d..bb4e190 100644 (file)
--- a/httemplate/misc/cancel_cust.html
+++ b/httemplate/misc/cancel_cust.html
@@ -50,6 +50,8 @@ if ( $cgi->param('error') ) {
 
 $curuser = $FS::CurrentUser::CurrentUser;
 
+die "access denied" unless $curuser->access_right('Cancel customer');
+
 $cust_main = qsearchs( {
   'table'     => 'cust_main',
   'hashref'   => { 'custnum' => $custnum },

diff --git a/httemplate/misc/cancel_pkg.html b/httemplate/misc/cancel_pkg.html
index 7cbaf1d..8dffba7 100755 (executable)
--- a/httemplate/misc/cancel_pkg.html
+++ b/httemplate/misc/cancel_pkg.html
@@ -23,7 +23,7 @@
 % if ($method eq 'expire' || $method eq 'adjourn') {
 <TR>
   <TD><% $submit =~ /^(\w*)\s/ %> package on </TD>
-    <TD><INPUT TYPE="text" NAME="date" ID="expire_date" VALUE="<% $date %>">
+    <TD><INPUT TYPE="text" NAME="date" ID="expire_date" VALUE="<% $date |h %>">
         <IMG SRC="<% $p %>images/calendar.png" ID="expire_button" STYLE="cursor:pointer" TITLE="Select date">
         <BR><I>m/d/y</I>
     </TD>
@@ -42,8 +42,7 @@
 <% include('/elements/tr-select-reason.html',
              'field'          => 'reasonnum',
              'reason_class'   => $class,
-             #XXX these need to be sticky on errors too...
-             #'curr_value'     => '',
+             'curr_value'     => $reasonnum,
              'control_button' => 'document.sc_popup.submit',
           )
 %>
@@ -58,45 +57,53 @@
 </HTML>
 
 <%init>
-my($method, $pkgnum, $reasonnum, $submit, $cust_pkg, $part_pkg,
-   $date, $curuser, $class); 
-$date = time2str("%m/%d/%Y", time);
+
+my $date = time2str("%m/%d/%Y", time);
+
+my($pkgnum, $reasonnum);
 if ( $cgi->param('error') ) {
-  $method        = $cgi->param('method');
-  $pkgnum        = $cgi->param('pkgnum');
-  $reasonnum     = $cgi->param('reasonnum');
-  $date = $cgi->param('date');
+  $pkgnum    = $cgi->param('pkgnum');
+  $reasonnum = $cgi->param('reasonnum');
+  $date      = $cgi->param('date');
 } elsif ( $cgi->param('pkgnum') =~ /^(\d+)$/ ) {
-  $pkgnum  = $1;
+  $pkgnum    = $1;
+  $reasonnum = '';
 } else {
   die "illegal query ". $cgi->keywords;
 }
 
-$method = $cgi->param('method');
+$cgi->param('method') =~ /^(\w+)$/ or die 'illegal method';
+my $method = $1;
+
+my($class, $submit, $right);
 if ($method eq 'cancel') {
-  $class = 'C';
-  $submit    = "Cancel Now";
-}elsif ($method eq 'expire') {
-  $class = 'C';
-  $submit    = "Cancel Later";
-}elsif ($method eq 'suspend') {
-  $class = 'S';
-  $submit    = "Suspend Now";
-}elsif ($method eq 'adjourn') {
-  $class = 'S';
-  $submit    = "Suspend Later";
-}else{
-  die "illegal query ". $cgi->keywords;
+  $class  = 'C';
+  $submit = 'Cancel Now';
+  $right  = 'Cancel customer package immediately';
+} elsif ($method eq 'expire') {
+  $class  = 'C';
+  $submit = 'Cancel Later';
+  $right  = 'Cancel customer package later';
+} elsif ($method eq 'suspend') {
+  $class  = 'S';
+  $submit = 'Suspend Now';
+  $right  = 'Suspend customer package';
+} elsif ($method eq 'adjourn') {
+  $class  = 'S';
+  $submit = "Suspend Later";
+  $right  = 'Suspend customer package later';
+} else {
+  die 'illegal query (unknown method param)';
 }
 
-my $title = ucfirst($method) . ' Package';
+my $curuser = $FS::CurrentUser::CurrentUser;
+die "access denied" unless $curuser->access_right($right);
 
-$cust_pkg = qsearchs('cust_pkg', {'pkgnum' => $pkgnum});
-die "No such package: $pkgnum" unless $cust_pkg;
+my $title = ucfirst($method) . ' Package';
 
-$part_pkg = $cust_pkg->part_pkg;
+my $cust_pkg = qsearchs('cust_pkg', {'pkgnum' => $pkgnum})
+  or die "Unknown pkgnum: $pkgnum";
 
-$curuser = $FS::CurrentUser::CurrentUser;
+my $part_pkg = $cust_pkg->part_pkg;
 
 </%init>
-

diff --git a/httemplate/misc/catchall.cgi b/httemplate/misc/catchall.cgi
index 8881746..2094494 100755 (executable)
--- a/httemplate/misc/catchall.cgi
+++ b/httemplate/misc/catchall.cgi
@@ -1,134 +1,120 @@
-<!-- mason kludge -->
-%
-%
-%my $conf = new FS::Conf;
-%
-%my($svc_domain, $svcnum, $pkgnum, $svcpart, $part_svc);
-%if ( $cgi->param('error') ) {
-%  $svc_domain = new FS::svc_domain ( {
-%    map { $_, scalar($cgi->param($_)) } fields('svc_domain')
-%  } );
-%  $svcnum = $svc_domain->svcnum;
-%  $pkgnum = $cgi->param('pkgnum');
-%  $svcpart = $cgi->param('svcpart');
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%} else {
-%  my($query) = $cgi->keywords;
-%  if ( $query =~ /^(\d+)$/ ) { #editing
-%    $svcnum=$1;
-%    $svc_domain=qsearchs('svc_domain',{'svcnum'=>$svcnum})
-%      or die "Unknown (svc_domain) svcnum!";
-%
-%    my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
-%      or die "Unknown (cust_svc) svcnum!";
-%
-%    $pkgnum=$cust_svc->pkgnum;
-%    $svcpart=$cust_svc->svcpart;
-%  
-%    $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%    die "No part_svc entry!" unless $part_svc;
-%
-%  } else { 
-%
-%    die "Invalid (svc_domain) svcnum!";
-%
-%  }
-%}
-%
-%my %email;
-%if ($pkgnum) {
-%
-%  #find all possible user svcnums (and emails)
-%
-%  #starting with that currently attached
-%  if ($svc_domain->catchall) {
-%    my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall});
-%    $email{$svc_domain->catchall} = $svc_acct->email;
-%  }
-%
-%  #and including the rest for this customer
-%  my($u_part_svc,@u_acct_svcparts);
-%  foreach $u_part_svc ( qsearch('part_svc',{'svcdb'=>'svc_acct'}) ) {
-%    push @u_acct_svcparts,$u_part_svc->getfield('svcpart');
-%  }
-%
-%  my($cust_pkg)=qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
-%  my($custnum)=$cust_pkg->getfield('custnum');
-%  my($i_cust_pkg);
-%  foreach $i_cust_pkg ( qsearch('cust_pkg',{'custnum'=>$custnum}) ) {
-%    my($cust_pkgnum)=$i_cust_pkg->getfield('pkgnum');
-%    my($acct_svcpart);
-%    foreach $acct_svcpart (@u_acct_svcparts) {   #now find the corresponding 
-%                                              #record(s) in cust_svc ( for this
-%                                              #pkgnum ! )
-%      my($i_cust_svc);
-%      foreach $i_cust_svc ( qsearch('cust_svc',{'pkgnum'=>$cust_pkgnum,'svcpart'=>$acct_svcpart}) ) {
-%        my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$i_cust_svc->getfield('svcnum')});
-%        $email{$svc_acct->getfield('svcnum')}=$svc_acct->email;
-%      }  
-%    }
-%  }
-%
-%} else {
-%
-%  my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall});
-%  $email{$svc_domain->catchall} = $svc_acct->email;
-%}
-%
-%# add an absence of a catchall
-%$email{''} = "(none)";
-%
-%my $p1 = popurl(1);
-%print header("Domain Catchall Edit", '');
-%
-%print qq!<FONT SIZE="+1" COLOR="#ff0000">Error: !, $cgi->param('error'),
-%      "</FONT>"
-%  if $cgi->param('error');
-%
-%print qq!<FORM ACTION="${p1}process/catchall.cgi" METHOD=POST>!;
-%
-%#display
-%
-%      #formatting
-%      print "<PRE>";
-%
-%#svcnum
-%print qq!<INPUT TYPE="hidden" NAME="svcnum" VALUE="$svcnum">!;
-%print qq!Service #<FONT SIZE=+1><B>!, $svcnum ? $svcnum : " (NEW)", "</B></FONT>";
-%
-%#pkgnum
-%print qq!<INPUT TYPE="hidden" NAME="pkgnum" VALUE="$pkgnum">!;
-% 
-%#svcpart
-%print qq!<INPUT TYPE="hidden" NAME="svcpart" VALUE="$svcpart">!;
-%
-%my($domain,$catchall)=(
-%  $svc_domain->domain,
-%  $svc_domain->catchall,
-%);
-%
-%print qq!<INPUT TYPE="hidden" NAME="domain" VALUE="$domain">!;
-%
-%#catchall
-%print qq!\n\nMail to <I>(anything)</I>@<B>$domain</B> forwards to <SELECT NAME="catchall" SIZE=1>!;
-%foreach $_ (keys %email) {
-%  print "<OPTION", $_ eq $catchall ? " SELECTED" : "",
-%        qq! VALUE="$_">$email{$_}!;
-%}
-%print "</SELECT>";
-%
-%      #formatting
-%      print "</PRE>\n";
-%
-%print qq!<CENTER><INPUT TYPE="submit" VALUE="Submit"></CENTER>!;
-%
-%print <<END;
-%
-%    </FORM>
-%  </BODY>
-%</HTML>
-%END
-%
-%
+<% include('/elements/header.html', 'Domain Catchall Edit') %>
 
+<% include('/elements/error.html') %>
+
+<FORM ACTION="<%$p1%>process/catchall.cgi" METHOD=POST>
+
+<PRE>
+
+<INPUT TYPE="hidden" NAME="svcnum" VALUE="<% $svcnum |h %>">
+Service #<FONT SIZE=+1><B><% $svcnum ? $svcnum : ' (NEW)' |h %></B></FONT>
+
+<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<% $pkgnum |h %>">
+
+<INPUT TYPE="hidden" NAME="svcpart" VALUE="<% $svcpart %>">
+
+% my $domain   = $svc_domain->domain;
+% my $catchall = $svc_domain->catchall;
+
+<INPUT TYPE="hidden" NAME="domain" VALUE="<% $domain |h %>">
+
+Mail to <I>(anything)</I>@<B><% $domain |h %></B> forwards to <SELECT NAME="catchall" SIZE=1>
+% foreach $_ (keys %email) {
+    <OPTION<% $_ eq $catchall ? ' SELECTED' : '' %> VALUE="<% $_ %>"><% $email{$_} %>
+% }
+</SELECT>
+
+</PRE>
+
+<INPUT TYPE="submit" VALUE="Submit">
+
+</FORM>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit domain catchall');
+
+my $conf = new FS::Conf;
+
+my($svc_domain, $svcnum, $pkgnum, $svcpart, $part_svc);
+if ( $cgi->param('error') ) {
+  $svc_domain = new FS::svc_domain ( {
+    map { $_, scalar($cgi->param($_)) } fields('svc_domain')
+  } );
+  $svcnum = $svc_domain->svcnum;
+  $pkgnum = $cgi->param('pkgnum');
+  $svcpart = $cgi->param('svcpart');
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+} else {
+  my($query) = $cgi->keywords;
+  if ( $query =~ /^(\d+)$/ ) { #editing
+    $svcnum=$1;
+    $svc_domain=qsearchs('svc_domain',{'svcnum'=>$svcnum})
+      or die "Unknown (svc_domain) svcnum!";
+
+    my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
+      or die "Unknown (cust_svc) svcnum!";
+
+    $pkgnum=$cust_svc->pkgnum;
+    $svcpart=$cust_svc->svcpart;
+  
+    $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+    die "No part_svc entry!" unless $part_svc;
+
+  } else { 
+
+    die "Invalid (svc_domain) svcnum!";
+
+  }
+}
+
+my %email;
+if ($pkgnum) {
+
+  #find all possible user svcnums (and emails)
+
+  #starting with that currently attached
+  if ($svc_domain->catchall) {
+    my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall});
+    $email{$svc_domain->catchall} = $svc_acct->email;
+  }
+
+  #and including the rest for this customer
+  my($u_part_svc,@u_acct_svcparts);
+  foreach $u_part_svc ( qsearch('part_svc',{'svcdb'=>'svc_acct'}) ) {
+    push @u_acct_svcparts,$u_part_svc->getfield('svcpart');
+  }
+
+  my($cust_pkg)=qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
+  my($custnum)=$cust_pkg->getfield('custnum');
+  my($i_cust_pkg);
+  foreach $i_cust_pkg ( qsearch('cust_pkg',{'custnum'=>$custnum}) ) {
+    my($cust_pkgnum)=$i_cust_pkg->getfield('pkgnum');
+    my($acct_svcpart);
+    foreach $acct_svcpart (@u_acct_svcparts) {   #now find the corresponding 
+                                              #record(s) in cust_svc ( for this
+                                              #pkgnum ! )
+      my($i_cust_svc);
+      foreach $i_cust_svc ( qsearch('cust_svc',{'pkgnum'=>$cust_pkgnum,'svcpart'=>$acct_svcpart}) ) {
+        my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$i_cust_svc->getfield('svcnum')});
+        $email{$svc_acct->getfield('svcnum')}=$svc_acct->email;
+      }  
+    }
+  }
+
+} else {
+
+  my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall});
+  $email{$svc_domain->catchall} = $svc_acct->email;
+}
+
+# add an absence of a catchall
+$email{''} = "(none)";
+
+my $p1 = popurl(1);
+
+</%init>

diff --git a/httemplate/misc/cdr-import.html b/httemplate/misc/cdr-import.html
index 5e9e269..36b2e4c 100644 (file)
--- a/httemplate/misc/cdr-import.html
+++ b/httemplate/misc/cdr-import.html
@@ -14,3 +14,9 @@ Filename: <INPUT TYPE="file" NAME="csvfile"><BR><BR>
 
 <% include('/elements/footer.html') %>
 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+</%init>

diff --git a/httemplate/misc/cust_main-cancel.cgi b/httemplate/misc/cust_main-cancel.cgi
index 7f6f697..009a7d4 100755 (executable)
--- a/httemplate/misc/cust_main-cancel.cgi
+++ b/httemplate/misc/cust_main-cancel.cgi
@@ -6,6 +6,9 @@
 </HTML>
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Cancel customer');
+
 my $custnum;
 my $ban = '';
 if ( $cgi->param('custnum') =~ /^(\d+)$/ ) {

diff --git a/httemplate/misc/cust_main-import.cgi b/httemplate/misc/cust_main-import.cgi
index b710ca8..84da386 100644 (file)
--- a/httemplate/misc/cust_main-import.cgi
+++ b/httemplate/misc/cust_main-import.cgi
@@ -97,5 +97,13 @@ advertising source table.
 <% include('/elements/footer.html') %>
 
 <%once>
+
 my $req = qq!<font color="#ff0000">*</font>!;
+
 </%once>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+</%init>

diff --git a/httemplate/misc/cust_main-import_charges.cgi b/httemplate/misc/cust_main-import_charges.cgi
index cd4441e..3801929 100644 (file)
--- a/httemplate/misc/cust_main-import_charges.cgi
+++ b/httemplate/misc/cust_main-import_charges.cgi
@@ -1,14 +1,22 @@
-<!-- mason kludge -->
-<% include("/elements/header.html",'Batch Customer Charge') %>
+<% include('/elements/header.html', 'Batch Customer Charge') %>
+
 <FORM ACTION="process/cust_main-import_charges.cgi" METHOD="post" ENCTYPE="multipart/form-data">
+
 Import a CSV file containing customer charges.<BR><BR>
 Default file format is CSV, with the following field order: <i>custnum, amount, description</i><BR><BR>
 If <i>amount</i> is negative, a credit will be applied instead.<BR><BR>
 <BR><BR>
 
-    CSV Filename: <INPUT TYPE="file" NAME="csvfile"><BR><BR>
-    <INPUT TYPE="submit" VALUE="Import">
-    </FORM>
-  </BODY>
-<HTML>
+CSV Filename: <INPUT TYPE="file" NAME="csvfile"><BR><BR>
+<INPUT TYPE="submit" VALUE="Import">
+
+</FORM>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
 
+</%init>

diff --git a/httemplate/misc/delete-cust_credit.cgi b/httemplate/misc/delete-cust_credit.cgi
index 78df249..03eb472 100755 (executable)
--- a/httemplate/misc/delete-cust_credit.cgi
+++ b/httemplate/misc/delete-cust_credit.cgi
@@ -1,17 +1,21 @@
-%
-%
-%#untaint crednum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal crednum";
-%my $crednum = $1;
-%
-%my $cust_credit = qsearchs('cust_credit',{'crednum'=>$crednum});
-%my $custnum = $cust_credit->custnum;
-%
-%my $error = $cust_credit->delete;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+% }
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Delete credit');
+
+#untaint crednum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal crednum";
+my $crednum = $1;
+
+my $cust_credit = qsearchs('cust_credit',{'crednum'=>$crednum});
+my $custnum = $cust_credit->custnum;
+
+my $error = $cust_credit->delete;
+
+</%init>

diff --git a/httemplate/misc/delete-cust_pay.cgi b/httemplate/misc/delete-cust_pay.cgi
index a0fa414..38e7e4b 100755 (executable)
--- a/httemplate/misc/delete-cust_pay.cgi
+++ b/httemplate/misc/delete-cust_pay.cgi
@@ -1,17 +1,21 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum});
-%my $custnum = $cust_pay->custnum;
-%
-%my $error = $cust_pay->delete;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+% }
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Delete payment');
+
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
+
+my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum});
+my $custnum = $cust_pay->custnum;
+
+my $error = $cust_pay->delete;
+
+</%init>

diff --git a/httemplate/misc/delete-cust_refund.cgi b/httemplate/misc/delete-cust_refund.cgi
index f3ac589..983a79d 100755 (executable)
--- a/httemplate/misc/delete-cust_refund.cgi
+++ b/httemplate/misc/delete-cust_refund.cgi
@@ -1,17 +1,21 @@
-%
-%
-%#untaint refundnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal refundnum";
-%my $refundnum = $1;
-%
-%my $cust_refund = qsearchs('cust_refund',{'refundnum'=>$refundnum});
-%my $custnum = $cust_refund->custnum;
-%
-%my $error = $cust_refund->delete;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+% }
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Delete refund');
+
+#untaint refundnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal refundnum";
+my $refundnum = $1;
+
+my $cust_refund = qsearchs('cust_refund',{'refundnum'=>$refundnum});
+my $custnum = $cust_refund->custnum;
+
+my $error = $cust_refund->delete;
+
+</%init>

diff --git a/httemplate/misc/delete-customer.cgi b/httemplate/misc/delete-customer.cgi
index 378f69e..17b7bda 100755 (executable)
--- a/httemplate/misc/delete-customer.cgi
+++ b/httemplate/misc/delete-customer.cgi
@@ -1,48 +1,26 @@
-<!-- mason kludge -->
-%
-%
-%my $conf = new FS::Conf;
-%die "Customer deletions not enabled" unless $conf->exists('deletecustomers');
-%
-%my($custnum, $new_custnum);
-%if ( $cgi->param('error') ) {
-%  $custnum = $cgi->param('custnum');
-%  $new_custnum = $cgi->param('new_custnum');
-%} else {
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/ or die "Illegal query: $query";
-%  $custnum = $1;
-%  $new_custnum = '';
-%}
-%my $cust_main = qsearchs( 'cust_main', { 'custnum' => $custnum } )
-%  or die "Customer not found: $custnum";
-%
-%print header('Delete customer');
-%
-%print qq!<FONT SIZE="+1" COLOR="#ff0000">Error: !, $cgi->param('error'),
-%      "</FONT>"
-%  if $cgi->param('error');
-%
-%print 
-%  qq!<form action="!, popurl(1), qq!process/delete-customer.cgi" method=post>!,
-%  qq!<input type="hidden" name="custnum" value="$custnum">!;
-%
+<% include('/elements/header.html', 'Delete customer') %>
+
+<% include('/elements/error.html') %>
+
+<FORM ACTION="<% popurl(1) %>process/delete-customer.cgi" METHOD=POST>
+<INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum |h %>">
+
 %if ( qsearch('cust_pkg', { 'custnum' => $custnum, 'cancel' => '' } ) ) {
-%  print "Move uncancelled packages to customer number ",
-%        qq!<input type="text" name="new_custnum" value="$new_custnum"><br><br>!;
+  Move uncancelled packages to customer number 
+  <INPUT TYPE="text" NAME="new_custnum" VALUE="<% $new_custnum |h %>"><BR><BR>
 %}
-%
-%print <<END;
-%This will <b>completely remove</b> all traces of this customer record.  This
-%is <B>not</B> what you want if this is a real customer who has simply
-%canceled service with you.  For that, cancel all of the customer's packages.
-%(you can optionally hide cancelled customers with the <a href="../config/config-view.cgi#hidecancelledcustomers">hidecancelledcustomers</a> configuration option)
-%<br>
-%<br>Are you <b>absolutely sure</b> you want to delete this customer?
-%<br><input type="submit" value="Yes">
-%</form></body></html>
-%END
-%
+
+This will <B>completely remove</B> all traces of this customer record.  This
+is <B>not</B> what you want if this is a real customer who has simply
+canceled service with you.  For that, cancel all of the customer's packages.
+(you can optionally hide cancelled customers with the <A HREF="../config/config-view.cgi#hidecancelledcustomers">hidecancelledcustomers</A> configuration option)
+<BR>
+<BR>Are you <B>absolutely sure</B> you want to delete this customer?
+<BR><INPUT TYPE="submit" VALUE="Yes">
+</FORM>
+
+<% include('/elements/footer.html') %>
+
 %#Deleting a customer you have financial records on (i.e. credits) is
 %#typically considered fraudulant bookkeeping.  Remember, deleting   
 %#customers should ONLY be used for completely bogus records.  You should
@@ -56,6 +34,31 @@
 %#Also see the "hidecancelledcustomers" and "hidecancelledpackages"
 %#configuration options, which will allow you to surpress the display of
 %#cancelled customers and packages, respectively.
-%
-%
 
+<%init>
+
+my $conf = new FS::Conf;
+die "Customer deletions not enabled in configuration"
+  unless $conf->exists('deletecustomers');
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Delete customer');
+
+my($custnum, $new_custnum);
+if ( $cgi->param('error') ) {
+  $custnum = $cgi->param('custnum');
+  $new_custnum = $cgi->param('new_custnum');
+} else {
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/ or die "Illegal query: $query";
+  $custnum = $1;
+  $new_custnum = '';
+}
+my $cust_main = qsearchs( {
+  'table'     => 'cust_main',
+  'hashref'   => { 'custnum' => $custnum },
+  'extra_sql' => ' AND '. $FS::CurrentUser::CurrentUser->agentnums_sql,
+} )
+  or die 'Unknown custnum';
+
+<%/init>

diff --git a/httemplate/misc/delete-domain_record.cgi b/httemplate/misc/delete-domain_record.cgi
index 83e75ce..08eedde 100755 (executable)
--- a/httemplate/misc/delete-domain_record.cgi
+++ b/httemplate/misc/delete-domain_record.cgi
@@ -1,16 +1,20 @@
-%
-%
-%#untaint recnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal recnum";
-%my $recnum = $1;
-%
-%my $domain_record = qsearchs('domain_record',{'recnum'=>$recnum});
-%
-%my $error = $domain_record->delete;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/svc_domain.cgi?". $domain_record->svcnum);
-%
-%
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+<% $cgi->redirect($p. "view/svc_domain.cgi?". $domain_record->svcnum) %>
+% }
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit domain nameservice');
+
+#untaint recnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal recnum";
+my $recnum = $1;
+
+my $domain_record = qsearchs('domain_record',{'recnum'=>$recnum});
+
+my $error = $domain_record->delete;
+
+</%init>

diff --git a/httemplate/misc/delete-part_export.cgi b/httemplate/misc/delete-part_export.cgi
index 5f2ebb9..52404e0 100755 (executable)
--- a/httemplate/misc/delete-part_export.cgi
+++ b/httemplate/misc/delete-part_export.cgi
@@ -1,16 +1,20 @@
-%
-%
-%#untaint exportnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal exportnum";
-%my $exportnum = $1;
-%
-%my $part_export = qsearchs('part_export',{'exportnum'=>$exportnum});
-%
-%my $error = $part_export->delete;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "browse/part_export.cgi");
-%
-%
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+<% $cgi->redirect($p. "browse/part_export.cgi") %>
+% }
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+#untaint exportnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal exportnum";
+my $exportnum = $1;
+
+my $part_export = qsearchs('part_export',{'exportnum'=>$exportnum});
+
+my $error = $part_export->delete;
+
+</%init>

diff --git a/httemplate/misc/dump.cgi b/httemplate/misc/dump.cgi
index 486b665..3b60b20 100644 (file)
--- a/httemplate/misc/dump.cgi
+++ b/httemplate/misc/dump.cgi
@@ -1,3 +1,5 @@
+%  die "access denied"
+%    unless $FS::CurrentUser::CurrentUser->access_right('Export');
 %
 %  if ( driver_name =~ /^Pg$/ ) {
 %    my $dbname = (split(':', datasrc))[2];
@@ -16,5 +18,3 @@
 %    print $_;
 %  }
 %  close DUMP;
-%
-

diff --git a/httemplate/misc/email-invoice.cgi b/httemplate/misc/email-invoice.cgi
index 8a3dd90..269722f 100755 (executable)
--- a/httemplate/misc/email-invoice.cgi
+++ b/httemplate/misc/email-invoice.cgi
@@ -1,18 +1,19 @@
-%
-%
-%#untaint invnum
-%my($query) = $cgi->keywords;
-%$query =~ /^((.+)-)?(\d+)$/;
-%my $template = $2;
-%my $invnum = $3;
-%my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
-%die "Can't find invoice!\n" unless $cust_bill;
-%
-%$cust_bill->email($template); 
-%
-%my $custnum = $cust_bill->getfield('custnum');
-%
-%print $cgi->redirect("${p}view/cust_main.cgi?$custnum");
-%
-%
+<% $cgi->redirect("${p}view/cust_main.cgi?$custnum") %>
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+#untaint invnum
+my($query) = $cgi->keywords;
+$query =~ /^((.+)-)?(\d+)$/;
+my $template = $2;
+my $invnum = $3;
+my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
+die "Can't find invoice!\n" unless $cust_bill;
+
+$cust_bill->email($template); 
+
+my $custnum = $cust_bill->getfield('custnum');
+
+</%init>

diff --git a/httemplate/misc/email_invoice_events.cgi b/httemplate/misc/email_invoice_events.cgi
index ba6e72c..d65fe17 100644 (file)
--- a/httemplate/misc/email_invoice_events.cgi
+++ b/httemplate/misc/email_invoice_events.cgi
@@ -1,4 +1,9 @@
-%
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reemail', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reemail', $cgi;
+
+</%init>

diff --git a/httemplate/misc/email_invoices.cgi b/httemplate/misc/email_invoices.cgi
index 6c2103f..78ca0f6 100644 (file)
--- a/httemplate/misc/email_invoices.cgi
+++ b/httemplate/misc/email_invoices.cgi
@@ -1,4 +1,9 @@
-%
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reemail', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reemail', $cgi;
+
+</%init>

diff --git a/httemplate/misc/fax-invoice.cgi b/httemplate/misc/fax-invoice.cgi
index 1ddc23e..e2e6db0 100755 (executable)
--- a/httemplate/misc/fax-invoice.cgi
+++ b/httemplate/misc/fax-invoice.cgi
@@ -1,18 +1,19 @@
-%
-%
-%#untaint invnum
-%my($query) = $cgi->keywords;
-%$query =~ /^((.+)-)?(\d+)$/;
-%my $template = $2;
-%my $invnum = $3;
-%my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
-%die "Can't find invoice!\n" unless $cust_bill;
-%
-%$cust_bill->fax($template);
-%
-%my $custnum = $cust_bill->getfield('custnum');
-%
-%print $cgi->redirect("${p}view/cust_main.cgi?$custnum");
-%
-%
+<% $cgi->redirect("${p}view/cust_main.cgi?$custnum") %>
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+#untaint invnum
+my($query) = $cgi->keywords;
+$query =~ /^((.+)-)?(\d+)$/;
+my $template = $2;
+my $invnum = $3;
+my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
+die "Can't find invoice!\n" unless $cust_bill;
+
+$cust_bill->fax($template);
+
+my $custnum = $cust_bill->getfield('custnum');
+
+</%init>

diff --git a/httemplate/misc/fax_invoice_events.cgi b/httemplate/misc/fax_invoice_events.cgi
index deb78d4..05420ee 100644 (file)
--- a/httemplate/misc/fax_invoice_events.cgi
+++ b/httemplate/misc/fax_invoice_events.cgi
@@ -1,4 +1,9 @@
-% 
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_refax', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_refax', $cgi;
+
+</%init>

diff --git a/httemplate/misc/fax_invoices.cgi b/httemplate/misc/fax_invoices.cgi
index 4bdac97..a843523 100644 (file)
--- a/httemplate/misc/fax_invoices.cgi
+++ b/httemplate/misc/fax_invoices.cgi
@@ -1,4 +1,9 @@
-% 
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_refax', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_refax', $cgi;
+
+</%init>

diff --git a/httemplate/misc/inventory_item-import.html b/httemplate/misc/inventory_item-import.html
index 3636238..423d0d6 100644 (file)
--- a/httemplate/misc/inventory_item-import.html
+++ b/httemplate/misc/inventory_item-import.html
@@ -1,11 +1,3 @@
-%
-%
-%my $classnum = $cgi->param('classnum');
-%$classnum =~ /^(\d+)$/ or errorpage("illegal classnum $classnum");
-%$classnum = $1;
-%my $inventory_class = qsearchs('inventory_class', { 'classnum' => $classnum } );
-%
-%
 <% include("/elements/header.html", $inventory_class->classname. 's') %>
 
 <FORM ACTION="process/inventory_item-import.html" METHOD="POST" ENCTYPE="multipart/form-data">
@@ -19,3 +11,13 @@ Filename: <INPUT TYPE="file" NAME="filename"><BR><BR>
 
 <% include('/elements/footer.html') %>
 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+$cgi->param =~ /^(\d+)$/ or errorpage("illegal classnum $classnum");
+my $classnum = $1;
+my $inventory_class = qsearchs('inventory_class', { 'classnum' => $classnum } );
+
+</%init>

diff --git a/httemplate/misc/link.cgi b/httemplate/misc/link.cgi
index ef72b4a..748eaa1 100755 (executable)
--- a/httemplate/misc/link.cgi
+++ b/httemplate/misc/link.cgi
@@ -1,31 +1,5 @@
-%my %link_field = (
-%  'svc_acct'    => 'username',
-%  'svc_domain'  => 'domain',
-%);
-%
-%my %link_field2 = (
-%  'svc_acct'    => { label => 'Domain',
-%                     field => 'domsvc',
-%                     type  => 'select',
-%                     select_table => 'svc_domain',
-%                     select_key   => 'svcnum',
-%                     select_label => 'domain'
-%                   },
-%);
-%
-%$cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
-%my $pkgnum = $1;
-%$cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
-%my $svcpart = $1;
-%
-%my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart});
-%my $svc = $part_svc->getfield('svc');
-%my $svcdb = $part_svc->getfield('svcdb');
-%my $link_field = $link_field{$svcdb};
-%my $link_field2 = $link_field2{$svcdb};
-%
-
 <% include("/elements/header.html","Link to existing $svc") %>
+
 <FORM ACTION="<% popurl(1) %>process/link.cgi" METHOD=POST>
 % if ( $link_field ) { 
 
@@ -72,6 +46,39 @@
 <INPUT TYPE="hidden" NAME="pkgnum" VALUE="<% $pkgnum %>">
 <INPUT TYPE="hidden" NAME="svcpart" VALUE="<% $svcpart %>">
 <BR><INPUT TYPE="submit" VALUE="Link">
-    </FORM>
-  </BODY>
-</HTML>
+</FORM>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('View/link unlinked services');
+
+my %link_field = (
+  'svc_acct'    => 'username',
+  'svc_domain'  => 'domain',
+);
+
+my %link_field2 = (
+  'svc_acct'    => { label => 'Domain',
+                     field => 'domsvc',
+                     type  => 'select',
+                     select_table => 'svc_domain',
+                     select_key   => 'svcnum',
+                     select_label => 'domain'
+                   },
+);
+
+$cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
+my $pkgnum = $1;
+$cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
+my $svcpart = $1;
+
+my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart});
+my $svc = $part_svc->getfield('svc');
+my $svcdb = $part_svc->getfield('svcdb');
+my $link_field = $link_field{$svcdb};
+my $link_field2 = $link_field2{$svcdb};
+
+</%init>

diff --git a/httemplate/misc/meta-import.cgi b/httemplate/misc/meta-import.cgi
index fc249a2..5b3470c 100644 (file)
--- a/httemplate/misc/meta-import.cgi
+++ b/httemplate/misc/meta-import.cgi
@@ -1,5 +1,5 @@
-<!-- mason kludge -->
-<% include("/elements/header.html",'Import') %>
+<% include('/elements/header.html', 'Import') %>
+
 <FORM ACTION="process/meta-import.cgi" METHOD="post" ENCTYPE="multipart/form-data">
 Import data from a DBI data source<BR><BR>
 %
@@ -68,6 +68,12 @@ Import data from a DBI data source<BR><BR>
   <INPUT TYPE="submit" VALUE="Import">
 
   </FORM>
-  </BODY>
-<HTML>
 
+<% include('/elements/footer.html') %>
+
+<%init>
+
+#there's no ACL for this...  haven't used in ages
+die 'meta-import not enabled; remove this if you want to use it';
+
+</%init>

diff --git a/httemplate/misc/payment.cgi b/httemplate/misc/payment.cgi
index ce9a48b..f99f2f0 100644 (file)
--- a/httemplate/misc/payment.cgi
+++ b/httemplate/misc/payment.cgi
@@ -217,6 +217,9 @@ function OLiframeContent(src, width, height, name) {
 <% include('/elements/footer.html') %>
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Process payment');
+
 my %type = ( 'CARD' => 'credit card',
              'CHEK' => 'electronic check (ACH)',
            );

diff --git a/httemplate/misc/print-invoice.cgi b/httemplate/misc/print-invoice.cgi
index 511bdce..aeef687 100755 (executable)
--- a/httemplate/misc/print-invoice.cgi
+++ b/httemplate/misc/print-invoice.cgi
@@ -1,18 +1,19 @@
-%
-%
-%#untaint invnum
-%my($query) = $cgi->keywords;
-%$query =~ /^((.+)-)?(\d+)$/;
-%my $template = $2;
-%my $invnum = $3;
-%my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
-%die "Can't find invoice!\n" unless $cust_bill;
-%
-%$cust_bill->print($template);
-%
-%my $custnum = $cust_bill->getfield('custnum');
-%
-%print $cgi->redirect("${p}view/cust_main.cgi?$custnum");
-%
-%
+<% $cgi->redirect("${p}view/cust_main.cgi?$custnum") %>
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+#untaint invnum
+my($query) = $cgi->keywords;
+$query =~ /^((.+)-)?(\d+)$/;
+my $template = $2;
+my $invnum = $3;
+my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
+die "Can't find invoice!\n" unless $cust_bill;
+
+$cust_bill->print($template);
+
+my $custnum = $cust_bill->getfield('custnum');
+
+</%init>

diff --git a/httemplate/misc/print_invoice_events.cgi b/httemplate/misc/print_invoice_events.cgi
index 913e268..c974d5f 100644 (file)
--- a/httemplate/misc/print_invoice_events.cgi
+++ b/httemplate/misc/print_invoice_events.cgi
@@ -1,4 +1,9 @@
-%
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reprint', $cgi; 
-
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reprint', $cgi; 
+
+</%init>

diff --git a/httemplate/misc/print_invoices.cgi b/httemplate/misc/print_invoices.cgi
index 826a081..f859f6d 100644 (file)
--- a/httemplate/misc/print_invoices.cgi
+++ b/httemplate/misc/print_invoices.cgi
@@ -1,4 +1,9 @@
-% 
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reprint', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reprint', $cgi;
+
+</%init>

diff --git a/httemplate/misc/process/batch-cust_pay.cgi b/httemplate/misc/process/batch-cust_pay.cgi
index e4d1bbf..058a225 100644 (file)
--- a/httemplate/misc/process/batch-cust_pay.cgi
+++ b/httemplate/misc/process/batch-cust_pay.cgi
@@ -1,3 +1,5 @@
+%  die "access denied"
+%    unless $FS::CurrentUser::CurrentUser->access_right('Post payment batch');
 %
 %  my $param = $cgi->Vars;
 %

diff --git a/httemplate/misc/process/cancel_pkg.html b/httemplate/misc/process/cancel_pkg.html
index 805d1a7..d265c18 100755 (executable)
--- a/httemplate/misc/process/cancel_pkg.html
+++ b/httemplate/misc/process/cancel_pkg.html
@@ -12,29 +12,39 @@ my %past = ( 'cancel'  => 'cancelled',
              'adjourn' => 'adjourned',
            );
 
+#i'm sure this is false laziness with somewhere, at least w/misc/cancel_pkg.html
+my %right = ( 'cancel'  => 'Cancel customer package immediately',
+              'expire'  => 'Cancel customer package later',
+              'suspend' => 'Suspend customer package',
+              'adjourn' => 'Suspend customer package later',
+            );
+
 </%once>
 <%init>
 
 #untaint method
 my $method = $cgi->param('method');
-$method =~ /^(cancel|expire|suspend|adjourn)$/ || die "Illegal method";
+$method =~ /^(cancel|expire|suspend|adjourn)$/ or die "Illegal method";
 $method = $1;
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right($right{$method});
+
 #untaint pkgnum
 my $pkgnum = $cgi->param('pkgnum');
-$pkgnum =~ /^(\d+)$/ || die "Illegal pkgnum";
+$pkgnum =~ /^(\d+)$/ or die "Illegal pkgnum";
 $pkgnum = $1;
 
 #untaint reasonnum
 my $reasonnum = $cgi->param('reasonnum');
-$reasonnum =~ /^(-?\d+)$/ || die "Illegal reasonnum";
+$reasonnum =~ /^(-?\d+)$/ or die "Illegal reasonnum";
 $reasonnum = $1;
 
 my $date = time;
 if ($method eq 'expire' || $method eq 'adjourn'){
   #untaint date
   $date = $cgi->param('date');
-  str2time($cgi->param('date')) =~ /^(\d+)$/ || die "Illegal date";
+  str2time($cgi->param('date')) =~ /^(\d+)$/ or die "Illegal date";
   $date = $1;
 }
 

diff --git a/httemplate/misc/process/catchall.cgi b/httemplate/misc/process/catchall.cgi
index f2899c7..0dda2ea 100755 (executable)
--- a/httemplate/misc/process/catchall.cgi
+++ b/httemplate/misc/process/catchall.cgi
@@ -1,34 +1,35 @@
-%
-%
-%$FS::svc_domain::whois_hack=1;
-%
-%$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
-%my $svcnum =$1;
-%
-%my $old = qsearchs('svc_domain',{'svcnum'=>$svcnum}) if $svcnum;
-%
-%my $new = new FS::svc_domain ( {
-%  map {
-%    ($_, scalar($cgi->param($_)));
-%  } ( fields('svc_domain'), qw( pkgnum svcpart ) )
-%} );
-%
-%$new->setfield('action' => 'M');
-%
-%my $error;
-%if ( $svcnum ) {
-%  $error = $new->replace($old);
-%} else {
-%  $error = $new->insert;
-%  $svcnum = $new->getfield('svcnum');
-%} 
-%
 %if ($error) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "catchall.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "catchall.cgi?". $cgi->query_string ) %>
 %} else {
-%  print $cgi->redirect(popurl(3). "view/svc_domain.cgi?$svcnum");
+<% $cgi->redirect(popurl(3). "view/svc_domain.cgi?$svcnum") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit domain catchall');
+
+$FS::svc_domain::whois_hack=1;
+
+$cgi->param('svcnum') =~ /^(\d*)$/ or die "Illegal svcnum!";
+my $svcnum =$1;
+
+my $old = qsearchs('svc_domain',{'svcnum'=>$svcnum}) if $svcnum;
+
+my $new = new FS::svc_domain ( {
+  map {
+    ($_, scalar($cgi->param($_)));
+  } ( fields('svc_domain'), qw( pkgnum svcpart ) )
+} );
+
+$new->setfield('action' => 'M');
+
+my $error;
+if ( $svcnum ) {
+  $error = $new->replace($old);
+} else {
+  $error = $new->insert;
+  $svcnum = $new->getfield('svcnum');
+} 
 
+</%init>

diff --git a/httemplate/misc/process/cdr-import.html b/httemplate/misc/process/cdr-import.html
index 93137c3..4848fa3 100644 (file)
--- a/httemplate/misc/process/cdr-import.html
+++ b/httemplate/misc/process/cdr-import.html
@@ -1,30 +1,22 @@
-%
-%
-%  my $fh = $cgi->upload('csvfile');
-%
-%  my $error = defined($fh)
-%    ? FS::cdr::batch_import( {
-%        'filehandle' => $fh,
-%        'format'     => $cgi->param('format'),
-%      } )
-%    : 'No file';
-%
-%  if ( $error ) {
-%    
-
-    <!-- mason kludge -->
-%
-% errorpage($error);
-%#    $cgi->param('error', $error);
-%#    print $cgi->redirect( "${p}cust_main-import.cgi
-%  } else {
-%    
-
-    <!-- mason kludge -->
+% if ( $error ) {
+%   errorpage($error);
+% } else {
     <% include("/elements/header.html",'Import successful') %>
     <!-- XXX redirect to batch search like the payment entry... -->
     <% include("/elements/footer.html",'Import successful') %> 
-%
-%  }
-%
+% }
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+my $fh = $cgi->upload('csvfile');
+
+my $error = defined($fh)
+  ? FS::cdr::batch_import( {
+      'filehandle' => $fh,
+      'format'     => $cgi->param('format'),
+    } )
+  : 'No file';
 
+</%init>

diff --git a/httemplate/misc/process/cust_main-import.cgi b/httemplate/misc/process/cust_main-import.cgi
index c8d1b6c..aa8cd52 100644 (file)
--- a/httemplate/misc/process/cust_main-import.cgi
+++ b/httemplate/misc/process/cust_main-import.cgi
@@ -1,35 +1,28 @@
-%
-%
-%  my $fh = $cgi->upload('csvfile');
-%  #warn $cgi;
-%  #warn $fh;
-%
-%  my $error = defined($fh)
-%    ? FS::cust_main::batch_import( {
-%        filehandle => $fh,
-%        agentnum   => scalar($cgi->param('agentnum')),
-%        refnum     => scalar($cgi->param('refnum')),
-%        pkgpart    => scalar($cgi->param('pkgpart')),
-%        #'fields'    => [qw( cust_pkg.setup dayphone first last address1 address2
-%        #                   city state zip comments                          )],
-%        'format'   => scalar($cgi->param('format')),
-%      } )
-%    : 'No file';
-%
-%  if ( $error ) {
-%    
-
-    <!-- mason kludge -->
-%
-% errorpage($error);
-%#    $cgi->param('error', $error);
-%#    print $cgi->redirect( "${p}cust_main-import.cgi
+% if ( $error ) {
+%   errorpage($error);
 %  } else {
-%    
-
-    <!-- mason kludge -->
-    <% include("/elements/header.html",'Import successful') %> 
-%
+    <% include('/elements/header.html','Import successful') %> 
+    <% include('/elements/footer.html') %> 
 %  }
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+my $fh = $cgi->upload('csvfile');
+#warn $cgi;
+#warn $fh;
+
+my $error = defined($fh)
+  ? FS::cust_main::batch_import( {
+      filehandle => $fh,
+      agentnum   => scalar($cgi->param('agentnum')),
+      refnum     => scalar($cgi->param('refnum')),
+      pkgpart    => scalar($cgi->param('pkgpart')),
+      #'fields'    => [qw( cust_pkg.setup dayphone first last address1 address2
+      #                   city state zip comments                          )],
+      'format'   => scalar($cgi->param('format')),
+    } )
+  : 'No file';
 
+</%init>

diff --git a/httemplate/misc/process/cust_main-import_charges.cgi b/httemplate/misc/process/cust_main-import_charges.cgi
index 1a29bf6..3ca6894 100644 (file)
--- a/httemplate/misc/process/cust_main-import_charges.cgi
+++ b/httemplate/misc/process/cust_main-import_charges.cgi
@@ -1,30 +1,23 @@
-%
-%
-%  my $fh = $cgi->upload('csvfile');
-%  #warn $cgi;
-%  #warn $fh;
-%
-%  my $error = defined($fh)
-%    ? FS::cust_main::batch_charge( {
-%        filehandle => $fh,
-%        'fields'    => [qw( custnum amount pkg )],
-%      } )
-%    : 'No file';
-%
-%  if ( $error ) {
-%    
-
-    <!-- mason kludge -->
-%
-% errorpage($error);
-%#    $cgi->param('error', $error);
-%#    print $cgi->redirect( "${p}cust_main-import_charges.cgi
+% if ( $error ) {
+%   errorpage($error);
 %  } else {
-%    
-
-    <!-- mason kludge -->
-    <% include("/elements/header.html",'Import successful') %> 
-%
+     <% include('/elements/header.html','Import successful') %> 
+     <% include('/elements/footer.html') %> 
 %  }
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+my $fh = $cgi->upload('csvfile');
+#warn $cgi;
+#warn $fh;
+
+my $error = defined($fh)
+  ? FS::cust_main::batch_charge( {
+      filehandle => $fh,
+      'fields'    => [qw( custnum amount pkg )],
+    } )
+  : 'No file';
 
+</%init>

diff --git a/httemplate/misc/process/delete-customer.cgi b/httemplate/misc/process/delete-customer.cgi
index d0d237e..d509a5e 100755 (executable)
--- a/httemplate/misc/process/delete-customer.cgi
+++ b/httemplate/misc/process/delete-customer.cgi
@@ -1,30 +1,33 @@
-%
-%
-%my $conf = new FS::Conf;
-%die "Customer deletions not enabled" unless $conf->exists('deletecustomers');
-%
-%$cgi->param('custnum') =~ /^(\d+)$/;
-%my $custnum = $1;
-%my $new_custnum;
-%if ( $cgi->param('new_custnum') ) {
-%  $cgi->param('new_custnum') =~ /^(\d+)$/
-%    or die "Illegal new customer number: ". $cgi->param('new_custnum');
-%  $new_custnum = $1;
-%} else {
-%  $new_custnum = '';
-%}
-%my $cust_main = qsearchs( 'cust_main', { 'custnum' => $custnum } )
-%  or die "Customer not found: $custnum";
-%
-%my $error = $cust_main->delete($new_custnum);
-%
 %if ( $error ) {
 %  $cgi->param('error', $error);
-%  print $cgi->redirect(popurl(2). "delete-customer.cgi?". $cgi->query_string );
+<% $cgi->redirect(popurl(2). "delete-customer.cgi?". $cgi->query_string ) %>
 %} elsif ( $new_custnum ) {
-%  print $cgi->redirect(popurl(3). "view/cust_main.cgi?$new_custnum");
+<% $cgi->redirect(popurl(3). "view/cust_main.cgi?$new_custnum") %>
 %} else {
-%  print $cgi->redirect(popurl(3));
+<% $cgi->redirect(popurl(3)) %>
 %}
-%
+<%init>
+
+my $conf = new FS::Conf;
+die "Customer deletions not enabled in configuration"
+  unless $conf->exists('deletecustomers');
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Delete customer');
+
+$cgi->param('custnum') =~ /^(\d+)$/;
+my $custnum = $1;
+my $new_custnum;
+if ( $cgi->param('new_custnum') ) {
+  $cgi->param('new_custnum') =~ /^(\d+)$/
+    or die "Illegal new customer number: ". $cgi->param('new_custnum');
+  $new_custnum = $1;
+} else {
+  $new_custnum = '';
+}
+my $cust_main = qsearchs( 'cust_main', { 'custnum' => $custnum } )
+  or die "Customer not found: $custnum";
+
+my $error = $cust_main->delete($new_custnum);
 
+</%init>

diff --git a/httemplate/misc/process/inventory_item-import.html b/httemplate/misc/process/inventory_item-import.html
index 5133752..3aae202 100644 (file)
--- a/httemplate/misc/process/inventory_item-import.html
+++ b/httemplate/misc/process/inventory_item-import.html
@@ -1,31 +1,22 @@
-%
-%
-%  my $fh = $cgi->upload('filename');
-%
-%  my $error = defined($fh)
-%    ? FS::inventory_item::batch_import( {
-%        'filehandle' => $fh,
-%        'classnum'   => $cgi->param('classnum'),
-%      } )
-%    : 'No file';
-%
-%  if ( $error ) {
-%    
-
-    <!-- mason kludge -->
-%
-% errorpage($error);
-%#    $cgi->param('error', $error);
-%#    print $cgi->redirect( "${p}cust_main-import.cgi
-%  } else {
-%    
-
-    <!-- mason kludge -->
+% if ( $error ) {
+%   errorpage($error);
+% } else {
     <% include("/elements/header.html",'Import successful') %>
     <!-- XXX redirect to batch search like the payment entry... -->
     <% include("/elements/footer.html",'Import successful') %> 
-%
 %  }
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+my $fh = $cgi->upload('filename');
 
+my $error = defined($fh)
+  ? FS::inventory_item::batch_import( {
+      'filehandle' => $fh,
+      'classnum'   => $cgi->param('classnum'),
+    } )
+  : 'No file';
 
+</%init>

diff --git a/httemplate/misc/process/link.cgi b/httemplate/misc/process/link.cgi
index 66f4ee1..9603267 100755 (executable)
--- a/httemplate/misc/process/link.cgi
+++ b/httemplate/misc/process/link.cgi
@@ -1,76 +1,72 @@
-%
-%
-%my $DEBUG = 0;
-%
-%$cgi->param('pkgnum') =~ /^(\d+)$/;
-%my $pkgnum = $1;
-%$cgi->param('svcpart') =~ /^(\d+)$/;
-%my $svcpart = $1;
-%$cgi->param('svcnum') =~ /^(\d*)$/;
-%my $svcnum = $1;
-%
-%unless ( $svcnum ) {
-%  my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  my $svcdb = $part_svc->getfield('svcdb');
-%  $cgi->param('link_field') =~ /^(\w+)$/;
-%  my $link_field = $1;
-%  my %search = ( $link_field => $cgi->param('link_value') );
-%  if ( $cgi->param('link_field2') =~ /^(\w+)$/ ) {
-%    $search{$1} = $cgi->param('link_value2');
-%  }
-%
-%  my @svc_x = ( sort { ($a->cust_svc->pkgnum > 0) <=> ($b->cust_svc->pkgnum > 0)
-%                       or ($b->cust_svc->svcpart == $svcpart)
-%                            <=> ($a->cust_svc->svcpart == $svcpart)
-%                     }
-%                     qsearch( $svcdb, \%search )
-%              );
-%
-%  if ( $DEBUG ) {
-%    warn scalar(@svc_x). " candidate accounts found for linking ".
-%         "(svcpart $svcpart):\n";
-%    foreach my $svc_x ( @svc_x ) {
-%      warn "  ". $svc_x->email.
-%           " (svcnum ". $svc_x->svcnum. ",".
-%           " pkgnum ".  $svc_x->cust_svc->pkgnum. ",".
-%           " svcpart ". $svc_x->cust_svc->svcpart. ")\n";
-%    }
-%  }
-%
-%  my $svc_x = $svc_x[0];
-%
-%  errorpage("$link_field not found!") unless $svc_x;
-%
-%  $svcnum = $svc_x->svcnum;
-%
-%}
-%
-%my $old = qsearchs('cust_svc',{'svcnum'=>$svcnum});
-%die "svcnum not found!" unless $old;
-%my $conf = new FS::Conf;
-%my($error, $new);
-%if ( $old->pkgnum && ! $conf->exists('legacy_link-steal') ) {
-%  $error = "svcnum $svcnum already linked to package ". $old->pkgnum;
-%} else {
-%  $new = new FS::cust_svc { $old->hash };
-%  $new->pkgnum($pkgnum);
-%  $new->svcpart($svcpart);
-%
-%  $error = $new->replace($old);
-%}
-%
 %unless ($error) {
 %  #no errors, so let's view this customer.
 %  my $custnum = $new->cust_pkg->custnum;
-%  print $cgi->redirect(popurl(3). "view/cust_main.cgi?$custnum".
-%                       "#cust_pkg$pkgnum" );
+<% $cgi->redirect(popurl(3). "view/cust_main.cgi?<%$custnum%>#cust_pkg<%$pkgnum%>" ) %>
 %} else {
-%
-
-<!-- mason kludge -->
-%
 % errorpage($error);
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('View/link unlinked services');
+
+my $DEBUG = 0;
+
+$cgi->param('pkgnum') =~ /^(\d+)$/;
+my $pkgnum = $1;
+$cgi->param('svcpart') =~ /^(\d+)$/;
+my $svcpart = $1;
+$cgi->param('svcnum') =~ /^(\d*)$/;
+my $svcnum = $1;
+
+unless ( $svcnum ) {
+  my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart});
+  my $svcdb = $part_svc->getfield('svcdb');
+  $cgi->param('link_field') =~ /^(\w+)$/;
+  my $link_field = $1;
+  my %search = ( $link_field => $cgi->param('link_value') );
+  if ( $cgi->param('link_field2') =~ /^(\w+)$/ ) {
+    $search{$1} = $cgi->param('link_value2');
+  }
+
+  my @svc_x = ( sort { ($a->cust_svc->pkgnum > 0) <=> ($b->cust_svc->pkgnum > 0)
+                       or ($b->cust_svc->svcpart == $svcpart)
+                            <=> ($a->cust_svc->svcpart == $svcpart)
+                     }
+                     qsearch( $svcdb, \%search )
+              );
+
+  if ( $DEBUG ) {
+    warn scalar(@svc_x). " candidate accounts found for linking ".
+         "(svcpart $svcpart):\n";
+    foreach my $svc_x ( @svc_x ) {
+      warn "  ". $svc_x->email.
+           " (svcnum ". $svc_x->svcnum. ",".
+           " pkgnum ".  $svc_x->cust_svc->pkgnum. ",".
+           " svcpart ". $svc_x->cust_svc->svcpart. ")\n";
+    }
+  }
+
+  my $svc_x = $svc_x[0];
+
+  errorpage("$link_field not found!") unless $svc_x;
+
+  $svcnum = $svc_x->svcnum;
+
+}
+
+my $old = qsearchs('cust_svc',{'svcnum'=>$svcnum});
+die "svcnum not found!" unless $old;
+my $conf = new FS::Conf;
+my($error, $new);
+if ( $old->pkgnum && ! $conf->exists('legacy_link-steal') ) {
+  $error = "svcnum $svcnum already linked to package ". $old->pkgnum;
+} else {
+  $new = new FS::cust_svc { $old->hash };
+  $new->pkgnum($pkgnum);
+  $new->svcpart($svcpart);
+
+  $error = $new->replace($old);
+}
 
+</%init>

diff --git a/httemplate/misc/process/meta-import.cgi b/httemplate/misc/process/meta-import.cgi
index 1cf178c..68ae49c 100644 (file)
--- a/httemplate/misc/process/meta-import.cgi
+++ b/httemplate/misc/process/meta-import.cgi
@@ -1,4 +1,3 @@
-<!-- mason kludge -->
 <% include("/elements/header.html",'Map tables') %>
 
 <SCRIPT>
@@ -183,5 +182,9 @@ function SafeOnsubmit() {
 %
 %
 <%init>
-die "meta-import script not currently enabled"; #make XSS-safe if this is used for more than just admins to import data....
+
+#there's no ACL for this...  haven't used in ages
+#make XSS-safe if this is used for more than just admins to import data....
+die 'meta-import not enabled; remove this if you want to use it';
+
 </%init>

diff --git a/httemplate/misc/process/payment.cgi b/httemplate/misc/process/payment.cgi
index 889670d..2baca1e 100644 (file)
--- a/httemplate/misc/process/payment.cgi
+++ b/httemplate/misc/process/payment.cgi
@@ -15,6 +15,9 @@
 % }
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Process payment');
+
 #some false laziness w/MyAccount::process_payment
 
 $cgi->param('custnum') =~ /^(\d+)$/

diff --git a/httemplate/misc/process/recharge_svc.html b/httemplate/misc/process/recharge_svc.html
index e540c38..147b953 100755 (executable)
--- a/httemplate/misc/process/recharge_svc.html
+++ b/httemplate/misc/process/recharge_svc.html
@@ -1,31 +1,3 @@
-%
-%
-%#untaint svcnum
-%my $svcnum = $cgi->param('svcnum');
-%$svcnum =~ /^(\d+)$/ || die "Illegal svcnum";
-%$svcnum = $1;
-%
-%#untaint prepaid
-%my $prepaid = $cgi->param('prepaid');
-%$prepaid =~ /^(\w*)$/;
-%$prepaid = $1;
-
-%#untaint payby
-%my $payby = $cgi->param('payby');
-%$payby =~ /^([A-Z]*)$/;
-%$payby = $1;
-%
-%my $error = '';
-%my $svc_acct = qsearchs( 'svc_acct', {'svcnum'=>$svcnum} );
-%$error = "Can't recharge service $svcnum. " unless $svc_acct;
-%
-%my $cust_main = $svc_acct->cust_svc->cust_pkg->cust_main;
-%
-%my $oldAutoCommit = $FS::UID::AutoCommit;
-%local $FS::UID::AutoCommit = 0;
-%my $dbh = dbh;
-%
-%
 %unless ($error) {
 %
 %  my ($amount, $seconds, $up, $down, $total) = (0, 0, 0, 0, 0);
@@ -86,5 +58,35 @@
   </SCRIPT>
   </BODY></HTML>
 <%init>
+
 my $conf = new FS::Conf;
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Recharge customer service');
+
+#untaint svcnum
+my $svcnum = $cgi->param('svcnum');
+$svcnum =~ /^(\d+)$/ || die "Illegal svcnum";
+$svcnum = $1;
+
+#untaint prepaid
+my $prepaid = $cgi->param('prepaid');
+$prepaid =~ /^(\w*)$/;
+$prepaid = $1;
+
+#untaint payby
+my $payby = $cgi->param('payby');
+$payby =~ /^([A-Z]*)$/;
+$payby = $1;
+
+my $error = '';
+my $svc_acct = qsearchs( 'svc_acct', {'svcnum'=>$svcnum} );
+$error = "Can't recharge service $svcnum. " unless $svc_acct;
+
+my $cust_main = $svc_acct->cust_svc->cust_pkg->cust_main;
+
+my $oldAutoCommit = $FS::UID::AutoCommit;
+local $FS::UID::AutoCommit = 0;
+my $dbh = dbh;
+
 </%init>

diff --git a/httemplate/misc/queue.cgi b/httemplate/misc/queue.cgi
index 7370aab..5dee29b 100644 (file)
--- a/httemplate/misc/queue.cgi
+++ b/httemplate/misc/queue.cgi
@@ -1,48 +1,49 @@
-%
-%
-%$cgi->param('action') =~ /^(new|del|(retry|remove) selected)$/
-%  or die "Illegal action";
-%my $action = $1;
-%
-%my $job;
-%if ( $action eq 'new' || $action eq 'del' ) {
-%  $cgi->param('jobnum') =~ /^(\d+)$/ or die "Illegal jobnum";
-%  my $jobnum = $1;
-%  $job = qsearchs('queue', { 'jobnum' => $1 })
-%    or die "unknown jobnum $jobnum - ".
-%           "it probably completed normally or was removed by another user";
-%}
-%
-%if ( $action eq 'new' ) {
-%  my %hash = $job->hash;
-%  $hash{'status'} = 'new';
-%  $hash{'statustext'} = '';
-%  my $new = new FS::queue \%hash;
-%  my $error = $new->replace($job);
-%  die $error if $error;
-%} elsif ( $action eq 'del' ) {
-%  my $error = $job->delete;
-%  die $error if $error;
-%} elsif ( $action =~ /^(retry|remove) selected$/ ) {
-%  foreach my $jobnum (
-%    map { /^jobnum(\d+)$/; $1; } grep /^jobnum\d+$/, $cgi->param
-%  ) {
-%    my $job = qsearchs('queue', { 'jobnum' => $jobnum });
-%    if ( $action eq 'retry selected' && $job ) { #new
-%      my %hash = $job->hash;
-%      $hash{'status'} = 'new';
-%      $hash{'statustext'} = '';
-%      my $new = new FS::queue \%hash;
-%      my $error = $new->replace($job);
-%      die $error if $error;
-%    } elsif ( $action eq 'remove selected' && $job ) { #del
-%      my $error = $job->delete;
-%      die $error if $error;
-%    }
-%  }
-%}
-%
-%print $cgi->redirect(popurl(2). "search/queue.html");
-%
-%
+<% $cgi->redirect(popurl(2). "search/queue.html") %>
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Job queue');
+
+$cgi->param('action') =~ /^(new|del|(retry|remove) selected)$/
+  or die "Illegal action";
+my $action = $1;
+
+my $job;
+if ( $action eq 'new' || $action eq 'del' ) {
+  $cgi->param('jobnum') =~ /^(\d+)$/ or die "Illegal jobnum";
+  my $jobnum = $1;
+  $job = qsearchs('queue', { 'jobnum' => $1 })
+    or die "unknown jobnum $jobnum - ".
+           "it probably completed normally or was removed by another user";
+}
+
+if ( $action eq 'new' ) {
+  my %hash = $job->hash;
+  $hash{'status'} = 'new';
+  $hash{'statustext'} = '';
+  my $new = new FS::queue \%hash;
+  my $error = $new->replace($job);
+  die $error if $error;
+} elsif ( $action eq 'del' ) {
+  my $error = $job->delete;
+  die $error if $error;
+} elsif ( $action =~ /^(retry|remove) selected$/ ) {
+  foreach my $jobnum (
+    map { /^jobnum(\d+)$/; $1; } grep /^jobnum\d+$/, $cgi->param
+  ) {
+    my $job = qsearchs('queue', { 'jobnum' => $jobnum });
+    if ( $action eq 'retry selected' && $job ) { #new
+      my %hash = $job->hash;
+      $hash{'status'} = 'new';
+      $hash{'statustext'} = '';
+      my $new = new FS::queue \%hash;
+      my $error = $new->replace($job);
+      die $error if $error;
+    } elsif ( $action eq 'remove selected' && $job ) { #del
+      my $error = $job->delete;
+      die $error if $error;
+    }
+  }
+}
+
+</%init>

diff --git a/httemplate/misc/recharge_svc.html b/httemplate/misc/recharge_svc.html
index a3de13d..2302f3f 100755 (executable)
--- a/httemplate/misc/recharge_svc.html
+++ b/httemplate/misc/recharge_svc.html
@@ -28,7 +28,7 @@
 </TR>
 <TR>
   <TD>Enter prepaid card: </TD>
-  <TD><INPUT TYPE="text" NAME="prepaid" VALUE="<% $prepaid %>" <% $payby eq "PREP" ? '' : 'disabled' %>></TD>
+  <TD><INPUT TYPE="text" NAME="prepaid" VALUE="<% $prepaid |h %>" <% $payby eq "PREP" ? '' : 'disabled' %>></TD>
 </TR>
 
 </TABLE>
@@ -37,35 +37,42 @@
 <INPUT TYPE="submit" NAME="submit" VALUE="Recharge">
 
 </FORM>
-</BODY>
-</HTML>
+
+<% include('/elements/footer.html');
 
 <%once>
+
 my $conf = new FS::Conf;
 my $money_char = $conf->config('money_char') || '$';
+
 </%once>
 <%init>
-my($svcnum, $cust_svc, $part_pkg, $label, $value, $prepaid, $amount, $payby); 
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Recharge customer service');
+
+my($svcnum, $prepaid, $payby); 
 if ( $cgi->param('error') ) {
   $svcnum        = $cgi->param('svcnum');
   $prepaid       = $cgi->param('prepaid');
   $payby         = $cgi->param('payby');
 } elsif ( $cgi->param('svcnum') =~ /^(\d+)$/ ) {
   $svcnum  = $1;
+  $prepaid = '';
 } else {
   die "illegal query ". $cgi->keywords;
 }
 
 my $title = 'Recharge Service';
 
-$cust_svc = qsearchs('cust_svc', {'svcnum' => $svcnum});
+my $cust_svc = qsearchs('cust_svc', {'svcnum' => $svcnum});
 die "No such service: $svcnum" unless $cust_svc;
 
-($label, $value) = $cust_svc->label;
+my($label, $value) = $cust_svc->label;
 
 $payby = $cust_svc->cust_pkg->cust_main->payby unless $payby;
-$part_pkg = $cust_svc->cust_pkg->part_pkg;
-$amount = $part_pkg->option('recharge_amount', 1) || 0;
+my $part_pkg = $cust_svc->cust_pkg->part_pkg;
+my $amount = $part_pkg->option('recharge_amount', 1) || 0;
 
 my $recharge_label = "Charge $money_char$amount for ";
 

diff --git a/httemplate/misc/svc_acct-domains.cgi b/httemplate/misc/svc_acct-domains.cgi
index a49a023..5734574 100644 (file)
--- a/httemplate/misc/svc_acct-domains.cgi
+++ b/httemplate/misc/svc_acct-domains.cgi
@@ -1,31 +1,31 @@
-%
-%
-%  my $pkgpart_svcpart = $cgi->param('arg');
-%  $pkgpart_svcpart =~ /^\d+_(\d+)$/;
-%  my $part_svc = qsearchs('part_svc', { 'svcpart' => $1 }) if $1;
-%  my $part_svc_column = $part_svc->part_svc_column('domsvc') if $part_svc;
-%
-%  my @output = split /,/, $part_svc_column->columnvalue if $part_svc_column;
-%  my $columnflag = $part_svc_column->columnflag if $part_svc_column;
-%  my @svc_domain = ();
-%  my %seen = ();
-%  
-%  foreach (@output) {
-%    my $svc_domain = qsearchs('svc_domain', { 'svcnum' => $_ })
-%      or warn "unknown svc_domain.svcnum $_ for part_svc_column domsvc; ".
-%         "svcpart = " . $part_svc->svcpart;
-%    push @svc_domain, [ $_ => $svc_domain->domain ];
-%    $seen{$_}++;
-%  }
-%  if ($conf->exists('svc_acct-alldomains')
-%       && ( $columnflag eq 'D' || $columnflag eq '' )
-%     ) {
-%    foreach (grep { $_->svcnum ne $output[0] } qsearch('svc_domain', {}) ){
-%      push @svc_domain, [ $_->svcnum => $_->domain ];
-%    }
-%  }
-%
 [ <% join(', ', map { qq("$_->[0]", "$_->[1]") } @svc_domain) %> ]
 <%init>
+
 my $conf = new FS::Conf;
+
+my $pkgpart_svcpart = $cgi->param('arg');
+$pkgpart_svcpart =~ /^\d+_(\d+)$/;
+my $part_svc = qsearchs('part_svc', { 'svcpart' => $1 }) if $1;
+my $part_svc_column = $part_svc->part_svc_column('domsvc') if $part_svc;
+
+my @output = split /,/, $part_svc_column->columnvalue if $part_svc_column;
+my $columnflag = $part_svc_column->columnflag if $part_svc_column;
+my @svc_domain = ();
+my %seen = ();
+
+foreach (@output) {
+  my $svc_domain = qsearchs('svc_domain', { 'svcnum' => $_ })
+    or warn "unknown svc_domain.svcnum $_ for part_svc_column domsvc; ".
+       "svcpart = " . $part_svc->svcpart;
+  push @svc_domain, [ $_ => $svc_domain->domain ];
+  $seen{$_}++;
+}
+if ($conf->exists('svc_acct-alldomains')
+     && ( $columnflag eq 'D' || $columnflag eq '' )
+   ) {
+  foreach (grep { $_->svcnum ne $output[0] } qsearch('svc_domain', {}) ){
+    push @svc_domain, [ $_->svcnum => $_->domain ];
+  }
+}
+
 </%init>

diff --git a/httemplate/misc/unapply-cust_credit.cgi b/httemplate/misc/unapply-cust_credit.cgi
index f8fa632..ed739ac 100755 (executable)
--- a/httemplate/misc/unapply-cust_credit.cgi
+++ b/httemplate/misc/unapply-cust_credit.cgi
@@ -1,19 +1,20 @@
-%
-%
-%#untaint crednum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal crednum";
-%my $crednum = $1;
-%
-%my $cust_credit = qsearchs('cust_credit', { 'crednum' => $crednum } );
-%my $custnum = $cust_credit->custnum;
-%
-%foreach my $cust_credit_bill ( $cust_credit->cust_credit_bill ) {
-%  my $error = $cust_credit_bill->delete;
-%  errorpage($error) if $error;
-%}
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unapply credit');
+
+#untaint crednum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal crednum";
+my $crednum = $1;
+
+my $cust_credit = qsearchs('cust_credit', { 'crednum' => $crednum } );
+my $custnum = $cust_credit->custnum;
+
+foreach my $cust_credit_bill ( $cust_credit->cust_credit_bill ) {
+  my $error = $cust_credit_bill->delete;
+  errorpage($error) if $error;
+}
+
+</%init>

diff --git a/httemplate/misc/unapply-cust_pay.cgi b/httemplate/misc/unapply-cust_pay.cgi
index 6bd6c07..8cdac18 100755 (executable)
--- a/httemplate/misc/unapply-cust_pay.cgi
+++ b/httemplate/misc/unapply-cust_pay.cgi
@@ -1,19 +1,20 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } );
-%my $custnum = $cust_pay->custnum;
-%
-%foreach my $cust_bill_pay ( $cust_pay->cust_bill_pay ) {
-%  my $error = $cust_bill_pay->delete;
-%  errorpage($error) if $error;
-%}
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unapply payment');
+
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
+
+my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } );
+my $custnum = $cust_pay->custnum;
+
+foreach my $cust_bill_pay ( $cust_pay->cust_bill_pay ) {
+  my $error = $cust_bill_pay->delete;
+  errorpage($error) if $error;
+}
+
+</%init>

diff --git a/httemplate/misc/unprovision.cgi b/httemplate/misc/unprovision.cgi
index b5e5106..4ab15fd 100755 (executable)
--- a/httemplate/misc/unprovision.cgi
+++ b/httemplate/misc/unprovision.cgi
@@ -1,31 +1,26 @@
-%
-%
-%my $dbh = dbh;
-% 
-%#untaint svcnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/;
-%my $svcnum = $1;
-%
-%#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum});
-%#die "Unknown svcnum!" unless $svc_acct;
-%
-%my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum});
-%die "Unknown svcnum!" unless $cust_svc;
-%
-%my $custnum = $cust_svc->cust_pkg->custnum;
-%
-%my $error = $cust_svc->cancel;
-%
 %if ( $error ) {
-%  
-
-<!-- mason kludge -->
-%
 %  errorpage($error);
 %} else {
-%  print $cgi->redirect(popurl(2)."view/cust_main.cgi?$custnum");
+<% $cgi->redirect(popurl(2)."view/cust_main.cgi?$custnum") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unprovision customer service');
+
+#untaint svcnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/;
+my $svcnum = $1;
+
+#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum});
+#die "Unknown svcnum!" unless $svc_acct;
+
+my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum});
+die "Unknown svcnum!" unless $cust_svc;
+
+my $custnum = $cust_svc->cust_pkg->custnum;
+
+my $error = $cust_svc->cancel;
 
+</%init>

diff --git a/httemplate/misc/unsusp_pkg.cgi b/httemplate/misc/unsusp_pkg.cgi
index 80188c6..b350693 100755 (executable)
--- a/httemplate/misc/unsusp_pkg.cgi
+++ b/httemplate/misc/unsusp_pkg.cgi
@@ -1,16 +1,20 @@
-%
-%
-%#untaint pkgnum
-%my ($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal pkgnum";
-%my $pkgnum = $1;
-%
-%my $cust_pkg = qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
-%
-%my $error = $cust_pkg->unsuspend;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect(popurl(2). "view/cust_main.cgi?".$cust_pkg->getfield('custnum'));
-%
-%
+%if ( $error ) {
+%  errorpage($error);
+%} else {
+<% $cgi->redirect(popurl(2). "view/cust_main.cgi?".$cust_pkg->getfield('custnum')) %>
+%}
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unsuspend customer package');
+
+#untaint pkgnum
+my ($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal pkgnum";
+my $pkgnum = $1;
+
+my $cust_pkg = qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
+
+my $error = $cust_pkg->unsuspend;
+
+</%init>

diff --git a/httemplate/misc/unvoid-cust_pay_void.cgi b/httemplate/misc/unvoid-cust_pay_void.cgi
index 625431a..91fe1c2 100755 (executable)
--- a/httemplate/misc/unvoid-cust_pay_void.cgi
+++ b/httemplate/misc/unvoid-cust_pay_void.cgi
@@ -1,17 +1,21 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay_void = qsearchs('cust_pay_void', { 'paynum' => $paynum } );
-%my $custnum = $cust_pay_void->custnum;
-%
-%my $error = $cust_pay_void->unvoid;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+%if ( $error ) {
+%  errorpage($error);
+%} else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+%}
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unvoid');
+
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
+
+my $cust_pay_void = qsearchs('cust_pay_void', { 'paynum' => $paynum } );
+my $custnum = $cust_pay_void->custnum;
+
+my $error = $cust_pay_void->unvoid;
+
+</%init>

diff --git a/httemplate/misc/upload-batch.cgi b/httemplate/misc/upload-batch.cgi
index 5a15008..d1a84fd 100644 (file)
--- a/httemplate/misc/upload-batch.cgi
+++ b/httemplate/misc/upload-batch.cgi
@@ -1,17 +1,14 @@
-%  if ( $error ) {
-
-    <!-- mason kludge -->
-
-%    errorpage($error);
-%#    $cgi->param('error', $error);
-%#    print $cgi->redirect( "${p}cust_main-import.cgi
-%  } else {
-
-    <% include("/elements/header.html",'Batch results upload successful') %> 
-
-%  }
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+    <% include('/elements/header.html','Batch results upload successful') %> 
+    <% include('/elements/footer.html') %> 
+% }
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Process batches');
+
 my $error;
 
 my $fh = $cgi->upload('batch_results');

diff --git a/httemplate/misc/void-cust_pay.cgi b/httemplate/misc/void-cust_pay.cgi
index 972a1a5..7b484e9 100755 (executable)
--- a/httemplate/misc/void-cust_pay.cgi
+++ b/httemplate/misc/void-cust_pay.cgi
@@ -1,17 +1,26 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum});
-%my $custnum = $cust_pay->custnum;
-%
-%my $error = $cust_pay->void;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+%if ( $error ) {
+%  errorpage($error);
+%} else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+%}
+<%init>
 
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
+
+my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum});
+
+my $right = 'Regular void';
+$right = 'Credit card void' if $cust_pay->payby eq 'CARD';
+$right = 'Echeck void'      if $cust_pay->payby eq 'CHEK';
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right($right);
+
+my $custnum = $cust_pay->custnum;
+
+my $error = $cust_pay->void;
+
+</%init>

diff --git a/httemplate/misc/whois.cgi b/httemplate/misc/whois.cgi
index d3d9649..35d0ecc 100644 (file)
--- a/httemplate/misc/whois.cgi
+++ b/httemplate/misc/whois.cgi
@@ -1,10 +1,3 @@
-%
-%  my $svcnum = $cgi->param('svcnum');
-%  my $custnum = $cgi->param('custnum');
-%  my $domain = $cgi->param('domain');
-%
-%
-
 <% include("/elements/header.html","Whois $domain", menubar(
   ( $custnum
     ? ( "View this customer (#$custnum)" => "${p}view/cust_main.cgi?$custnum",
@@ -12,16 +5,23 @@
     : ()
   ),
   "View this domain (#$svcnum)" => "${p}view/svc_domain.cgi?$svcnum",
-  "Main menu" => $p,
 )) %>
-% my $whois = eval { whois($domain) };
-%   if ( $@ ) {
-%     ( $whois = $@ ) =~ s/ at \/.*Net\/Whois\/Raw\.pm line \d+.*$//s;
-%   } else {
-%     $whois =~ s/^\n+//;
-%   }
-%
 
 <PRE><% $whois %></PRE>
-</BODY>
-</HTML>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+my $svcnum = $cgi->param('svcnum');
+my $custnum = $cgi->param('custnum');
+my $domain = $cgi->param('domain');
+
+my $whois = eval { whois($domain) };
+  if ( $@ ) {
+    ( $whois = $@ ) =~ s/ at \/.*Net\/Whois\/Raw\.pm line \d+.*$//s;
+  } else {
+    $whois =~ s/^\n+//;
+  }
+
+</%init>