From: ivan
Date: Sun, 12 Jul 2009 23:25:13 +0000 (+0000)
Subject: ACL on customer edit
X-Git-Tag: root_of_svc_elec_features~1037
X-Git-Url: http://git.freeside.biz/gitweb/?p=freeside.git;a=commitdiff_plain;h=76460e5ae2b453efdbf6930170095618bb254d91
ACL on customer edit
---
diff --git a/httemplate/edit/cust_main.cgi b/httemplate/edit/cust_main.cgi
index 7308c72da..575131424 100755
--- a/httemplate/edit/cust_main.cgi
+++ b/httemplate/edit/cust_main.cgi
@@ -199,8 +199,12 @@ function samechanged(what) {
 <%init>
+my $curuser = $FS::CurrentUser::CurrentUser;
+
+#probably redundant given the checks below...
 die "access denied"
- unless $FS::CurrentUser::CurrentUser->access_right('Edit customer');
+ unless $curuser->access_right('New customer')
+ || $curuser->access_right('Edit customer');
 my $conf = new FS::Conf;
@@ -219,6 +223,10 @@ if ( $cgi->param('error') ) {
 } );
 $custnum = $cust_main->custnum;
+
+ die "access denied"
+ unless $curuser->access_right($custnum ? 'Edit customer' : 'New customer');
+
 @invoicing_list = split( /\s*,\s*/, $cgi->param('invoicing_list') );
 $same = $cgi->param('same');
 $cust_main->setfield('paid' => $cgi->param('paid')) if $cgi->param('paid');
@@ -245,6 +253,9 @@ if ( $cgi->param('error') ) {
 } elsif ( $cgi->keywords ) { #editing
+ die "access denied"
+ unless $curuser->access_right('Edit customer');
+
 my( $query ) = $cgi->keywords;
 $query =~ /^(\d+)$/;
 $custnum=$1;
@@ -262,6 +273,9 @@ if ( $cgi->param('error') ) {
 } else { #new customer
+ die "access denied"
+ unless $curuser->access_right('New customer');
+
 $custnum='';
 $cust_main = new FS::cust_main ( {} );
 $cust_main->otaker( &getotaker );
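Review bot: The comment `#probably redundant given the checks below...` on the top-level check in the first hunk undersells what that check is for: with the per-branch checks this commit adds in the error, editing and new-customer branches it is indeed redundant, but it is also what keeps the page fail-closed if another branch is ever added to the `if`/`elsif`/`else` chain without its own check. Suggest stating that intent instead of hedging, e.g. `# Redundant with the per-branch checks below; kept so that any branch added to the if/elsif/else chain without its own check still requires one of these rights.` The `<%init>` block continues past the hunk, so branches not visible here may exist and would rely on this guard.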
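Review bot: The new check in the editing branch (third hunk) gates only on the global `'Edit customer'` right, before `$custnum` is parsed, so it does not decide whether this user may open this particular customer; if the access model also scopes users to specific agents' customers (not visible here), the lookup that follows `$custnum=$1` outside the hunk must still apply that restriction. Adjacent to the new lines, the context lines `$query =~ /^(\d+)$/; $custnum=$1;` assign `$1` without testing the match, so a non-numeric keyword leaves `$custnum` undefined or holding an earlier capture; `die "invalid custnum" unless $query =~ /^(\d+)$/; $custnum = $1;` would fail closed instead. The branch body continues past the hunk.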