From 524f46a00ec9610c82a519bea2469cb1711abc1b Mon Sep 17 00:00:00 2001
From: ivan
Date: Wed, 3 Aug 2011 00:05:01 +0000
Subject: [PATCH] resolve inconsistency with posting payments then not having the ACL to view them: add "View payments" and "View refunds" rights, redirect payment/refund posting back to customer view if you cannot see the result
---
 FS/FS/AccessRight.pm | 2 ++
 httemplate/misc/process/payment.cgi | 9 ++++++---
 httemplate/search/elements/cust_pay_or_refund.html | 5 +++--
 httemplate/view/cust_pay.html | 4 ++--
 httemplate/view/cust_refund.html | 6 ++----
 5 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/FS/FS/AccessRight.pm b/FS/FS/AccessRight.pm
index 458f9694e..4514ccbfd 100644
--- a/FS/FS/AccessRight.pm
+++ b/FS/FS/AccessRight.pm
@@ -186,6 +186,7 @@ tie my %rights, 'Tie::IxHash',
 # customer payment rights
 ###
 'Customer payment rights' => [
+ 'View payments',
 { rightname=>'Post payment', desc=>'Make check or cash payments.' },
 'Post check payment',
 'Post cash payment',
@@ -206,6 +207,7 @@ tie my %rights, 'Tie::IxHash',
 'Apply credit', #NEWNEW
 { rightname=>'Unapply credit', desc=>'Enable "unapplication" of unclosed credits.' }, #aka unapplycredits
 { rightname=>'Delete credit', desc=>'Enable deletion of unclosed credits. Be very careful! Only delete credits that were data-entry errors, not adjustments.' }, #aka. deletecredits Optionally specify one or more comma-separated email addresses to be notified when a credit is deleted.
+ 'View refunds',
 { rightname=>'Post refund', desc=>'Enable posting of check and cash refunds.' },
 'Post check refund',
 'Post cash refund',
diff --git a/httemplate/misc/process/payment.cgi b/httemplate/misc/process/payment.cgi
index 9c8512785..5fa57e448 100644
--- a/httemplate/misc/process/payment.cgi
+++ b/httemplate/misc/process/payment.cgi
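Review bot: The two new rights are added as bare strings with no `desc`, so the ACL editor shows them with no explanation of what they gate, whereas the neighbouring 'Post payment' and 'Post refund' entries in the same hunks carry a rightname/desc hash. Suggest `{ rightname=>'View payments', desc=>'View individual payment records.' },` here and the matching `{ rightname=>'View refunds', desc=>'View individual refund records.' },` in the second hunk at line 207. Since the view pages changed in this patch still accept 'View invoices' as an equivalent, the descriptions could also note that the right is implied by 'View invoices' until that fallback is removed. The old checks referenced a 'View customer payments' right; if that name is declared in %rights outside these hunks, access_right rows granting it stop authorising anything after this change and would need an upgrade mapping to the new names.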
@@ -10,13 +10,16 @@
 <% include('/elements/footer.html') %>
-% } else {
+% #2.5/2.7?# } elsif ( $curuser->access_right('View payments') ) {
+% } elsif ( $curuser->access_right(['View invoices', 'View payments']) ) {
 <% $cgi->redirect(popurl(3). "view/cust_pay.html?paynum=$paynum" ) %>
+% } else {
+<% $cgi->redirect(popurl(3). "view/cust_main.html?custnum=$custnum" ) %>
 % }
 <%init>
-die "access denied"
- unless $FS::CurrentUser::CurrentUser->access_right('Process payment');
+my $curuser = $FS::CurrentUser::CurrentUser;
+die "access denied" unless $curuser->access_right('Process payment');
 #some false laziness w/MyAccount::process_payment
diff --git a/httemplate/search/elements/cust_pay_or_refund.html b/httemplate/search/elements/cust_pay_or_refund.html
index 8c32b79bd..002b1a4c2 100755
--- a/httemplate/search/elements/cust_pay_or_refund.html
+++ b/httemplate/search/elements/cust_pay_or_refund.html
@@ -74,8 +74,9 @@ $title = 'Unapplied ' if $unapplied;
 $title .= "\u$name_singular Search Results";
 my $link = '';
-if ( ( $curuser->access_right('View invoices') #XXX for now
- || $curuser->access_right('View customer payments')
+if ( ( $curuser->access_right('View invoices') #remove in 2.5 (2.7?)
+ || ($curuser->access_right('View payments') && $table =~ /^cust_pay/)
+ || ($curuser->access_right('View refunds') && $table eq 'cust_refund')
 )
 && ! $opt{'disable_link'}
 )
diff --git a/httemplate/view/cust_pay.html b/httemplate/view/cust_pay.html
index c9b2d51b5..d02f1543d 100644
--- a/httemplate/view/cust_pay.html
+++ b/httemplate/view/cust_pay.html
@@ -134,8 +134,8 @@ my $curuser = $FS::CurrentUser::CurrentUser;
 die "access denied"
- unless $curuser->access_right('View invoices') #remove this in 1.9 EVENTUALLY
- || $curuser->access_right('View customer payments');
+ unless $curuser->access_right('View invoices') #remove this in 2.5 (2.7?)
+ || $curuser->access_right('View payments');
 $cgi->param('paynum') =~ /^(\d+)$/ or die "no paynum";
 my $paynum = $1;
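Review bot: The new fallback redirect interpolates `$custnum` into the Location URL, but nothing in this hunk defines it; the `<%init>` block continues outside the hunk, so this presumes it is assigned there from a digits-only capture the way `$paynum` is, and if it is instead taken straight from `$cgi->param('custnum')` it needs a `/^(\d+)$/` check before reaching the redirect. The line `% #2.5/2.7?# } elsif ( $curuser->access_right('View payments') ) {` is commented-out code standing in for a TODO; prefer `% # TODO 2.5/2.7: drop the 'View invoices' fallback below` so it greps the same way as the "remove in 2.5 (2.7?)" markers in cust_pay_or_refund.html and cust_pay.html. The listref form `access_right(['View invoices', 'View payments'])` is presumably any-of semantics; worth confirming against the user object's access_right method, since the other files in this patch spell the same rule as an `||` chain. The enclosing `% if` whose `else` this replaces starts before the hunk.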
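Review bot: `$table =~ /^cust_pay/` is anchored only at the start, so the 'View payments' gate also matches any other table name beginning with cust_pay, while the refund case on the next line uses an exact `eq`. If the prefix match is deliberate because this element is shared with other payment-like tables, say so; otherwise use `$table eq 'cust_pay'` so both lines read the same way. Suggested comment on the payments line: `# prefix match on purpose: same rule for every cust_pay* table rendered by this element`. The body of the `if` lies outside the hunk.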
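Review bot: The `die "access denied"` test still lets 'View invoices' through, so the new 'View payments' right tightens nothing for anyone who already holds the legacy right until the fallback flagged `#remove this in 2.5 (2.7?)` is actually removed; the same applies to 'View refunds' in cust_refund.html in the next hunk. This rule is now written three ways in one patch (a listref in payment.cgi, `||` chains here and in cust_refund.html, and a table-dependent chain in cust_pay_or_refund.html), so the eventual removal has four places to touch and they can drift apart in the meantime. Consider moving the check into a single helper on the user object so the view page, the search link and the post-payment redirect agree by construction. The `<%init>` block this sits in starts and ends outside the hunk.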
diff --git a/httemplate/view/cust_refund.html b/httemplate/view/cust_refund.html
index f19c61b1f..996b4c05a 100644
--- a/httemplate/view/cust_refund.html
+++ b/httemplate/view/cust_refund.html
@@ -105,10 +105,8 @@ my $curuser = $FS::CurrentUser::CurrentUser;
 die "access denied"
- unless $curuser->access_right('View invoices') #remove this in 1.9 EVENTUALLY
- || $curuser->access_right('View customer payments');
- #'View customer refunds' ???
-
+ unless $curuser->access_right('View invoices') #remove this in 2.5 (2.7?)
+ || $curuser->access_right('View refunds');
 $cgi->param('refundnum') =~ /^(\d+)$/ or die "no refundnum";
 my $refundnum = $1;
--
2.11.0