From 66b55857d43110136cf85d57dbda0960cad29b32 Mon Sep 17 00:00:00 2001
From: Ivan Kohler <ivan@freeside.biz>
Date: Wed, 15 Aug 2012 23:12:58 -0700
Subject: [PATCH] separate ACL for merging customers across agents, RT#18939

---
 FS/FS/AccessRight.pm | 1 +
 FS/FS/cust_main.pm   | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/FS/FS/AccessRight.pm b/FS/FS/AccessRight.pm
index b41ec2fe2..e730bde82 100644
--- a/FS/FS/AccessRight.pm
+++ b/FS/FS/AccessRight.pm
@@ -117,6 +117,7 @@ tie my %rights, 'Tie::IxHash',
     'Cancel customer',
     'Complimentary customer', #aka users-allow_comp 
     'Merge customer',
+    'Merge customer across agents',
     { rightname=>'Delete customer', desc=>"Enable customer deletions. Be very careful! Deleting a customer will remove all traces that this customer ever existed! It should probably only be used when auditing a legacy database. Normally, you cancel all of a customer's packages if they cancel service." }, #aka. deletecustomers
     'Bill customer now', #NEW
     'Bulk send customer notices', #NEW
diff --git a/FS/FS/cust_main.pm b/FS/FS/cust_main.pm
index 3742bfdad..fda82e45b 100644
--- a/FS/FS/cust_main.pm
+++ b/FS/FS/cust_main.pm
@@ -1245,9 +1245,12 @@ sub merge {
 
   return "Can't merge a customer into self" if $self->custnum == $new_custnum;
 
-  unless ( qsearchs( 'cust_main', { 'custnum' => $new_custnum } ) ) {
-    return "Invalid new customer number: $new_custnum";
-  }
+  my $new_cust_main = qsearchs( 'cust_main', { 'custnum' => $new_custnum } )
+    or return "Invalid new customer number: $new_custnum";
+
+  return 'Access denied: "Merge customer across agents" access right required to merge into a customer of a different agent'
+    if $self->agentnum != $new_cust_main->agentnum 
+    && ! $FS::CurrentUser::CurrentUser->access_right('Merge customer across agents');
 
   local $SIG{HUP} = 'IGNORE';
   local $SIG{INT} = 'IGNORE';
-- 
2.11.0