From edb7652d50dcbabc4ec066a78ae8f65a4a7b5d24 Mon Sep 17 00:00:00 2001 From: ivan Date: Thu, 17 Jan 2008 04:23:14 +0000 Subject: [PATCH] fix ACLs to allow the limited "package editing" of customizing customer packages --- httemplate/edit/part_pkg.cgi | 12 ++++++++---- httemplate/edit/process/part_pkg.cgi | 15 +++++++++++---- 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/httemplate/edit/part_pkg.cgi b/httemplate/edit/part_pkg.cgi index 7e7944871..ec001cb0c 100755 --- a/httemplate/edit/part_pkg.cgi +++ b/httemplate/edit/part_pkg.cgi @@ -243,6 +243,7 @@ Line-item revenue recognition % delete $freq{$_} foreach grep { ! /^\d+$/ } keys %freq; %} % +%#this should be replaced by /elements/selectlayers.html %my $widget = new HTML::Widgets::SelectLayers( % 'selected_layer' => $part_pkg->plan, % 'options' => \%options, @@ -363,10 +364,6 @@ Line-item revenue recognition <% include('/elements/footer.html') %> <%init> -die "access denied" - unless $FS::CurrentUser::CurrentUser->access_right('Edit package definitions') - || $FS::CurrentUser::CurrentUser->access_right('Edit global package definitions'); - if ( $cgi->param('clone') && $cgi->param('clone') =~ /^(\d+)$/ ) { $cgi->param('clone', $1); } else { @@ -378,6 +375,13 @@ if ( $cgi->param('pkgnum') && $cgi->param('pkgnum') =~ /^(\d+)$/ ) { $cgi->param('pkgnum', ''); } +my $curuser = $FS::CurrentUser::CurrentUser; + +die "access denied" + unless $curuser->access_right('Edit package definitions') + || $curuser->access_right('Edit global package definitions') + || ( $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') ); + my ($query) = $cgi->keywords; my $conf = new FS::Conf; diff --git a/httemplate/edit/process/part_pkg.cgi b/httemplate/edit/process/part_pkg.cgi index d3d4f8510..2381e7fc9 100755 --- a/httemplate/edit/process/part_pkg.cgi +++ b/httemplate/edit/process/part_pkg.cgi @@ -11,10 +11,6 @@ %} <%init> -die "access denied" - unless $FS::CurrentUser::CurrentUser->access_right('Edit package definitions') - || $FS::CurrentUser::CurrentUser->access_right('Edit global package definitions'); - my $dbh = dbh; my $conf = new FS::Conf; @@ -70,6 +66,8 @@ my %pkg_svc = map { $_ => scalar($cgi->param("pkg_svc$_")) } map { $_->svcpart } qsearch('part_svc', {} ); +my $curuser = $FS::CurrentUser::CurrentUser; + my $custnum = ''; if ( $error ) { @@ -81,12 +79,21 @@ if ( $error ) { } elsif ( $pkgpart ) { + die "access denied" + unless $curuser->access_right('Edit package definitions') + || $curuser->access_right('Edit global package definitions'); + $error = $new->replace( $old, pkg_svc => \%pkg_svc, primary_svc => scalar($cgi->param('pkg_svc_primary')), ); } else { + die "access denied" + unless $curuser->access_right('Edit package definitions') + || $curuser->access_right('Edit global package definitions'); + || ( $cgi->param('pkgnum') && $curuser->access_right('Customize customer package') ); + $error = $new->insert( pkg_svc => \%pkg_svc, primary_svc => scalar($cgi->param('pkg_svc_primary')), cust_pkg => $cgi->param('pkgnum'), -- 2.11.0