[freeside-commits] freeside/httemplate/misc batch-cust_pay.html, 1.9, 1.10 bill.cgi, 1.14, 1.15 cancel-unaudited.cgi, 1.12, 1.13 cancel_cust.html, 1.2, 1.3 cancel_pkg.html, 1.5, 1.6 catchall.cgi, 1.9, 1.10 cdr-import.html, 1.3, 1.4 cust_main-cancel.cgi, 1.6, 1.7 cust_main-import.cgi, 1.8, 1.9 cust_main-import_charges.cgi, 1.3, 1.4 delete-cust_credit.cgi, 1.3, 1.4 delete-cust_pay.cgi, 1.4, 1.5 delete-cust_refund.cgi, 1.2, 1.3 delete-customer.cgi, 1.11, 1.12 delete-domain_record.cgi, 1.3, 1.4 delete-part_export.cgi, 1.5, 1.6 dump.cgi, 1.4, 1.5 email-invoice.cgi, 1.6, 1.7 email_invoice_events.cgi, 1.4, 1.5 email_invoices.cgi, 1.5, 1.6 fax-invoice.cgi, 1.4, 1.5 fax_invoice_events.cgi, 1.4, 1.5 fax_invoices.cgi, 1.5, 1.6 inventory_item-import.html, 1.3, 1.4 link.cgi, 1.12, 1.13 meta-import.cgi, 1.4, 1.5 payment.cgi, 1.16, 1.17 print-invoice.cgi, 1.10, 1.11 print_invoice_events.cgi, 1.4, 1.5 print_invoices.cgi, 1.5, 1.6 queue.cgi, 1.5, 1.6 recharge_svc.html, 1.4, 1.5 svc_acct-domains.cgi, 1.3, 1.4 unapply-cust_credit.cgi, 1.3, 1.4 unapply-cust_pay.cgi, 1.4, 1.5 unprovision.cgi, 1.4, 1.5 unsusp_pkg.cgi, 1.6, 1.7 unvoid-cust_pay_void.cgi, 1.3, 1.4 upload-batch.cgi, 1.12, 1.13 void-cust_pay.cgi, 1.3, 1.4 whois.cgi, 1.3, 1.4

Ivan,,, ivan at wavetail.420.am
Sun Jan 13 13:14:21 PST 2008


Update of /home/cvs/cvsroot/freeside/httemplate/misc
In directory wavetail:/tmp/cvs-serv6645

Modified Files:
	batch-cust_pay.html bill.cgi cancel-unaudited.cgi 
	cancel_cust.html cancel_pkg.html catchall.cgi cdr-import.html 
	cust_main-cancel.cgi cust_main-import.cgi 
	cust_main-import_charges.cgi delete-cust_credit.cgi 
	delete-cust_pay.cgi delete-cust_refund.cgi delete-customer.cgi 
	delete-domain_record.cgi delete-part_export.cgi dump.cgi 
	email-invoice.cgi email_invoice_events.cgi email_invoices.cgi 
	fax-invoice.cgi fax_invoice_events.cgi fax_invoices.cgi 
	inventory_item-import.html link.cgi meta-import.cgi 
	payment.cgi print-invoice.cgi print_invoice_events.cgi 
	print_invoices.cgi queue.cgi recharge_svc.html 
	svc_acct-domains.cgi unapply-cust_credit.cgi 
	unapply-cust_pay.cgi unprovision.cgi unsusp_pkg.cgi 
	unvoid-cust_pay_void.cgi upload-batch.cgi void-cust_pay.cgi 
	whois.cgi 
Log Message:
ACLs

Index: catchall.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/catchall.cgi,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- catchall.cgi	23 Aug 2006 22:25:38 -0000	1.9
+++ catchall.cgi	13 Jan 2008 21:14:18 -0000	1.10
@@ -1,134 +1,120 @@
-<!-- mason kludge -->
-%
-%
-%my $conf = new FS::Conf;
-%
-%my($svc_domain, $svcnum, $pkgnum, $svcpart, $part_svc);
-%if ( $cgi->param('error') ) {
-%  $svc_domain = new FS::svc_domain ( {
-%    map { $_, scalar($cgi->param($_)) } fields('svc_domain')
-%  } );
-%  $svcnum = $svc_domain->svcnum;
-%  $pkgnum = $cgi->param('pkgnum');
-%  $svcpart = $cgi->param('svcpart');
-%  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%  die "No part_svc entry!" unless $part_svc;
-%} else {
-%  my($query) = $cgi->keywords;
-%  if ( $query =~ /^(\d+)$/ ) { #editing
-%    $svcnum=$1;
-%    $svc_domain=qsearchs('svc_domain',{'svcnum'=>$svcnum})
-%      or die "Unknown (svc_domain) svcnum!";
-%
-%    my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
-%      or die "Unknown (cust_svc) svcnum!";
-%
-%    $pkgnum=$cust_svc->pkgnum;
-%    $svcpart=$cust_svc->svcpart;
-%  
-%    $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
-%    die "No part_svc entry!" unless $part_svc;
-%
-%  } else { 
-%
-%    die "Invalid (svc_domain) svcnum!";
-%
-%  }
-%}
-%
-%my %email;
-%if ($pkgnum) {
-%
-%  #find all possible user svcnums (and emails)
-%
-%  #starting with that currently attached
-%  if ($svc_domain->catchall) {
-%    my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall});
-%    $email{$svc_domain->catchall} = $svc_acct->email;
-%  }
-%
-%  #and including the rest for this customer
-%  my($u_part_svc, at u_acct_svcparts);
-%  foreach $u_part_svc ( qsearch('part_svc',{'svcdb'=>'svc_acct'}) ) {
-%    push @u_acct_svcparts,$u_part_svc->getfield('svcpart');
-%  }
-%
-%  my($cust_pkg)=qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
-%  my($custnum)=$cust_pkg->getfield('custnum');
-%  my($i_cust_pkg);
-%  foreach $i_cust_pkg ( qsearch('cust_pkg',{'custnum'=>$custnum}) ) {
-%    my($cust_pkgnum)=$i_cust_pkg->getfield('pkgnum');
-%    my($acct_svcpart);
-%    foreach $acct_svcpart (@u_acct_svcparts) {   #now find the corresponding 
-%                                              #record(s) in cust_svc ( for this
-%                                              #pkgnum ! )
-%      my($i_cust_svc);
-%      foreach $i_cust_svc ( qsearch('cust_svc',{'pkgnum'=>$cust_pkgnum,'svcpart'=>$acct_svcpart}) ) {
-%        my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$i_cust_svc->getfield('svcnum')});
-%        $email{$svc_acct->getfield('svcnum')}=$svc_acct->email;
-%      }  
-%    }
-%  }
-%
-%} else {
-%
-%  my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall});
-%  $email{$svc_domain->catchall} = $svc_acct->email;
-%}
-%
-%# add an absence of a catchall
-%$email{''} = "(none)";
-%
-%my $p1 = popurl(1);
-%print header("Domain Catchall Edit", '');
-%
-%print qq!<FONT SIZE="+1" COLOR="#ff0000">Error: !, $cgi->param('error'),
-%      "</FONT>"
-%  if $cgi->param('error');
-%
-%print qq!<FORM ACTION="${p1}process/catchall.cgi" METHOD=POST>!;
-%
-%#display
-%
-%	#formatting
-%	print "<PRE>";
-%
-%#svcnum
-%print qq!<INPUT TYPE="hidden" NAME="svcnum" VALUE="$svcnum">!;
-%print qq!Service #<FONT SIZE=+1><B>!, $svcnum ? $svcnum : " (NEW)", "</B></FONT>";
-%
-%#pkgnum
-%print qq!<INPUT TYPE="hidden" NAME="pkgnum" VALUE="$pkgnum">!;
-% 
-%#svcpart
-%print qq!<INPUT TYPE="hidden" NAME="svcpart" VALUE="$svcpart">!;
-%
-%my($domain,$catchall)=(
-%  $svc_domain->domain,
-%  $svc_domain->catchall,
-%);
-%
-%print qq!<INPUT TYPE="hidden" NAME="domain" VALUE="$domain">!;
-%
-%#catchall
-%print qq!\n\nMail to <I>(anything)</I>@<B>$domain</B> forwards to <SELECT NAME="catchall" SIZE=1>!;
-%foreach $_ (keys %email) {
-%  print "<OPTION", $_ eq $catchall ? " SELECTED" : "",
-%        qq! VALUE="$_">$email{$_}!;
-%}
-%print "</SELECT>";
-%
-%	#formatting
-%	print "</PRE>\n";
-%
-%print qq!<CENTER><INPUT TYPE="submit" VALUE="Submit"></CENTER>!;
-%
-%print <<END;
-%
-%    </FORM>
-%  </BODY>
-%</HTML>
-%END
-%
-%
+<% include('/elements/header.html', 'Domain Catchall Edit') %>
+
+<% include('/elements/error.html') %>
+
+<FORM ACTION="<%$p1%>process/catchall.cgi" METHOD=POST>
+
+<PRE>
+
+<INPUT TYPE="hidden" NAME="svcnum" VALUE="<% $svcnum |h %>">
+Service #<FONT SIZE=+1><B><% $svcnum ? $svcnum : ' (NEW)' |h %></B></FONT>
+
+<INPUT TYPE="hidden" NAME="pkgnum" VALUE="<% $pkgnum |h %>">
+
+<INPUT TYPE="hidden" NAME="svcpart" VALUE="<% $svcpart %>">
+
+% my $domain   = $svc_domain->domain;
+% my $catchall = $svc_domain->catchall;
+
+<INPUT TYPE="hidden" NAME="domain" VALUE="<% $domain |h %>">
+
+Mail to <I>(anything)</I>@<B><% $domain |h %></B> forwards to <SELECT NAME="catchall" SIZE=1>
+% foreach $_ (keys %email) {
+    <OPTION<% $_ eq $catchall ? ' SELECTED' : '' %> VALUE="<% $_ %>"><% $email{$_} %>
+% }
+</SELECT>
+
+</PRE>
+
+<INPUT TYPE="submit" VALUE="Submit">
+
+</FORM>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit domain catchall');
+
+my $conf = new FS::Conf;
+
+my($svc_domain, $svcnum, $pkgnum, $svcpart, $part_svc);
+if ( $cgi->param('error') ) {
+  $svc_domain = new FS::svc_domain ( {
+    map { $_, scalar($cgi->param($_)) } fields('svc_domain')
+  } );
+  $svcnum = $svc_domain->svcnum;
+  $pkgnum = $cgi->param('pkgnum');
+  $svcpart = $cgi->param('svcpart');
+  $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+  die "No part_svc entry!" unless $part_svc;
+} else {
+  my($query) = $cgi->keywords;
+  if ( $query =~ /^(\d+)$/ ) { #editing
+    $svcnum=$1;
+    $svc_domain=qsearchs('svc_domain',{'svcnum'=>$svcnum})
+      or die "Unknown (svc_domain) svcnum!";
+
+    my($cust_svc)=qsearchs('cust_svc',{'svcnum'=>$svcnum})
+      or die "Unknown (cust_svc) svcnum!";
+
+    $pkgnum=$cust_svc->pkgnum;
+    $svcpart=$cust_svc->svcpart;
+  
+    $part_svc=qsearchs('part_svc',{'svcpart'=>$svcpart});
+    die "No part_svc entry!" unless $part_svc;
+
+  } else { 
+
+    die "Invalid (svc_domain) svcnum!";
+
+  }
+}
+
+my %email;
+if ($pkgnum) {
+
+  #find all possible user svcnums (and emails)
+
+  #starting with that currently attached
+  if ($svc_domain->catchall) {
+    my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall});
+    $email{$svc_domain->catchall} = $svc_acct->email;
+  }
 
+  #and including the rest for this customer
+  my($u_part_svc, at u_acct_svcparts);
+  foreach $u_part_svc ( qsearch('part_svc',{'svcdb'=>'svc_acct'}) ) {
+    push @u_acct_svcparts,$u_part_svc->getfield('svcpart');
+  }
+
+  my($cust_pkg)=qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
+  my($custnum)=$cust_pkg->getfield('custnum');
+  my($i_cust_pkg);
+  foreach $i_cust_pkg ( qsearch('cust_pkg',{'custnum'=>$custnum}) ) {
+    my($cust_pkgnum)=$i_cust_pkg->getfield('pkgnum');
+    my($acct_svcpart);
+    foreach $acct_svcpart (@u_acct_svcparts) {   #now find the corresponding 
+                                              #record(s) in cust_svc ( for this
+                                              #pkgnum ! )
+      my($i_cust_svc);
+      foreach $i_cust_svc ( qsearch('cust_svc',{'pkgnum'=>$cust_pkgnum,'svcpart'=>$acct_svcpart}) ) {
+        my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$i_cust_svc->getfield('svcnum')});
+        $email{$svc_acct->getfield('svcnum')}=$svc_acct->email;
+      }  
+    }
+  }
+
+} else {
+
+  my($svc_acct)=qsearchs('svc_acct',{'svcnum'=>$svc_domain->catchall});
+  $email{$svc_domain->catchall} = $svc_acct->email;
+}
+
+# add an absence of a catchall
+$email{''} = "(none)";
+
+my $p1 = popurl(1);
+
+</%init>
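Review bot: The hidden field `<INPUT TYPE="hidden" NAME="svcpart" VALUE="<% $svcpart %>">` is emitted without the `|h` filter that the neighbouring svcnum and pkgnum fields received, and on the error path `$svcpart` comes straight from `$cgi->param('svcpart')`, so it is reflected into the page unescaped; the same gap applies to `VALUE="<% $_ %>"><% $email{$_} %>` in the catchall `<OPTION>` loop. Change them to `VALUE="<% $svcpart |h %>"` and `VALUE="<% $_ |h %>"><% $email{$_} |h %>` so every interpolated value on the page is escaped consistently. Also, `qsearchs('svc_acct', …)` in both branches of the `%email` block is dereferenced without a definedness check, so a dangling catchall svcnum dies with a method-on-undef error rather than a clear message; a `die "Unknown catchall svcnum" unless $svc_acct;` would be clearer. `my($u_part_svc, at u_acct_svcparts)` looks like list-archive mangling of `@u_acct_svcparts` rather than a defect in the file.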

Index: unapply-cust_pay.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/unapply-cust_pay.cgi,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- unapply-cust_pay.cgi	8 Oct 2007 19:14:27 -0000	1.4
+++ unapply-cust_pay.cgi	13 Jan 2008 21:14:19 -0000	1.5
@@ -1,19 +1,20 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } );
-%my $custnum = $cust_pay->custnum;
-%
-%foreach my $cust_bill_pay ( $cust_pay->cust_bill_pay ) {
-%  my $error = $cust_bill_pay->delete;
-%  errorpage($error) if $error;
-%}
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unapply payment');
+
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
 
+my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } );
+my $custnum = $cust_pay->custnum;
+
+foreach my $cust_bill_pay ( $cust_pay->cust_bill_pay ) {
+  my $error = $cust_bill_pay->delete;
+  errorpage($error) if $error;
+}
+
+</%init>
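Review bot: `my $cust_pay = qsearchs('cust_pay', { 'paynum' => $paynum } );` is followed directly by `$cust_pay->custnum`, so an unknown paynum produces a method-call-on-undef error instead of a meaningful message; add `die "Unknown paynum $paynum" unless $cust_pay;` between the two lines. The same missing check follows the `qsearchs` call in unapply-cust_credit.cgi, delete-cust_credit.cgi and delete-cust_refund.cgi in this commit. The `errorpage($error) if $error;` inside the loop aborts after some `cust_bill_pay` rows may already have been deleted; whether this component runs inside a transaction is not visible here, so it is worth confirming that a failed delete cannot leave a partially unapplied payment behind.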

Index: link.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/link.cgi,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -d -r1.12 -r1.13
--- link.cgi	29 Dec 2006 08:51:33 -0000	1.12
+++ link.cgi	13 Jan 2008 21:14:19 -0000	1.13
@@ -1,31 +1,5 @@
-%my %link_field = (
-%  'svc_acct'    => 'username',
-%  'svc_domain'  => 'domain',
-%);
-%
-%my %link_field2 = (
-%  'svc_acct'    => { label => 'Domain',
-%                     field => 'domsvc',
-%                     type  => 'select',
-%                     select_table => 'svc_domain',
-%                     select_key   => 'svcnum',
-%                     select_label => 'domain'
-%                   },
-%);
-%
-%$cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
-%my $pkgnum = $1;
-%$cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
-%my $svcpart = $1;
-%
-%my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart});
-%my $svc = $part_svc->getfield('svc');
-%my $svcdb = $part_svc->getfield('svcdb');
-%my $link_field = $link_field{$svcdb};
-%my $link_field2 = $link_field2{$svcdb};
-%
-
 <% include("/elements/header.html","Link to existing $svc") %>
+
 <FORM ACTION="<% popurl(1) %>process/link.cgi" METHOD=POST>
 % if ( $link_field ) { 
 
@@ -72,6 +46,39 @@
 <INPUT TYPE="hidden" NAME="pkgnum" VALUE="<% $pkgnum %>">
 <INPUT TYPE="hidden" NAME="svcpart" VALUE="<% $svcpart %>">
 <BR><INPUT TYPE="submit" VALUE="Link">
-    </FORM>
-  </BODY>
-</HTML>
+</FORM>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('View/link unlinked services');
+
+my %link_field = (
+  'svc_acct'    => 'username',
+  'svc_domain'  => 'domain',
+);
+
+my %link_field2 = (
+  'svc_acct'    => { label => 'Domain',
+                     field => 'domsvc',
+                     type  => 'select',
+                     select_table => 'svc_domain',
+                     select_key   => 'svcnum',
+                     select_label => 'domain'
+                   },
+);
+
+$cgi->param('pkgnum') =~ /^(\d+)$/ or die 'unparsable pkgnum';
+my $pkgnum = $1;
+$cgi->param('svcpart') =~ /^(\d+)$/ or die 'unparsable svcpart';
+my $svcpart = $1;
+
+my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart});
+my $svc = $part_svc->getfield('svc');
+my $svcdb = $part_svc->getfield('svcdb');
+my $link_field = $link_field{$svcdb};
+my $link_field2 = $link_field2{$svcdb};
+
+</%init>
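Review bot: `my $part_svc = qsearchs('part_svc',{'svcpart'=>$svcpart});` is immediately dereferenced by `my $svc = $part_svc->getfield('svc');`, so a svcpart that does not exist in part_svc dies with an uninformative method-on-undef error; add `die "unknown svcpart $svcpart" unless $part_svc;` right after the lookup. The page body in the earlier hunk of this file relies on `$svc`, `$link_field` and `$link_field2` being set from this record, so the check also documents that dependency.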

Index: email_invoice_events.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/email_invoice_events.cgi,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- email_invoice_events.cgi	23 Aug 2006 22:25:38 -0000	1.4
+++ email_invoice_events.cgi	13 Jan 2008 21:14:19 -0000	1.5
@@ -1,4 +1,9 @@
-%
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reemail', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reemail', $cgi;
+
+</%init>
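Review bot: `my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reemail', $cgi;` uses indirect object syntax, which Perl resolves at parse time by guessing whether `new` is a sub or a method; the unambiguous form is `my $server = FS::UI::Web::JSRPC->new('FS::cust_bill_event::process_reemail', $cgi);`. The same construct appears in the moved lines of print_invoice_events.cgi, email_invoices.cgi, print_invoices.cgi, fax_invoice_events.cgi and fax_invoices.cgi, and as `new FS::Conf` in catchall.cgi, bill.cgi and svc_acct-domains.cgi. Since these lines are only being relocated into `<%init>`, this is a follow-up cleanup rather than a blocker for the ACL change.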

Index: bill.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/bill.cgi,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- bill.cgi	8 Oct 2007 19:14:26 -0000	1.14
+++ bill.cgi	13 Jan 2008 21:14:18 -0000	1.15
@@ -1,45 +1,45 @@
-%
-%#untaint custnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d*)$/;
-%my $custnum = $1;
-%my $cust_main = qsearchs('cust_main',{'custnum'=>$custnum});
-%die "Can't find customer!\n" unless $cust_main;
-%
-%my $conf = new FS::Conf;
-%
-%my $error = $cust_main->bill(
-%#                          'time'=>$time
-%                         );
-%
-%unless ( $error ) {
-%  $error = $cust_main->apply_payments_and_credits
-%           || $cust_main->collect(
-%                                  #'invoice-time'=>$time,
-%                                  #'batch_card'=> 'yes',
-%                                  #'batch_card'=> 'no',
-%                                  #'report_badcard'=> 'yes',
-%                                  #'retry_card' => 'yes',
-%
-%                                  'retry' => 'yes',
-%                                   
-%                                  #this is used only by cust_main::batch_card
-%                                  #need to pick & create an actual config
-%                                  #value if we're going to turn this on
-%                                  #("realtime-backend" doesn't exist,
-%                                  # "backend-realtime" is for something
-%                                  #  entirely different)
-%                                  #'realtime' => $conf->exists('realtime-backend'),
-%                                 );
-%}
-%
 %if ( $error ) {
-%
-
-<!-- mason kludge -->
-%
 %  errorpage($error);
 %} else {
-%  print $cgi->redirect(popurl(2). "view/cust_main.cgi?$custnum");
+<% $cgi->redirect(popurl(2). "view/cust_main.cgi?$custnum") %>
 %}
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Bill customer now');
+
+#untaint custnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d*)$/;
+my $custnum = $1;
+my $cust_main = qsearchs('cust_main',{'custnum'=>$custnum});
+die "Can't find customer!\n" unless $cust_main;
+
+my $conf = new FS::Conf;
+
+my $error = $cust_main->bill(
+#                          'time'=>$time
+                         );
+
+unless ( $error ) {
+  $error = $cust_main->apply_payments_and_credits
+           || $cust_main->collect(
+                                  #'invoice-time'=>$time,
+                                  #'batch_card'=> 'yes',
+                                  #'batch_card'=> 'no',
+                                  #'report_badcard'=> 'yes',
+                                  #'retry_card' => 'yes',
+
+                                  'retry' => 'yes',
+                                   
+                                  #this is used only by cust_main::batch_card
+                                  #need to pick & create an actual config
+                                  #value if we're going to turn this on
+                                  #("realtime-backend" doesn't exist,
+                                  # "backend-realtime" is for something
+                                  #  entirely different)
+                                  #'realtime' => $conf->exists('realtime-backend'),
+                                 );
+}
+
+</%init>
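Review bot: `$query =~ /^(\d*)$/;` has no failure branch, so when the keyword is not purely numeric `my $custnum = $1;` may pick up whatever `$1` held from an earlier successful match in scope, or undef, and the request only fails later at `die "Can't find customer!\n"`; `\d*` also accepts an empty custnum. Tighten it to `$query =~ /^(\d+)$/ or die "Illegal custnum";` as unapply-cust_pay.cgi in this commit already does for paynum. cancel-unaudited.cgi has the same unchecked `$query =~ /^(\d+)$/;` before `my $svcnum = $1;`.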

Index: unapply-cust_credit.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/unapply-cust_credit.cgi,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- unapply-cust_credit.cgi	8 Oct 2007 19:14:27 -0000	1.3
+++ unapply-cust_credit.cgi	13 Jan 2008 21:14:19 -0000	1.4
@@ -1,19 +1,20 @@
-%
-%
-%#untaint crednum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal crednum";
-%my $crednum = $1;
-%
-%my $cust_credit = qsearchs('cust_credit', { 'crednum' => $crednum } );
-%my $custnum = $cust_credit->custnum;
-%
-%foreach my $cust_credit_bill ( $cust_credit->cust_credit_bill ) {
-%  my $error = $cust_credit_bill->delete;
-%  errorpage($error) if $error;
-%}
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unapply credit');
+
+#untaint crednum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal crednum";
+my $crednum = $1;
 
+my $cust_credit = qsearchs('cust_credit', { 'crednum' => $crednum } );
+my $custnum = $cust_credit->custnum;
+
+foreach my $cust_credit_bill ( $cust_credit->cust_credit_bill ) {
+  my $error = $cust_credit_bill->delete;
+  errorpage($error) if $error;
+}
+
+</%init>

Index: print_invoice_events.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/print_invoice_events.cgi,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- print_invoice_events.cgi	23 Aug 2006 22:25:38 -0000	1.4
+++ print_invoice_events.cgi	13 Jan 2008 21:14:19 -0000	1.5
@@ -1,4 +1,9 @@
-%
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reprint', $cgi; 
-
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_reprint', $cgi; 
+
+</%init>

Index: dump.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/dump.cgi,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- dump.cgi	8 Oct 2007 19:14:27 -0000	1.4
+++ dump.cgi	13 Jan 2008 21:14:19 -0000	1.5
@@ -1,3 +1,5 @@
+%  die "access denied"
+%    unless $FS::CurrentUser::CurrentUser->access_right('Export');
 %
 %  if ( driver_name =~ /^Pg$/ ) {
 %    my $dbname = (split(':', datasrc))[2];
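Review bot: The access check is added as `%` body lines rather than inside an `<%init>` block as in every other file in this commit; it appears to run before any output since these are the first lines of the component, but moving it into `<%init>` would keep the ACL pattern uniform and easier to audit across httemplate/misc. The `if ( driver_name =~ /^Pg$/ )` block that follows starts here and continues outside the hunk.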
@@ -16,5 +18,3 @@
 %    print $_;
 %  }
 %  close DUMP;
-%
-

Index: email_invoices.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/email_invoices.cgi,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- email_invoices.cgi	23 Aug 2006 22:25:38 -0000	1.5
+++ email_invoices.cgi	13 Jan 2008 21:14:19 -0000	1.6
@@ -1,4 +1,9 @@
-%
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reemail', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reemail', $cgi;
+
+</%init>

Index: cancel-unaudited.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/cancel-unaudited.cgi,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -d -r1.12 -r1.13
--- cancel-unaudited.cgi	8 Oct 2007 19:14:26 -0000	1.12
+++ cancel-unaudited.cgi	13 Jan 2008 21:14:18 -0000	1.13
@@ -1,36 +1,33 @@
-%
-%
-%my $dbh = dbh;
-% 
-%#untaint svcnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/;
-%my $svcnum = $1;
-%
-%#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum});
-%#die "Unknown svcnum!" unless $svc_acct;
-%
-%my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum});
-%die "Unknown svcnum!" unless $cust_svc;
-%my $cust_pkg = $cust_svc->cust_pkg;
-%if ( $cust_pkg ) {
-%  errorpage( 'This account has already been audited.  Cancel the '.
-%           qq!<A HREF="${p}view/cust_main.cgi?!. $cust_pkg->custnum.
-%           '#cust_pkg'. $cust_pkg->pkgnum. '">'.
-%           'package</A> instead.');
-%}
-%
-%my $error = $cust_svc->cancel;
-%
 %if ( $error ) {
-%  
-
-<!-- mason kludge -->
-%
 %  errorpage($error);
 %} else {
-%  print $cgi->redirect(popurl(2));
+<% $cgi->redirect(popurl(2)) %>
 %}
-%
-%
 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unprovision customer service')
+      && $FS::CurrentUser::CurrentUser->access_right('View/link unlinked services');
+
+#untaint svcnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/;
+my $svcnum = $1;
+
+#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum});
+#die "Unknown svcnum!" unless $svc_acct;
+
+my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum});
+die "Unknown svcnum!" unless $cust_svc;
+my $cust_pkg = $cust_svc->cust_pkg;
+if ( $cust_pkg ) {
+  errorpage( 'This account has already been audited.  Cancel the '.
+           qq!<A HREF="${p}view/cust_main.cgi?!. $cust_pkg->custnum.
+           '#cust_pkg'. $cust_pkg->pkgnum. '">'.
+           'package</A> instead.');
+}
+
+my $error = $cust_svc->cancel;
+
+</%init>

Index: print_invoices.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/print_invoices.cgi,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- print_invoices.cgi	23 Aug 2006 22:25:38 -0000	1.5
+++ print_invoices.cgi	13 Jan 2008 21:14:19 -0000	1.6
@@ -1,4 +1,9 @@
-% 
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reprint', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_reprint', $cgi;
+
+</%init>

Index: fax_invoice_events.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/fax_invoice_events.cgi,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- fax_invoice_events.cgi	23 Aug 2006 22:25:38 -0000	1.4
+++ fax_invoice_events.cgi	13 Jan 2008 21:14:19 -0000	1.5
@@ -1,4 +1,9 @@
-% 
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_refax', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill_event::process_refax', $cgi;
+
+</%init>

Index: meta-import.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/meta-import.cgi,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- meta-import.cgi	23 Aug 2006 22:25:38 -0000	1.4
+++ meta-import.cgi	13 Jan 2008 21:14:19 -0000	1.5
@@ -1,5 +1,5 @@
-<!-- mason kludge -->
-<% include("/elements/header.html",'Import') %>
+<% include('/elements/header.html', 'Import') %>
+
 <FORM ACTION="process/meta-import.cgi" METHOD="post" ENCTYPE="multipart/form-data">
 Import data from a DBI data source<BR><BR>
 %
@@ -68,6 +68,12 @@
   <INPUT TYPE="submit" VALUE="Import">
 
   </FORM>
-  </BODY>
-<HTML>
 
+<% include('/elements/footer.html') %>
+
+<%init>
+
+#there's no ACL for this...  haven't used in ages
+die 'meta-import not enabled; remove this if you want to use it';
+
+</%init>
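Review bot: The `die 'meta-import not enabled; remove this if you want to use it';` in `<%init>` disables only this form page; the form's `ACTION="process/meta-import.cgi"` target is a separate component that is not in this commit's Modified Files list, so the import itself is only disabled if that component is gated the same way. Worth confirming that process/meta-import.cgi carries an equivalent `die` or an access_right check, and recording the pairing in the comment, e.g. `#there's no ACL for this... disabled here and in process/meta-import.cgi`.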

Index: upload-batch.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/upload-batch.cgi,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -d -r1.12 -r1.13
--- upload-batch.cgi	8 Oct 2007 19:14:27 -0000	1.12
+++ upload-batch.cgi	13 Jan 2008 21:14:19 -0000	1.13
@@ -1,17 +1,14 @@
-%  if ( $error ) {
-
-    <!-- mason kludge -->
-
-%    errorpage($error);
-%#    $cgi->param('error', $error);
-%#    print $cgi->redirect( "${p}cust_main-import.cgi
-%  } else {
-
-    <% include("/elements/header.html",'Batch results upload successful') %> 
-
-%  }
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+    <% include('/elements/header.html','Batch results upload successful') %> 
+    <% include('/elements/footer.html') %> 
+% }
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Process batches');
+
 my $error;
 
 my $fh = $cgi->upload('batch_results');

Index: cdr-import.html
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/cdr-import.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- cdr-import.html	23 Aug 2006 22:25:38 -0000	1.3
+++ cdr-import.html	13 Jan 2008 21:14:18 -0000	1.4
@@ -14,3 +14,9 @@
 
 <% include('/elements/footer.html') %>
 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+</%init>

Index: cust_main-import_charges.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/cust_main-import_charges.cgi,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- cust_main-import_charges.cgi	23 Aug 2006 22:25:38 -0000	1.3
+++ cust_main-import_charges.cgi	13 Jan 2008 21:14:18 -0000	1.4
@@ -1,14 +1,22 @@
-<!-- mason kludge -->
-<% include("/elements/header.html",'Batch Customer Charge') %>
+<% include('/elements/header.html', 'Batch Customer Charge') %>
+
 <FORM ACTION="process/cust_main-import_charges.cgi" METHOD="post" ENCTYPE="multipart/form-data">
+
 Import a CSV file containing customer charges.<BR><BR>
 Default file format is CSV, with the following field order: <i>custnum, amount, description</i><BR><BR>
 If <i>amount</i> is negative, a credit will be applied instead.<BR><BR>
 <BR><BR>
 
-    CSV Filename: <INPUT TYPE="file" NAME="csvfile"><BR><BR>
-    <INPUT TYPE="submit" VALUE="Import">
-    </FORM>
-  </BODY>
-<HTML>
+CSV Filename: <INPUT TYPE="file" NAME="csvfile"><BR><BR>
+<INPUT TYPE="submit" VALUE="Import">
+
+</FORM>
 
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+</%init>

Index: delete-cust_credit.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/delete-cust_credit.cgi,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- delete-cust_credit.cgi	8 Oct 2007 19:14:27 -0000	1.3
+++ delete-cust_credit.cgi	13 Jan 2008 21:14:18 -0000	1.4
@@ -1,17 +1,21 @@
-%
-%
-%#untaint crednum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal crednum";
-%my $crednum = $1;
-%
-%my $cust_credit = qsearchs('cust_credit',{'crednum'=>$crednum});
-%my $custnum = $cust_credit->custnum;
-%
-%my $error = $cust_credit->delete;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+% }
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Delete credit');
+
+#untaint crednum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal crednum";
+my $crednum = $1;
 
+my $cust_credit = qsearchs('cust_credit',{'crednum'=>$crednum});
+my $custnum = $cust_credit->custnum;
+
+my $error = $cust_credit->delete;
+
+</%init>

Index: delete-cust_refund.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/delete-cust_refund.cgi,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- delete-cust_refund.cgi	8 Oct 2007 19:14:27 -0000	1.2
+++ delete-cust_refund.cgi	13 Jan 2008 21:14:18 -0000	1.3
@@ -1,17 +1,21 @@
-%
-%
-%#untaint refundnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal refundnum";
-%my $refundnum = $1;
-%
-%my $cust_refund = qsearchs('cust_refund',{'refundnum'=>$refundnum});
-%my $custnum = $cust_refund->custnum;
-%
-%my $error = $cust_refund->delete;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+% }
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Delete refund');
+
+#untaint refundnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal refundnum";
+my $refundnum = $1;
 
+my $cust_refund = qsearchs('cust_refund',{'refundnum'=>$refundnum});
+my $custnum = $cust_refund->custnum;
+
+my $error = $cust_refund->delete;
+
+</%init>

Index: fax_invoices.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/fax_invoices.cgi,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- fax_invoices.cgi	23 Aug 2006 22:25:38 -0000	1.5
+++ fax_invoices.cgi	13 Jan 2008 21:14:19 -0000	1.6
@@ -1,4 +1,9 @@
-% 
-%my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_refax', $cgi;
-%
 <% $server->process %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+my $server = new FS::UI::Web::JSRPC 'FS::cust_bill::process_refax', $cgi;
+
+</%init>

Index: cust_main-cancel.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/cust_main-cancel.cgi,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- cust_main-cancel.cgi	19 Dec 2007 22:25:56 -0000	1.6
+++ cust_main-cancel.cgi	13 Jan 2008 21:14:18 -0000	1.7
@@ -6,6 +6,9 @@
 </HTML>
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Cancel customer');
+
 my $custnum;
 my $ban = '';
 if ( $cgi->param('custnum') =~ /^(\d+)$/ ) {

Index: svc_acct-domains.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/svc_acct-domains.cgi,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- svc_acct-domains.cgi	28 Feb 2007 19:14:42 -0000	1.3
+++ svc_acct-domains.cgi	13 Jan 2008 21:14:19 -0000	1.4
@@ -1,31 +1,31 @@
-%
-%
-%  my $pkgpart_svcpart = $cgi->param('arg');
-%  $pkgpart_svcpart =~ /^\d+_(\d+)$/;
-%  my $part_svc = qsearchs('part_svc', { 'svcpart' => $1 }) if $1;
-%  my $part_svc_column = $part_svc->part_svc_column('domsvc') if $part_svc;
-%
-%  my @output = split /,/, $part_svc_column->columnvalue if $part_svc_column;
-%  my $columnflag = $part_svc_column->columnflag if $part_svc_column;
-%  my @svc_domain = ();
-%  my %seen = ();
-%  
-%  foreach (@output) {
-%    my $svc_domain = qsearchs('svc_domain', { 'svcnum' => $_ })
-%      or warn "unknown svc_domain.svcnum $_ for part_svc_column domsvc; ".
-%         "svcpart = " . $part_svc->svcpart;
-%    push @svc_domain, [ $_ => $svc_domain->domain ];
-%    $seen{$_}++;
-%  }
-%  if ($conf->exists('svc_acct-alldomains')
-%       && ( $columnflag eq 'D' || $columnflag eq '' )
-%     ) {
-%    foreach (grep { $_->svcnum ne $output[0] } qsearch('svc_domain', {}) ){
-%      push @svc_domain, [ $_->svcnum => $_->domain ];
-%    }
-%  }
-%
 [ <% join(', ', map { qq("$_->[0]", "$_->[1]") } @svc_domain) %> ]
 <%init>
+
 my $conf = new FS::Conf;
+
+my $pkgpart_svcpart = $cgi->param('arg');
+$pkgpart_svcpart =~ /^\d+_(\d+)$/;
+my $part_svc = qsearchs('part_svc', { 'svcpart' => $1 }) if $1;
+my $part_svc_column = $part_svc->part_svc_column('domsvc') if $part_svc;
+
+my @output = split /,/, $part_svc_column->columnvalue if $part_svc_column;
+my $columnflag = $part_svc_column->columnflag if $part_svc_column;
+my @svc_domain = ();
+my %seen = ();
+
+foreach (@output) {
+  my $svc_domain = qsearchs('svc_domain', { 'svcnum' => $_ })
+    or warn "unknown svc_domain.svcnum $_ for part_svc_column domsvc; ".
+       "svcpart = " . $part_svc->svcpart;
+  push @svc_domain, [ $_ => $svc_domain->domain ];
+  $seen{$_}++;
+}
+if ($conf->exists('svc_acct-alldomains')
+     && ( $columnflag eq 'D' || $columnflag eq '' )
+   ) {
+  foreach (grep { $_->svcnum ne $output[0] } qsearch('svc_domain', {}) ){
+    push @svc_domain, [ $_->svcnum => $_->domain ];
+  }
+}
+
 </%init>
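Review bot: `my $part_svc = qsearchs(...) if $1;` and the two `my ... if $part_svc_column;` lines declare a lexical under a statement modifier, which perlsyn documents as undefined behaviour, and `$1` is read without checking that the preceding match succeeded, so a malformed `arg` leaves `$1` holding whatever an earlier regex captured. Check the match and name the capture first: `$pkgpart_svcpart =~ /^\d+_(\d+)$/ or die "illegal arg";` then `my $svcpart = $1;`, and declare the dependent variables unconditionally. Further down, `or warn ...` does not stop the loop, so `$svc_domain->domain` is still called on undef for an unknown svcnum, and `%seen` is populated but never read. Unlike the other files in this commit no access_right check is added here; whether this AJAX helper needs one cannot be judged from the hunk.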

Index: batch-cust_pay.html
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/batch-cust_pay.html,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -d -r1.9 -r1.10
--- batch-cust_pay.html	25 Dec 2007 23:49:22 -0000	1.9
+++ batch-cust_pay.html	13 Jan 2008 21:14:18 -0000	1.10
@@ -1,7 +1,4 @@
-<% include("/elements/header.html", 'Quick payment entry',
-            menubar( 'Main Menu' => $p ),
-          )
-%>
+<% include('/elements/header.html', 'Quick payment entry') %>
 
 <% include('/elements/error.html') %>
 
@@ -24,5 +21,12 @@
 <INPUT TYPE="submit" NAME="submit" VALUE="Post payment batch">
 
 </FORM>
-</BODY>
-</HTML>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Post payment batch');
+
+</%init>

Index: queue.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/queue.cgi,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- queue.cgi	23 Aug 2006 22:25:38 -0000	1.5
+++ queue.cgi	13 Jan 2008 21:14:19 -0000	1.6
@@ -1,48 +1,49 @@
-%
-%
-%$cgi->param('action') =~ /^(new|del|(retry|remove) selected)$/
-%  or die "Illegal action";
-%my $action = $1;
-%
-%my $job;
-%if ( $action eq 'new' || $action eq 'del' ) {
-%  $cgi->param('jobnum') =~ /^(\d+)$/ or die "Illegal jobnum";
-%  my $jobnum = $1;
-%  $job = qsearchs('queue', { 'jobnum' => $1 })
-%    or die "unknown jobnum $jobnum - ".
-%           "it probably completed normally or was removed by another user";
-%}
-%
-%if ( $action eq 'new' ) {
-%  my %hash = $job->hash;
-%  $hash{'status'} = 'new';
-%  $hash{'statustext'} = '';
-%  my $new = new FS::queue \%hash;
-%  my $error = $new->replace($job);
-%  die $error if $error;
-%} elsif ( $action eq 'del' ) {
-%  my $error = $job->delete;
-%  die $error if $error;
-%} elsif ( $action =~ /^(retry|remove) selected$/ ) {
-%  foreach my $jobnum (
-%    map { /^jobnum(\d+)$/; $1; } grep /^jobnum\d+$/, $cgi->param
-%  ) {
-%    my $job = qsearchs('queue', { 'jobnum' => $jobnum });
-%    if ( $action eq 'retry selected' && $job ) { #new
-%      my %hash = $job->hash;
-%      $hash{'status'} = 'new';
-%      $hash{'statustext'} = '';
-%      my $new = new FS::queue \%hash;
-%      my $error = $new->replace($job);
-%      die $error if $error;
-%    } elsif ( $action eq 'remove selected' && $job ) { #del
-%      my $error = $job->delete;
-%      die $error if $error;
-%    }
-%  }
-%}
-%
-%print $cgi->redirect(popurl(2). "search/queue.html");
-%
-%
+<% $cgi->redirect(popurl(2). "search/queue.html") %>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Job queue');
+
+$cgi->param('action') =~ /^(new|del|(retry|remove) selected)$/
+  or die "Illegal action";
+my $action = $1;
+
+my $job;
+if ( $action eq 'new' || $action eq 'del' ) {
+  $cgi->param('jobnum') =~ /^(\d+)$/ or die "Illegal jobnum";
+  my $jobnum = $1;
+  $job = qsearchs('queue', { 'jobnum' => $1 })
+    or die "unknown jobnum $jobnum - ".
+           "it probably completed normally or was removed by another user";
+}
 
+if ( $action eq 'new' ) {
+  my %hash = $job->hash;
+  $hash{'status'} = 'new';
+  $hash{'statustext'} = '';
+  my $new = new FS::queue \%hash;
+  my $error = $new->replace($job);
+  die $error if $error;
+} elsif ( $action eq 'del' ) {
+  my $error = $job->delete;
+  die $error if $error;
+} elsif ( $action =~ /^(retry|remove) selected$/ ) {
+  foreach my $jobnum (
+    map { /^jobnum(\d+)$/; $1; } grep /^jobnum\d+$/, $cgi->param
+  ) {
+    my $job = qsearchs('queue', { 'jobnum' => $jobnum });
+    if ( $action eq 'retry selected' && $job ) { #new
+      my %hash = $job->hash;
+      $hash{'status'} = 'new';
+      $hash{'statustext'} = '';
+      my $new = new FS::queue \%hash;
+      my $error = $new->replace($job);
+      die $error if $error;
+    } elsif ( $action eq 'remove selected' && $job ) { #del
+      my $error = $job->delete;
+      die $error if $error;
+    }
+  }
+}
+
+</%init>
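Review bot: `$job = qsearchs('queue', { 'jobnum' => $1 })` reads `$1` although `$jobnum` was just assigned from the same capture; use `$jobnum` there so a later regex edit cannot silently change which value is looked up. The retry logic (copy `->hash`, set `status`/`statustext`, `->replace`) is written out twice, once for `new` and once inside the `retry selected` loop, and would be safer as a small `_retry_job($job)` helper. The `new FS::queue \%hash` call would read better as `FS::queue->new(\%hash)`.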

Index: unvoid-cust_pay_void.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/unvoid-cust_pay_void.cgi,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- unvoid-cust_pay_void.cgi	8 Oct 2007 19:14:27 -0000	1.3
+++ unvoid-cust_pay_void.cgi	13 Jan 2008 21:14:19 -0000	1.4
@@ -1,17 +1,21 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay_void = qsearchs('cust_pay_void', { 'paynum' => $paynum } );
-%my $custnum = $cust_pay_void->custnum;
-%
-%my $error = $cust_pay_void->unvoid;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+%if ( $error ) {
+%  errorpage($error);
+%} else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+%}
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unvoid');
+
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
 
+my $cust_pay_void = qsearchs('cust_pay_void', { 'paynum' => $paynum } );
+my $custnum = $cust_pay_void->custnum;
+
+my $error = $cust_pay_void->unvoid;
+
+</%init>

Index: recharge_svc.html
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/recharge_svc.html,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- recharge_svc.html	25 Dec 2007 23:49:22 -0000	1.4
+++ recharge_svc.html	13 Jan 2008 21:14:19 -0000	1.5
@@ -28,7 +28,7 @@
 </TR>
 <TR>
   <TD>Enter prepaid card: </TD>
-  <TD><INPUT TYPE="text" NAME="prepaid" VALUE="<% $prepaid %>" <% $payby eq "PREP" ? '' : 'disabled' %>></TD>
+  <TD><INPUT TYPE="text" NAME="prepaid" VALUE="<% $prepaid |h %>" <% $payby eq "PREP" ? '' : 'disabled' %>></TD>
 </TR>
 
 </TABLE>
@@ -37,35 +37,42 @@
 <INPUT TYPE="submit" NAME="submit" VALUE="Recharge">
 
 </FORM>
-</BODY>
-</HTML>
+
+<% include('/elements/footer.html');
 
 <%once>
+
 my $conf = new FS::Conf;
 my $money_char = $conf->config('money_char') || '$';
+
 </%once>
 <%init>
-my($svcnum, $cust_svc, $part_pkg, $label, $value, $prepaid, $amount, $payby); 
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Recharge customer service');
+
+my($svcnum, $prepaid, $payby); 
 if ( $cgi->param('error') ) {
   $svcnum        = $cgi->param('svcnum');
   $prepaid       = $cgi->param('prepaid');
   $payby         = $cgi->param('payby');
 } elsif ( $cgi->param('svcnum') =~ /^(\d+)$/ ) {
   $svcnum  = $1;
+  $prepaid = '';
 } else {
   die "illegal query ". $cgi->keywords;
 }
 
 my $title = 'Recharge Service';
 
-$cust_svc = qsearchs('cust_svc', {'svcnum' => $svcnum});
+my $cust_svc = qsearchs('cust_svc', {'svcnum' => $svcnum});
 die "No such service: $svcnum" unless $cust_svc;
 
-($label, $value) = $cust_svc->label;
+my($label, $value) = $cust_svc->label;
 
 $payby = $cust_svc->cust_pkg->cust_main->payby unless $payby;
-$part_pkg = $cust_svc->cust_pkg->part_pkg;
-$amount = $part_pkg->option('recharge_amount', 1) || 0;
+my $part_pkg = $cust_svc->cust_pkg->part_pkg;
+my $amount = $part_pkg->option('recharge_amount', 1) || 0;
 
 my $recharge_label = "Charge $money_char$amount for ";
 
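Review bot: The added `<% include('/elements/footer.html');` line has no closing `%>`, so the substitution tag is never terminated and Mason will either fail to compile the component or swallow the following `<%once>` block into the expression; it should read `<% include('/elements/footer.html') %>`. In the error branch `$svcnum` is taken straight from `$cgi->param('svcnum')` without the `/^(\d+)$/` check the other branch applies, and is then interpolated into the `"No such service: $svcnum"` message. The `<%init>` block continues past the end of this hunk.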

Index: void-cust_pay.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/void-cust_pay.cgi,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- void-cust_pay.cgi	8 Oct 2007 19:14:27 -0000	1.3
+++ void-cust_pay.cgi	13 Jan 2008 21:14:19 -0000	1.4
@@ -1,17 +1,26 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum});
-%my $custnum = $cust_pay->custnum;
-%
-%my $error = $cust_pay->void;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+%if ( $error ) {
+%  errorpage($error);
+%} else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+%}
+<%init>
+
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
+
+my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum});
+
+my $right = 'Regular void';
+$right = 'Credit card void' if $cust_pay->payby eq 'CARD';
+$right = 'Echeck void'      if $cust_pay->payby eq 'CHEK';
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right($right);
 
+my $custnum = $cust_pay->custnum;
+
+my $error = $cust_pay->void;
+
+</%init>

Index: unsusp_pkg.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/unsusp_pkg.cgi,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- unsusp_pkg.cgi	8 Oct 2007 19:14:27 -0000	1.6
+++ unsusp_pkg.cgi	13 Jan 2008 21:14:19 -0000	1.7
@@ -1,16 +1,20 @@
-%
-%
-%#untaint pkgnum
-%my ($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal pkgnum";
-%my $pkgnum = $1;
-%
-%my $cust_pkg = qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
-%
-%my $error = $cust_pkg->unsuspend;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect(popurl(2). "view/cust_main.cgi?".$cust_pkg->getfield('custnum'));
-%
-%
+%if ( $error ) {
+%  errorpage($error);
+%} else {
+<% $cgi->redirect(popurl(2). "view/cust_main.cgi?".$cust_pkg->getfield('custnum')) %>
+%}
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unsuspend customer package');
+
+#untaint pkgnum
+my ($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal pkgnum";
+my $pkgnum = $1;
+
+my $cust_pkg = qsearchs('cust_pkg',{'pkgnum'=>$pkgnum});
+
+my $error = $cust_pkg->unsuspend;
+
+</%init>

Index: delete-cust_pay.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/delete-cust_pay.cgi,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- delete-cust_pay.cgi	8 Oct 2007 19:14:27 -0000	1.4
+++ delete-cust_pay.cgi	13 Jan 2008 21:14:18 -0000	1.5
@@ -1,17 +1,21 @@
-%
-%
-%#untaint paynum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal paynum";
-%my $paynum = $1;
-%
-%my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum});
-%my $custnum = $cust_pay->custnum;
-%
-%my $error = $cust_pay->delete;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/cust_main.cgi?". $custnum);
-%
-%
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+<% $cgi->redirect($p. "view/cust_main.cgi?". $custnum) %>
+% }
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Delete payment');
+
+#untaint paynum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal paynum";
+my $paynum = $1;
 
+my $cust_pay = qsearchs('cust_pay',{'paynum'=>$paynum});
+my $custnum = $cust_pay->custnum;
+
+my $error = $cust_pay->delete;
+
+</%init>

Index: delete-part_export.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/delete-part_export.cgi,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- delete-part_export.cgi	8 Oct 2007 19:14:27 -0000	1.5
+++ delete-part_export.cgi	13 Jan 2008 21:14:18 -0000	1.6
@@ -1,16 +1,20 @@
-%
-%
-%#untaint exportnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal exportnum";
-%my $exportnum = $1;
-%
-%my $part_export = qsearchs('part_export',{'exportnum'=>$exportnum});
-%
-%my $error = $part_export->delete;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "browse/part_export.cgi");
-%
-%
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+<% $cgi->redirect($p. "browse/part_export.cgi") %>
+% }
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Configuration');
+
+#untaint exportnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal exportnum";
+my $exportnum = $1;
+
+my $part_export = qsearchs('part_export',{'exportnum'=>$exportnum});
+
+my $error = $part_export->delete;
+
+</%init>

Index: fax-invoice.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/fax-invoice.cgi,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- fax-invoice.cgi	23 Aug 2006 22:25:38 -0000	1.4
+++ fax-invoice.cgi	13 Jan 2008 21:14:19 -0000	1.5
@@ -1,18 +1,19 @@
-%
-%
-%#untaint invnum
-%my($query) = $cgi->keywords;
-%$query =~ /^((.+)-)?(\d+)$/;
-%my $template = $2;
-%my $invnum = $3;
-%my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
-%die "Can't find invoice!\n" unless $cust_bill;
-%
-%$cust_bill->fax($template);
-%
-%my $custnum = $cust_bill->getfield('custnum');
-%
-%print $cgi->redirect("${p}view/cust_main.cgi?$custnum");
-%
-%
+<% $cgi->redirect("${p}view/cust_main.cgi?$custnum") %>
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+#untaint invnum
+my($query) = $cgi->keywords;
+$query =~ /^((.+)-)?(\d+)$/;
+my $template = $2;
+my $invnum = $3;
+my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
+die "Can't find invoice!\n" unless $cust_bill;
+
+$cust_bill->fax($template);
+
+my $custnum = $cust_bill->getfield('custnum');
+
+</%init>
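Review bot: `$query =~ /^((.+)-)?(\d+)$/;` is not checked for success, so when the keyword does not match, `$2` and `$3` keep stale captures from an earlier regex and an unrelated invoice may be looked up; write `$query =~ /^((.+)-)?(\d+)$/ or die "Illegal invnum";`. The `$template` value is an arbitrary `.+` string passed to `$cust_bill->fax($template)`; if template names are restricted to word characters, tightening the capture to `(\w+)` would document that. The same unchecked match appears in print-invoice.cgi and email-invoice.cgi. The return value of `fax()` is ignored; whether it reports errors cannot be told from this hunk.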

Index: inventory_item-import.html
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/inventory_item-import.html,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- inventory_item-import.html	8 Oct 2007 19:14:27 -0000	1.3
+++ inventory_item-import.html	13 Jan 2008 21:14:19 -0000	1.4
@@ -1,11 +1,3 @@
-%
-%
-%my $classnum = $cgi->param('classnum');
-%$classnum =~ /^(\d+)$/ or errorpage("illegal classnum $classnum");
-%$classnum = $1;
-%my $inventory_class = qsearchs('inventory_class', { 'classnum' => $classnum } );
-%
-%
 <% include("/elements/header.html", $inventory_class->classname. 's') %>
 
 <FORM ACTION="process/inventory_item-import.html" METHOD="POST" ENCTYPE="multipart/form-data">
@@ -19,3 +11,13 @@
 
 <% include('/elements/footer.html') %>
 
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+$cgi->param =~ /^(\d+)$/ or errorpage("illegal classnum $classnum");
+my $classnum = $1;
+my $inventory_class = qsearchs('inventory_class', { 'classnum' => $classnum } );
+
+</%init>
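Review bot: `$cgi->param =~ /^(\d+)$/` calls `param` with no argument, which returns the list of parameter names (their count in this scalar context), not the classnum, and the `errorpage("illegal classnum $classnum")` message refers to `$classnum` before its `my` declaration on the next line, a compile error under strict. The removed lines had the working form; restore it inside the init block: `my $classnum = $cgi->param('classnum');` `$classnum =~ /^(\d+)$/ or errorpage("illegal classnum $classnum");` `$classnum = $1;`. `qsearchs('inventory_class', ...)` is also unchecked before `$inventory_class->classname` is used in the header.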

Index: delete-customer.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/delete-customer.cgi,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- delete-customer.cgi	23 Aug 2006 22:25:38 -0000	1.11
+++ delete-customer.cgi	13 Jan 2008 21:14:18 -0000	1.12
@@ -1,48 +1,26 @@
-<!-- mason kludge -->
-%
-%
-%my $conf = new FS::Conf;
-%die "Customer deletions not enabled" unless $conf->exists('deletecustomers');
-%
-%my($custnum, $new_custnum);
-%if ( $cgi->param('error') ) {
-%  $custnum = $cgi->param('custnum');
-%  $new_custnum = $cgi->param('new_custnum');
-%} else {
-%  my($query) = $cgi->keywords;
-%  $query =~ /^(\d+)$/ or die "Illegal query: $query";
-%  $custnum = $1;
-%  $new_custnum = '';
-%}
-%my $cust_main = qsearchs( 'cust_main', { 'custnum' => $custnum } )
-%  or die "Customer not found: $custnum";
-%
-%print header('Delete customer');
-%
-%print qq!<FONT SIZE="+1" COLOR="#ff0000">Error: !, $cgi->param('error'),
-%      "</FONT>"
-%  if $cgi->param('error');
-%
-%print 
-%  qq!<form action="!, popurl(1), qq!process/delete-customer.cgi" method=post>!,
-%  qq!<input type="hidden" name="custnum" value="$custnum">!;
-%
+<% include('/elements/header.html', 'Delete customer') %>
+
+<% include('/elements/error.html') %>
+
+<FORM ACTION="<% popurl(1) %>process/delete-customer.cgi" METHOD=POST>
+<INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum |h %>">
+
 %if ( qsearch('cust_pkg', { 'custnum' => $custnum, 'cancel' => '' } ) ) {
-%  print "Move uncancelled packages to customer number ",
-%        qq!<input type="text" name="new_custnum" value="$new_custnum"><br><br>!;
+  Move uncancelled packages to customer number 
+  <INPUT TYPE="text" NAME="new_custnum" VALUE="<% $new_custnum |h %>"><BR><BR>
 %}
-%
-%print <<END;
-%This will <b>completely remove</b> all traces of this customer record.  This
-%is <B>not</B> what you want if this is a real customer who has simply
-%canceled service with you.  For that, cancel all of the customer's packages.
-%(you can optionally hide cancelled customers with the <a href="../config/config-view.cgi#hidecancelledcustomers">hidecancelledcustomers</a> configuration option)
-%<br>
-%<br>Are you <b>absolutely sure</b> you want to delete this customer?
-%<br><input type="submit" value="Yes">
-%</form></body></html>
-%END
-%
+
+This will <B>completely remove</B> all traces of this customer record.  This
+is <B>not</B> what you want if this is a real customer who has simply
+canceled service with you.  For that, cancel all of the customer's packages.
+(you can optionally hide cancelled customers with the <A HREF="../config/config-view.cgi#hidecancelledcustomers">hidecancelledcustomers</A> configuration option)
+<BR>
+<BR>Are you <B>absolutely sure</B> you want to delete this customer?
+<BR><INPUT TYPE="submit" VALUE="Yes">
+</FORM>
+
+<% include('/elements/footer.html') %>
+
 %#Deleting a customer you have financial records on (i.e. credits) is
 %#typically considered fraudulant bookkeeping.  Remember, deleting   
 %#customers should ONLY be used for completely bogus records.  You should
@@ -56,6 +34,31 @@
 %#Also see the "hidecancelledcustomers" and "hidecancelledpackages"
 %#configuration options, which will allow you to surpress the display of
 %#cancelled customers and packages, respectively.
-%
-%
 
+<%init>
+
+my $conf = new FS::Conf;
+die "Customer deletions not enabled in configuration"
+  unless $conf->exists('deletecustomers');
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Delete customer');
+
+my($custnum, $new_custnum);
+if ( $cgi->param('error') ) {
+  $custnum = $cgi->param('custnum');
+  $new_custnum = $cgi->param('new_custnum');
+} else {
+  my($query) = $cgi->keywords;
+  $query =~ /^(\d+)$/ or die "Illegal query: $query";
+  $custnum = $1;
+  $new_custnum = '';
+}
+my $cust_main = qsearchs( {
+  'table'     => 'cust_main',
+  'hashref'   => { 'custnum' => $custnum },
+  'extra_sql' => ' AND '. $FS::CurrentUser::CurrentUser->agentnums_sql,
+} )
+  or die 'Unknown custnum';
+
+<%/init>
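Review bot: The closing tag is written `<%/init>` instead of `</%init>`, so Mason does not see the end of the init block and the component will not compile. In the error branch `$custnum` is taken from `$cgi->param('custnum')` without the `/^(\d+)$/` check the other branch applies; the `|h` filter on the hidden field covers the output side, but the lookup should receive a validated value as well. The added `agentnums_sql` restriction on the customer lookup is the right scoping for this page.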

Index: delete-domain_record.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/delete-domain_record.cgi,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- delete-domain_record.cgi	8 Oct 2007 19:14:27 -0000	1.3
+++ delete-domain_record.cgi	13 Jan 2008 21:14:18 -0000	1.4
@@ -1,16 +1,20 @@
-%
-%
-%#untaint recnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/ || die "Illegal recnum";
-%my $recnum = $1;
-%
-%my $domain_record = qsearchs('domain_record',{'recnum'=>$recnum});
-%
-%my $error = $domain_record->delete;
-%errorpage($error) if $error;
-%
-%print $cgi->redirect($p. "view/svc_domain.cgi?". $domain_record->svcnum);
-%
-%
+% if ( $error ) {
+%   errorpage($error);
+% } else {
+<% $cgi->redirect($p. "view/svc_domain.cgi?". $domain_record->svcnum) %>
+% }
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Edit domain nameservice');
+
+#untaint recnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/ || die "Illegal recnum";
+my $recnum = $1;
+
+my $domain_record = qsearchs('domain_record',{'recnum'=>$recnum});
+
+my $error = $domain_record->delete;
+
+</%init>

Index: unprovision.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/unprovision.cgi,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- unprovision.cgi	8 Oct 2007 19:14:27 -0000	1.4
+++ unprovision.cgi	13 Jan 2008 21:14:19 -0000	1.5
@@ -1,31 +1,26 @@
-%
-%
-%my $dbh = dbh;
-% 
-%#untaint svcnum
-%my($query) = $cgi->keywords;
-%$query =~ /^(\d+)$/;
-%my $svcnum = $1;
-%
-%#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum});
-%#die "Unknown svcnum!" unless $svc_acct;
-%
-%my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum});
-%die "Unknown svcnum!" unless $cust_svc;
-%
-%my $custnum = $cust_svc->cust_pkg->custnum;
-%
-%my $error = $cust_svc->cancel;
-%
 %if ( $error ) {
-%  
-
-<!-- mason kludge -->
-%
 %  errorpage($error);
 %} else {
-%  print $cgi->redirect(popurl(2)."view/cust_main.cgi?$custnum");
+<% $cgi->redirect(popurl(2)."view/cust_main.cgi?$custnum") %>
 %}
-%
-%
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Unprovision customer service');
+
+#untaint svcnum
+my($query) = $cgi->keywords;
+$query =~ /^(\d+)$/;
+my $svcnum = $1;
 
+#my $svc_acct = qsearchs('svc_acct',{'svcnum'=>$svcnum});
+#die "Unknown svcnum!" unless $svc_acct;
+
+my $cust_svc = qsearchs('cust_svc',{'svcnum'=>$svcnum});
+die "Unknown svcnum!" unless $cust_svc;
+
+my $custnum = $cust_svc->cust_pkg->custnum;
+
+my $error = $cust_svc->cancel;
+
+</%init>
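Review bot: `$query =~ /^(\d+)$/;` on the new side ignores the match result, so a non-numeric keyword leaves `$1` with a stale capture and the later `Unknown svcnum!` check may pass for the wrong service; write `$query =~ /^(\d+)$/ or die "Illegal svcnum";` as the sibling files do. The commented-out `#my $svc_acct ...` / `#die "Unknown svcnum!" ...` lines are dead code carried over from the old version and can be dropped.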

Index: print-invoice.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/print-invoice.cgi,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -d -r1.10 -r1.11
--- print-invoice.cgi	23 Aug 2006 22:25:38 -0000	1.10
+++ print-invoice.cgi	13 Jan 2008 21:14:19 -0000	1.11
@@ -1,18 +1,19 @@
-%
-%
-%#untaint invnum
-%my($query) = $cgi->keywords;
-%$query =~ /^((.+)-)?(\d+)$/;
-%my $template = $2;
-%my $invnum = $3;
-%my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
-%die "Can't find invoice!\n" unless $cust_bill;
-%
-%$cust_bill->print($template);
-%
-%my $custnum = $cust_bill->getfield('custnum');
-%
-%print $cgi->redirect("${p}view/cust_main.cgi?$custnum");
-%
-%
+<% $cgi->redirect("${p}view/cust_main.cgi?$custnum") %>
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+#untaint invnum
+my($query) = $cgi->keywords;
+$query =~ /^((.+)-)?(\d+)$/;
+my $template = $2;
+my $invnum = $3;
+my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
+die "Can't find invoice!\n" unless $cust_bill;
+
+$cust_bill->print($template);
+
+my $custnum = $cust_bill->getfield('custnum');
+
+</%init>

Index: email-invoice.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/email-invoice.cgi,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -d -r1.6 -r1.7
--- email-invoice.cgi	23 Aug 2006 22:25:38 -0000	1.6
+++ email-invoice.cgi	13 Jan 2008 21:14:19 -0000	1.7
@@ -1,18 +1,19 @@
-%
-%
-%#untaint invnum
-%my($query) = $cgi->keywords;
-%$query =~ /^((.+)-)?(\d+)$/;
-%my $template = $2;
-%my $invnum = $3;
-%my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
-%die "Can't find invoice!\n" unless $cust_bill;
-%
-%$cust_bill->email($template); 
-%
-%my $custnum = $cust_bill->getfield('custnum');
-%
-%print $cgi->redirect("${p}view/cust_main.cgi?$custnum");
-%
-%
+<% $cgi->redirect("${p}view/cust_main.cgi?$custnum") %>
+<%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Resend invoices');
+
+#untaint invnum
+my($query) = $cgi->keywords;
+$query =~ /^((.+)-)?(\d+)$/;
+my $template = $2;
+my $invnum = $3;
+my $cust_bill = qsearchs('cust_bill',{'invnum'=>$invnum});
+die "Can't find invoice!\n" unless $cust_bill;
+
+$cust_bill->email($template); 
+
+my $custnum = $cust_bill->getfield('custnum');
+
+</%init>

Index: payment.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/payment.cgi,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- payment.cgi	29 Nov 2007 02:54:50 -0000	1.16
+++ payment.cgi	13 Jan 2008 21:14:19 -0000	1.17
@@ -217,6 +217,9 @@
 <% include('/elements/footer.html') %>
 <%init>
 
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Process payment');
+
 my %type = ( 'CARD' => 'credit card',
              'CHEK' => 'electronic check (ACH)',
            );

Index: cust_main-import.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/cust_main-import.cgi,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -r1.8 -r1.9
--- cust_main-import.cgi	30 Nov 2007 03:24:40 -0000	1.8
+++ cust_main-import.cgi	13 Jan 2008 21:14:18 -0000	1.9
@@ -97,5 +97,13 @@
 <% include('/elements/footer.html') %>
 
 <%once>
+
 my $req = qq!<font color="#ff0000">*</font>!;
+
 </%once>
+<%init>
+
+die "access denied"
+  unless $FS::CurrentUser::CurrentUser->access_right('Import');
+
+</%init>

Index: cancel_pkg.html
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/cancel_pkg.html,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- cancel_pkg.html	25 Dec 2007 23:49:22 -0000	1.5
+++ cancel_pkg.html	13 Jan 2008 21:14:18 -0000	1.6
@@ -23,7 +23,7 @@
 % if ($method eq 'expire' || $method eq 'adjourn') {
 <TR>
   <TD><% $submit =~ /^(\w*)\s/ %> package on </TD>
-    <TD><INPUT TYPE="text" NAME="date" ID="expire_date" VALUE="<% $date %>">
+    <TD><INPUT TYPE="text" NAME="date" ID="expire_date" VALUE="<% $date |h %>">
         <IMG SRC="<% $p %>images/calendar.png" ID="expire_button" STYLE="cursor:pointer" TITLE="Select date">
         <BR><I>m/d/y</I>
     </TD>
@@ -42,8 +42,7 @@
 <% include('/elements/tr-select-reason.html',
              'field'          => 'reasonnum',
              'reason_class'   => $class,
-             #XXX these need to be sticky on errors too...
-             #'curr_value'     => '',
+             'curr_value'     => $reasonnum,
              'control_button' => 'document.sc_popup.submit',
           )
 %>
@@ -58,45 +57,53 @@
 </HTML>
 
 <%init>
-my($method, $pkgnum, $reasonnum, $submit, $cust_pkg, $part_pkg,
-   $date, $curuser, $class); 
-$date = time2str("%m/%d/%Y", time);
+
+my $date = time2str("%m/%d/%Y", time);
+
+my($pkgnum, $reasonnum);
 if ( $cgi->param('error') ) {
-  $method        = $cgi->param('method');
-  $pkgnum        = $cgi->param('pkgnum');
-  $reasonnum     = $cgi->param('reasonnum');
-  $date = $cgi->param('date');
+  $pkgnum    = $cgi->param('pkgnum');
+  $reasonnum = $cgi->param('reasonnum');
+  $date      = $cgi->param('date');
 } elsif ( $cgi->param('pkgnum') =~ /^(\d+)$/ ) {
-  $pkgnum  = $1;
+  $pkgnum    = $1;
+  $reasonnum = '';
 } else {
   die "illegal query ". $cgi->keywords;
 }
 
-$method = $cgi->param('method');
+$cgi->param('method') =~ /^(\w+)$/ or die 'illegal method';
+my $method = $1;
+
+my($class, $submit, $right);
 if ($method eq 'cancel') {
-  $class = 'C';
-  $submit    = "Cancel Now";
-}elsif ($method eq 'expire') {
-  $class = 'C';
-  $submit    = "Cancel Later";
-}elsif ($method eq 'suspend') {
-  $class = 'S';
-  $submit    = "Suspend Now";
-}elsif ($method eq 'adjourn') {
-  $class = 'S';
-  $submit    = "Suspend Later";
-}else{
-  die "illegal query ". $cgi->keywords;
+  $class  = 'C';
+  $submit = 'Cancel Now';
+  $right  = 'Cancel customer package immediately';
+} elsif ($method eq 'expire') {
+  $class  = 'C';
+  $submit = 'Cancel Later';
+  $right  = 'Cancel customer package later';
+} elsif ($method eq 'suspend') {
+  $class  = 'S';
+  $submit = 'Suspend Now';
+  $right  = 'Suspend customer package';
+} elsif ($method eq 'adjourn') {
+  $class  = 'S';
+  $submit = "Suspend Later";
+  $right  = 'Suspend customer package later';
+} else {
+  die 'illegal query (unknown method param)';
 }
 
-my $title = ucfirst($method) . ' Package';
+my $curuser = $FS::CurrentUser::CurrentUser;
+die "access denied" unless $curuser->access_right($right);
 
-$cust_pkg = qsearchs('cust_pkg', {'pkgnum' => $pkgnum});
-die "No such package: $pkgnum" unless $cust_pkg;
+my $title = ucfirst($method) . ' Package';
 
-$part_pkg = $cust_pkg->part_pkg;
+my $cust_pkg = qsearchs('cust_pkg', {'pkgnum' => $pkgnum})
+  or die "Unknown pkgnum: $pkgnum";
 
-$curuser = $FS::CurrentUser::CurrentUser;
+my $part_pkg = $cust_pkg->part_pkg;
 
 </%init>
-
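Review bot: In the `error` branch `$pkgnum` is copied from `$cgi->param('pkgnum')` without the `/^(\d+)$/` check applied in the other branch, and the value then goes into the `qsearchs('cust_pkg', ...)` lookup; validate it the same way, `$cgi->param('pkgnum') =~ /^(\d+)$/ or die 'illegal pkgnum'; $pkgnum = $1;`. The new `$method` validation and the per-method `$right` table are a clear improvement. As a style point, `$submit = "Suspend Later";` uses double quotes where the three sibling assignments use single quotes.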

Index: whois.cgi
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/whois.cgi,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- whois.cgi	23 Aug 2006 22:25:38 -0000	1.3
+++ whois.cgi	13 Jan 2008 21:14:19 -0000	1.4
@@ -1,10 +1,3 @@
-%
-%  my $svcnum = $cgi->param('svcnum');
-%  my $custnum = $cgi->param('custnum');
-%  my $domain = $cgi->param('domain');
-%
-%
-
 <% include("/elements/header.html","Whois $domain", menubar(
   ( $custnum
     ? ( "View this customer (#$custnum)" => "${p}view/cust_main.cgi?$custnum",
@@ -12,16 +5,23 @@
     : ()
   ),
   "View this domain (#$svcnum)" => "${p}view/svc_domain.cgi?$svcnum",
-  "Main menu" => $p,
 )) %>
-% my $whois = eval { whois($domain) };
-%   if ( $@ ) {
-%     ( $whois = $@ ) =~ s/ at \/.*Net\/Whois\/Raw\.pm line \d+.*$//s;
-%   } else {
-%     $whois =~ s/^\n+//;
-%   }
-%
 
 <PRE><% $whois %></PRE>
-</BODY>
-</HTML>
+
+<% include('/elements/footer.html') %>
+
+<%init>
+
+my $svcnum = $cgi->param('svcnum');
+my $custnum = $cgi->param('custnum');
+my $domain = $cgi->param('domain');
+
+my $whois = eval { whois($domain) };
+  if ( $@ ) {
+    ( $whois = $@ ) =~ s/ at \/.*Net\/Whois\/Raw\.pm line \d+.*$//s;
+  } else {
+    $whois =~ s/^\n+//;
+  }
+
+</%init>
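Review bot: `$whois` is emitted in the context line `<PRE><% $whois %></PRE>` without the `|h` filter this commit adds elsewhere, yet it holds the raw response of a remote whois server or the `$@` error text, so any markup in that response is rendered as HTML; use `<PRE><% $whois |h %></PRE>`. `$domain`, `$svcnum` and `$custnum` are taken from the query unvalidated and interpolated into the title and URLs; the numeric ones should get the `/^(\d+)$/` treatment used in the sibling files. Unlike the other files in this commit no access_right check is added here. The `if`/`else` after the `eval` keeps the two-space indent left over from the old `%` lines.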

Index: cancel_cust.html
===================================================================
RCS file: /home/cvs/cvsroot/freeside/httemplate/misc/cancel_cust.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- cancel_cust.html	25 Dec 2007 23:49:22 -0000	1.2
+++ cancel_cust.html	13 Jan 2008 21:14:18 -0000	1.3
@@ -50,6 +50,8 @@
 
 $curuser = $FS::CurrentUser::CurrentUser;
 
+die "access denied" unless $curuser->access_right('Cancel customer');
+
 $cust_main = qsearchs( {
   'table'     => 'cust_main',
   'hashref'   => { 'custnum' => $custnum },


