[ljcom] r12051: LJSUP-12314 (Moneyview priv for SUP-staf...: changelog

Committer: ailyin

LJSUP-12314 (Moneyview priv for SUP-staff); original patch by azateev

U   trunk/htdocs/admin/accounts/paiddetails.bml

Modified: trunk/htdocs/admin/accounts/paiddetails.bml
===================================================================
--- trunk/htdocs/admin/accounts/paiddetails.bml	2012-06-01 11:49:34 UTC (rev 12050)
+++ trunk/htdocs/admin/accounts/paiddetails.bml	2012-06-01 13:59:02 UTC (rev 12051)
@@ -34,17 +34,17 @@
     my $remote = LJ::get_remote()
         or return $err->("<?needlogin?>");
 
-    # what types of privs does the user have:
-    # 1) viewall - moneyview
-    # 2) viewsearch - moneysearch or moneyview
-    my $viewall    = LJ::check_priv($remote, "moneyview") || $LJ::IS_DEV_SERVER;
-    my $viewsearch = $viewall || LJ::check_priv($remote, "moneysearch");
-
-    # error unless the user has at least viewsearch
-    unless ($viewsearch) {
-        return $err->("You don't have access to see this, or you're not logged in.");
+    unless ( LJ::check_priv( $remote, 'moneyview' ) ) {
+        return $err->("You don't have access to see this.");
     }
 
+    my %restricted_payvars = map { $_ => 1 } qw(
+        creator_ip avs cardname cc_sig email ip
+        ppemail pplastname geoip-country
+    );
+
+    my $can_view_all_payvars = LJ::check_priv( $remote, 'moneyview', 'full' );
+
     # what payid is the user attempting to view? (remove "-anum" portion
     my $payid = (split("-", $GET{payid} || $POST{payid}))[0]+0;
 
@@ -61,11 +61,6 @@
     my $pmt = LJ::Pay::Payment->load( payid => $payid )
         or return $err->("Unable to load cart: $@");
 
-    # if a user has moneysearch but not moneyview, they must explicitly specify a userid argument
-    my $userid = $GET{userid} || $POST{userid};
-    return $err->("Invalid payment ID, or missing arguments")
-        unless $viewall || $pmt->{userid} eq $userid;
-
     my $ret;
 
     # is this a render-able cart?
@@ -179,6 +174,9 @@
     $ret .= "<p>";
     foreach my $k (sort keys %$payvars) {
         my $v = $payvars->{$k};
+        if ( $restricted_payvars{$k} && ! $can_view_all_payvars ) { 
+            $v = '***';
+        }
         $ret .= "<tt><b>$k</b></tt> = $v<br />\n";
     }
 
@@ -211,6 +209,9 @@
     $sth = $dbh->prepare("SELECT ikey, ival FROM paymentsearch WHERE payid=?");
     $sth->execute($pmt->{payid});
     while (my ($k, $v) = $sth->fetchrow_array) {
+        if ( $restricted_payvars{$k} && ! $can_view_all_payvars ) { 
+            $v = '***';
+        }
         $ret .= "<tt><b>$k</b></tt> = $v<br />\n";
     }
     $ret .= "</p>";

Post a new comment
Error

Anonymous comments are disabled in this journal
We will log you in after post

We will log you in after post

We will log you in after post

We will log you in after post

We will log you in after post

Anonymously

switch

LiveJournal

Facebook

Twitter

OpenId

Google

MailRu

VKontakte

Anonymously

default userpic

Your reply will be screened

Your IP address will be recorded

Preview comment

Help
0 comments

Post a new comment
0 comments

Log in

[ljcom] r12051: LJSUP-12314 (Moneyview priv for SUP-staf...

Error