Committer: ailyin
LJSUP-12314 (Moneyview priv for SUP-staff); original patch by azateevU trunk/htdocs/admin/accounts/paiddetails.bml
Modified: trunk/htdocs/admin/accounts/paiddetails.bml
===================================================================
--- trunk/htdocs/admin/accounts/paiddetails.bml 2012-06-01 11:49:34 UTC (rev 12050)
+++ trunk/htdocs/admin/accounts/paiddetails.bml 2012-06-01 13:59:02 UTC (rev 12051)
@@ -34,17 +34,17 @@
my $remote = LJ::get_remote()
or return $err->("<?needlogin?>");
- # what types of privs does the user have:
- # 1) viewall - moneyview
- # 2) viewsearch - moneysearch or moneyview
- my $viewall = LJ::check_priv($remote, "moneyview") || $LJ::IS_DEV_SERVER;
- my $viewsearch = $viewall || LJ::check_priv($remote, "moneysearch");
-
- # error unless the user has at least viewsearch
- unless ($viewsearch) {
- return $err->("You don't have access to see this, or you're not logged in.");
+ unless ( LJ::check_priv( $remote, 'moneyview' ) ) {
+ return $err->("You don't have access to see this.");
}
+ my %restricted_payvars = map { $_ => 1 } qw(
+ creator_ip avs cardname cc_sig email ip
+ ppemail pplastname geoip-country
+ );
+
+ my $can_view_all_payvars = LJ::check_priv( $remote, 'moneyview', 'full' );
+
# what payid is the user attempting to view? (remove "-anum" portion
my $payid = (split("-", $GET{payid} || $POST{payid}))[0]+0;
@@ -61,11 +61,6 @@
my $pmt = LJ::Pay::Payment->load( payid => $payid )
or return $err->("Unable to load cart: $@");
- # if a user has moneysearch but not moneyview, they must explicitly specify a userid argument
- my $userid = $GET{userid} || $POST{userid};
- return $err->("Invalid payment ID, or missing arguments")
- unless $viewall || $pmt->{userid} eq $userid;
-
my $ret;
# is this a render-able cart?
@@ -179,6 +174,9 @@
$ret .= "<p>";
foreach my $k (sort keys %$payvars) {
my $v = $payvars->{$k};
+ if ( $restricted_payvars{$k} && ! $can_view_all_payvars ) {
+ $v = '***';
+ }
$ret .= "<tt><b>$k</b></tt> = $v<br />\n";
}
@@ -211,6 +209,9 @@
$sth = $dbh->prepare("SELECT ikey, ival FROM paymentsearch WHERE payid=?");
$sth->execute($pmt->{payid});
while (my ($k, $v) = $sth->fetchrow_array) {
+ if ( $restricted_payvars{$k} && ! $can_view_all_payvars ) {
+ $v = '***';
+ }
$ret .= "<tt><b>$k</b></tt> = $v<br />\n";
}
$ret .= "</p>";
