Committer: ailyin
LJSUP-12314 (Moneyview priv for SUP-staff); original patch by azateevU trunk/htdocs/admin/accounts/paiddetails.bml
Modified: trunk/htdocs/admin/accounts/paiddetails.bml =================================================================== --- trunk/htdocs/admin/accounts/paiddetails.bml 2012-06-01 11:49:34 UTC (rev 12050) +++ trunk/htdocs/admin/accounts/paiddetails.bml 2012-06-01 13:59:02 UTC (rev 12051) @@ -34,17 +34,17 @@ my $remote = LJ::get_remote() or return $err->("<?needlogin?>"); - # what types of privs does the user have: - # 1) viewall - moneyview - # 2) viewsearch - moneysearch or moneyview - my $viewall = LJ::check_priv($remote, "moneyview") || $LJ::IS_DEV_SERVER; - my $viewsearch = $viewall || LJ::check_priv($remote, "moneysearch"); - - # error unless the user has at least viewsearch - unless ($viewsearch) { - return $err->("You don't have access to see this, or you're not logged in."); + unless ( LJ::check_priv( $remote, 'moneyview' ) ) { + return $err->("You don't have access to see this."); } + my %restricted_payvars = map { $_ => 1 } qw( + creator_ip avs cardname cc_sig email ip + ppemail pplastname geoip-country + ); + + my $can_view_all_payvars = LJ::check_priv( $remote, 'moneyview', 'full' ); + # what payid is the user attempting to view? (remove "-anum" portion my $payid = (split("-", $GET{payid} || $POST{payid}))[0]+0; @@ -61,11 +61,6 @@ my $pmt = LJ::Pay::Payment->load( payid => $payid ) or return $err->("Unable to load cart: $@"); - # if a user has moneysearch but not moneyview, they must explicitly specify a userid argument - my $userid = $GET{userid} || $POST{userid}; - return $err->("Invalid payment ID, or missing arguments") - unless $viewall || $pmt->{userid} eq $userid; - my $ret; # is this a render-able cart? @@ -179,6 +174,9 @@ $ret .= "<p>"; foreach my $k (sort keys %$payvars) { my $v = $payvars->{$k}; + if ( $restricted_payvars{$k} && ! $can_view_all_payvars ) { + $v = '***'; + } $ret .= "<tt><b>$k</b></tt> = $v<br />\n"; } 
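Review bot: `%restricted_payvars` is a denylist, so any payvar key introduced later that carries personal or card data is displayed unmasked to plain `moneyview` holders until somebody remembers to extend this list; an allowlist of keys that are safe to show without the `'full'` arg would fail closed instead. If the denylist is kept, it deserves a comment on the `my %restricted_payvars` line such as `# keys hidden from 'moneyview' holders lacking the 'full' arg; extend whenever a new payvar holding PII or card data is added`, and hoisting it out of the page body to a file-level constant would make that easier to find. The mask is only applied in the two display loops further down (hunks `@@ -179,6 +174,9 @@` and `@@ -211,6 +209,9 @@`); whether the "render-able cart" path elsewhere in this file prints any of the same values (email, ip) cannot be seen from this diff and should be checked. The enclosing code block starts and ends outside the hunk.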
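Review bot: The masking `if` added in this payvars loop is repeated verbatim in the paymentsearch loop of hunk `@@ -211,6 +209,9 @@`, so the two can drift apart; a closure defined next to `%restricted_payvars`, `my $display_value = sub { my ($k, $v) = @_; return $restricted_payvars{$k} && !$can_view_all_payvars ? '***' : $v; };`, used as `my $v = $display_value->($k, $payvars->{$k});` here and on the `while (my ($k, $v) = ...)` result there keeps one copy of the rule. The second loop also assumes the `ikey` values stored in `paymentsearch` use exactly the same spelling and case as the payvar names in the list; if they differ, the lookup silently misses and the value is shown, which is worth a comment or a normalised key. `$v` is still interpolated into the HTML unescaped on the `$ret .=` line; that predates this change, but since these values are now treated as sensitive the same helper is a natural place to escape them. The enclosing code block starts and ends outside the hunk.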
@@ -211,6 +209,9 @@ $sth = $dbh->prepare("SELECT ikey, ival FROM paymentsearch WHERE payid=?"); $sth->execute($pmt->{payid}); while (my ($k, $v) = $sth->fetchrow_array) { + if ( $restricted_payvars{$k} && ! $can_view_all_payvars ) { + $v = '***'; + } $ret .= "<tt><b>$k</b></tt> = $v<br />\n"; } $ret .= "</p>";