Андрей (andy) wrote in changelog,

[ljcom] r12051: LJSUP-12314 (Moneyview priv for SUP-staf...

Committer: ailyin
LJSUP-12314 (Moneyview priv for SUP-staff); original patch by azateev
U   trunk/htdocs/admin/accounts/paiddetails.bml
Modified: trunk/htdocs/admin/accounts/paiddetails.bml
===================================================================
--- trunk/htdocs/admin/accounts/paiddetails.bml	2012-06-01 11:49:34 UTC (rev 12050)
+++ trunk/htdocs/admin/accounts/paiddetails.bml	2012-06-01 13:59:02 UTC (rev 12051)
@@ -34,17 +34,17 @@
     my $remote = LJ::get_remote()
         or return $err->("<?needlogin?>");
 
-    # what types of privs does the user have:
-    # 1) viewall - moneyview
-    # 2) viewsearch - moneysearch or moneyview
-    my $viewall    = LJ::check_priv($remote, "moneyview") || $LJ::IS_DEV_SERVER;
-    my $viewsearch = $viewall || LJ::check_priv($remote, "moneysearch");
-
-    # error unless the user has at least viewsearch
-    unless ($viewsearch) {
-        return $err->("You don't have access to see this, or you're not logged in.");
+    unless ( LJ::check_priv( $remote, 'moneyview' ) ) {
+        return $err->("You don't have access to see this.");
     }
 
+    my %restricted_payvars = map { $_ => 1 } qw(
+        creator_ip avs cardname cc_sig email ip
+        ppemail pplastname geoip-country
+    );
+
+    my $can_view_all_payvars = LJ::check_priv( $remote, 'moneyview', 'full' );
+
     # what payid is the user attempting to view? (remove "-anum" portion
     my $payid = (split("-", $GET{payid} || $POST{payid}))[0]+0;
 
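Review bot: `%restricted_payvars` (hunk lines 32–35) is a deny-list, so any sensitive key later added to payvars or paymentsearch is shown in clear by default to holders of plain `moneyview`; a comment stating that contract would help the next maintainer, e.g. `# Deny-list: values of these keys are shown as '***' unless the viewer holds moneyview with the 'full' arg; new PII keys must be added here.` If the displayable key set is small and stable, an allow-list of keys to show would fail closed instead. The lookup is an exact hash match, so these entries must match the stored key spelling exactly (case, and the hyphen in `geoip-country`) — worth confirming against the payvars and paymentsearch data, which are not visible here. The enclosing BML code block starts before this hunk.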
@@ -61,11 +61,6 @@
     my $pmt = LJ::Pay::Payment->load( payid => $payid )
         or return $err->("Unable to load cart: $@");
 
-    # if a user has moneysearch but not moneyview, they must explicitly specify a userid argument
-    my $userid = $GET{userid} || $POST{userid};
-    return $err->("Invalid payment ID, or missing arguments")
-        unless $viewall || $pmt->{userid} eq $userid;
-
     my $ret;
 
     # is this a render-able cart?
@@ -179,6 +174,9 @@
     $ret .= "<p>";
     foreach my $k (sort keys %$payvars) {
         my $v = $payvars->{$k};
+        if ( $restricted_payvars{$k} && ! $can_view_all_payvars ) { 
+            $v = '***';
+        }
         $ret .= "<tt><b>$k</b></tt> = $v<br />\n";
     }
 
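Review bot: The masking condition `$restricted_payvars{$k} && ! $can_view_all_payvars` is duplicated verbatim here (line 58) and in the paymentsearch loop of the next hunk (line 68); `$can_view_all_payvars` does not change inside either loop, so both sites could share one small closure, e.g. `my $display = sub { my ($k, $v) = @_; return ($restricted_payvars{$k} && !$can_view_all_payvars) ? '***' : $v; };`, so the two sites cannot drift apart. Both added `if` lines also carry trailing whitespace after the opening brace. The possibly-masked `$v` is still interpolated unescaped into the HTML on the unchanged line 61; that predates this change, but several of the named keys (`creator_ip`, `cardname`, `email`) look like stored user-supplied input, so unless they are escaped upstream the display should go through the project's HTML-escaping helper — that cannot be determined from this hunk. The surrounding code block begins and ends outside this hunk.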
@@ -211,6 +209,9 @@
     $sth = $dbh->prepare("SELECT ikey, ival FROM paymentsearch WHERE payid=?");
     $sth->execute($pmt->{payid});
     while (my ($k, $v) = $sth->fetchrow_array) {
+        if ( $restricted_payvars{$k} && ! $can_view_all_payvars ) { 
+            $v = '***';
+        }
         $ret .= "<tt><b>$k</b></tt> = $v<br />\n";
     }
     $ret .= "</p>";
