don't redirect to a GET with sensitive data, RT#26099

[freeside.git] / httemplate / edit / cust_main.cgi

diff --git a/httemplate/edit/cust_main.cgi b/httemplate/edit/cust_main.cgi
index 414043e..9e1b4b0 100755 (executable)
--- a/httemplate/edit/cust_main.cgi
+++ b/httemplate/edit/cust_main.cgi
@@ -26,7 +26,8 @@
 <& cust_main/top_misc.html, $cust_main, 'custnum' => $custnum  &>
 
 %# birthdate
-% if (    $conf->exists('cust_main-enable_birthdate')
+% if (    $conf->config('national_id-country')
+%      || $conf->exists('cust_main-enable_birthdate')
 %      || $conf->exists('cust_main-enable_spouse_birthdate')
 %      || $conf->exists('cust_main-enable_anniversary_date')
 %    )
@@ -78,7 +79,9 @@ function bill_changed(what) {
     function fix_ship_city() {
       what.form.ship_city_select.selectedIndex = what.form.city_select.selectedIndex;
       what.form.ship_city.style.display = what.form.city.style.display;
-      what.form.ship_city_select.style.display = what.form.city_select.style.display;
+      if ( what.form.ship_city_select ) {
+        what.form.ship_city_select.style.display = what.form.city_select.style.display;
+      }
     }
 
     function fix_ship_county() {
@@ -99,11 +102,15 @@ function samechanged(what) {
   if ( what.checked ) {
     bill_changed(what);
 
-%   my @fields = qw( last first company address1 address2 city city_select county state zip country latitude longitude daytime night fax mobile );
+%   my @fields = qw( last first company address1 address2 city county state zip country latitude longitude daytime night fax mobile );
 %   for (@fields) { 
       what.form.ship_<%$_%>.disabled = true;
       what.form.ship_<%$_%>.style.backgroundColor = '#dddddd';
-%   } 
+%   }
+    if ( what.form.ship_city_select ) {
+      what.form.ship_city_select.disabled = true;
+      what.form.ship_city_select.style.backgroundColor = '#dddddd';
+    }
 
 %   if ( $conf->exists('cust_main-require_address2') ) {
       document.getElementById('address2_required').style.visibility = '';
@@ -133,7 +140,7 @@ function samechanged(what) {
 <BR>
 <FONT SIZE="+1"><B><% mt('Service address') |h %></B></FONT>
 
-(<INPUT TYPE="checkbox" NAME="same" VALUE="Y" onClick="samechanged(this)" <%$same_checked%>><% mt('same as billing address') |h %>)
+(<INPUT TYPE="checkbox" ID="same" NAME="same" VALUE="Y" onClick="samechanged(this)" <%$same_checked%>><% mt('same as billing address') |h %>)
 <& cust_main/contact.html,
              'cust_main' => $cust_main,
              'pre'       => 'ship_',
@@ -234,6 +241,8 @@ my %svc_dsl = ();
 my $prospectnum = '';
 my $locationnum = '';
 
+$m->comp('/elements/handle_uri_query', 'secure'=>1);
+
 if ( $cgi->param('error') ) {
 
   $cust_main = new FS::cust_main ( {
@@ -252,6 +261,8 @@ if ( $cgi->param('error') ) {
   $stateid = $cust_main->stateid; # don't mask an entered value on errors
   $payinfo = $cust_main->payinfo; # don't mask an entered value on errors
 
+  $cust_main->national_id( $cgi->param('national_id1') || $cgi->param('national_id2') );
+
   $prospectnum = $cgi->param('prospectnum') || '';
 
   $pkgpart_svcpart = $cgi->param('pkgpart_svcpart') || '';
@@ -285,7 +296,8 @@ if ( $cgi->param('error') ) {
   my( $query ) = $cgi->keywords;
   $query =~ /^(\d+)$/;
   $custnum=$1;
-  $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } );
+  $cust_main = qsearchs('cust_main', { 'custnum' => $custnum } )
+    or die "custnum $custnum not found";
   if ( $cust_main->dbdef_table->column('paycvv')
        && length($cust_main->paycvv)             ) {
     my $paycvv = $cust_main->paycvv;
@@ -315,6 +327,8 @@ if ( $cgi->param('error') ) {
   $stateid = '';
   $payinfo = '';
 
+  $cgi->param('tagnum', FS::part_tag->default_tags);
+
   if ( $cgi->param('qualnum') =~ /^(\d+)$/ ) {
     my $qualnum = $1;
     my $qual = qsearchs('qual', { 'qualnum' => $qualnum } )