Hi Scott,
I see now that you introduced the fullPath="true" stuff at http://svn.apache.org/viewvc?rev=935146&view=rev. Is it really needed there?

Thanks

Jacques
From: <[hidden email]>
> Author: jleroux
> Date: Fri Jan 14 21:47:23 2011
> New Revision: 1059180
>
> URL: http://svn.apache.org/viewvc?rev=1059180&view=rev
> Log:
> A modified patch from Sascha based on an initial patch from Abdullah Shaikh "permission error on cancel order item from ecommerce"
> (https://issues.apache.org/jira/browse/OFBIZ-3075) - OFBIZ-3075
>
> If I cancel an order item from ecommerce, I get the below error displayed on the page.
> The Following Errors Occurred:
> Unable to cancel order line : WSCO11640 / 00001 / null
>
> There has been a discussion about it in this thread http://markmail.org/message/dfkudyvbksvls333
>
> How it works: you can cancel an order item if you created it or have the ORDERMGR_CREATE or ORDERMGR_UPDATE permissions (I added
> the latter to Sascha's patch, else the order manager would be annoyed ;o)
> I think this makes sense, because AFAIK there are no other UIs than
> https://demo-trunk.ofbiz.apache.org/ordermgr/control/editOrderItems?orderId=...
> and
> https://demo-trunk.ofbiz.apache.org:8443/ecommerce/control/orderstatus?orderId=...
> to cancel an order item. So nobody should be able to bypass his/her permissions... Of course, let me know if you think I could
> have missed something, thanks
>
> Note also that we had to remove fullPath="true" in <@ofbizUrl>cancelOrderItem</@ofbizUrl> (orderitems.ftl), to avoid the
> InsecureFormPostToSecureRequest error. I don't think it raises any security issues though, as it's done from a javascript call
> with a hidden orderItemSeqId parameter.
> > Modified: > ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml > ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml > ofbiz/trunk/applications/order/servicedef/services.xml > ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl > > Modified: ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml?rev=1059180&r1=1059179&r2=1059180&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml (original) > +++ ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml Fri Jan 14 21:47:23 2011 
> @@ -599,10 +599,6 @@ under the License. > </simple-method> > > <simple-method method-name="recreateOrderAdjustments" short-description="Auto create OrderAdjustments"> > - <check-permission permission="ORDERMGR" action="_UPDATE"> > - <fail-property resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunAutoCreateOrderAdjustments"/> > - </check-permission> > - <check-errors/> > <entity-one entity-name="OrderHeader" value-field="order" auto-field-map="true"/> > <!-- all existing promo order items are cancelled --> > <get-related value-field="order" relation-name="OrderItem" list="orderItems"/> > > Modified: ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml?rev=1059180&r1=1059179&r2=1059180&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml (original) > +++ ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml Fri Jan 14 21:47:23 2011 
> @@ -20,12 +20,44 @@ under the License. > > <simple-methods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/simple-methods.xsd"> > + > + <!-- Returns hasPermission=true if userLogin partyId equals partyId parameter > + Only the order owner should be able to cancel an item from Ecommerce > + --> > + <simple-method method-name="orderAdjustmentPermissionCheck" short-description="Party contact mech permission logic"> > + <if-empty field="parameters.partyId"> > + <set field="parameters.partyId" from-field="userLogin.partyId"/> > + </if-empty> > + <if-compare-field to-field="userLogin.partyId" field="parameters.partyId" operator="equals"> > + <set field="hasPermission" type="Boolean" value="true"/> > + <field-to-result field="hasPermission"/> > + <else> > + <set field="primaryPermission" value="ORDERMGR"/> > + <set field="altPermission" value="ORDERMGR_ROLE"/> > + <set field="mainAction" from-field="parameters.mainAction"/> > + <call-simple-method method-name="genericBasePermissionCheck" > xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/> > + <if-compare field="hasPermission" operator="not-equals" value="true"> > + <set field="resourceDescription" from-field="parameters.resourceDescription"/> > + <if-empty field="resourceDescription"> > + <property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation" > field="resourceDescription"/> > + </if-empty> > + <if-compare field="mainAction" value="CREATE" operator="equals"> > + <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement" > field="failMessage"/> > + </if-compare> > + <if-compare field="mainAction" value="UPDATE" operator="equals"> > + <property-to-field resource="OrderErrorUiLabels" > property="OrderSecurityErrorToRunAutoCreateOrderAdjustments" field="failMessage"/> > + </if-compare> > + <set field="hasPermission" type="Boolean" 
value="false"/> > + <field-to-result field="failMessage"/> > + <else> > + <field-to-result field="hasPermission"/> > + </else> > + </if-compare> > + </else> > + </if-compare-field> > + </simple-method> > + > <simple-method method-name="createOrderAdjustment" short-description="Create an OrderAdjustment"> > - <check-permission permission="ORDERMGR" action="_CREATE"> > - <alt-permission permission="ORDERMGR_ROLE" action="_CREATE"/> > - <fail-property resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement"/> > - </check-permission> > - <check-errors/> > > <make-value entity-name="OrderAdjustment" value-field="newEntity"/> > <set-nonpk-fields map="parameters" value-field="newEntity"/> > > Modified: ofbiz/trunk/applications/order/servicedef/services.xml > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services.xml?rev=1059180&r1=1059179&r2=1059180&view=diff > ============================================================================== > --- ofbiz/trunk/applications/order/servicedef/services.xml (original) > +++ ofbiz/trunk/applications/order/servicedef/services.xml Fri Jan 14 21:47:23 2011 
> @@ -181,9 +181,20 @@ under the License. > <attribute name="shipmentReceiptId" type="String" mode="IN" optional="true"/> > </service> > > + <service name="orderAdjustmentPermissionCheck" engine="simple" > + location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" > invoke="orderAdjustmentPermissionCheck"> > + <description> > + Performs a party contact mech security check. The userLogin partyId must equal the partyId parameter. > + Only the order owner should be able to cancel an item from Ecommerce. > + </description> > + <implements service="permissionInterface"/> > + <attribute name="partyId" type="String" mode="IN" optional="true"/> > + </service> > + > <service name="createOrderAdjustment" default-entity-name="OrderAdjustment" engine="simple" > location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" invoke="createOrderAdjustment"> > <description>Creates a new order adjustment record</description> > + <permission-service service-name="orderAdjustmentPermissionCheck" main-action="CREATE"/> > <auto-attributes mode="OUT" include="pk" optional="false"/> > <auto-attributes mode="IN" include="nonpk" optional="true"/> > <override name="orderAdjustmentTypeId" optional="false"/> 
> @@ -355,6 +366,7 @@ under the License. > <service name="recreateOrderAdjustments" engine="simple" auth="true" > location="component://order/script/org/ofbiz/order/order/OrderServices.xml" invoke="recreateOrderAdjustments"> > <description>Remove all existing order adjustments, recalc them and persist in OrderAdjustment.</description> > + <permission-service service-name="orderAdjustmentPermissionCheck" main-action="UPDATE"/> > <attribute name="orderId" type="String" mode="IN" optional="false"/> > </service> > > > Modified: ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl > URL: > http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl?rev=1059180&r1=1059179&r2=1059180&view=diff > ============================================================================== > --- ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl (original) > +++ ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl Fri Jan 14 21:47:23 2011 > @@ -222,7 +222,7 @@ under the License. > ${uiLabelMap.CommonComments} > <input class="inputBox" type="text" name="icm_${orderItem.orderItemSeqId}" value="" size="30" maxlength="60"/> > </td> > - <td colspan="4"><a href="javascript:document.addCommonToCartForm.action='<@ofbizUrl > fullPath="true">cancelOrderItem</@ofbizUrl>';document.addCommonToCartForm.submit()" > class="buttontext">${uiLabelMap.CommonCancel}</a> > + <td colspan="4"><a > href="javascript:document.addCommonToCartForm.action='<@ofbizUrl>cancelOrderItem</@ofbizUrl>';document.addCommonToCartForm.submit()" > class="buttontext">${uiLabelMap.CommonCancel}</a> > <input type="hidden" name="orderItemSeqId" value="${orderItem.orderItemSeqId}"/> > </td> > </tr> > > |
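Review bot: Removing the inline `<check-permission permission="ORDERMGR" action="_UPDATE">` block from `recreateOrderAdjustments` (OrderServices.xml, hunk @@ -599) leaves the `<permission-service>` on the service definition as the only guard, and that guard runs only when the method is invoked through the service engine; anything reaching this simple-method via `call-simple-method` gets no check at all. Either keep a cheap in-method check or confirm there are no direct callers, and record the change in the commit log, since it alters behaviour rather than just moving code.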
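Review bot: The "owner" branch of `orderAdjustmentPermissionCheck` (OrderSimpleMethods.xml, hunk @@ -20) never looks at the order: it fills an empty `parameters.partyId` from `userLogin.partyId` and then compares the two fields, so a caller that supplies no `partyId` always lands in the `hasPermission=true` branch and the ORDERMGR/ORDERMGR_ROLE fallback is never evaluated. The comment says only the order owner may cancel an item, but what is actually tested is whether the caller passed their own partyId or none; derive the owning party from the order identified by `orderId` rather than from a caller-controlled parameter. Two smaller points: the failure branch emits only `<field-to-result field="failMessage"/>` and not `hasPermission`, so move `<field-to-result field="hasPermission"/>` outside the `if-compare` so every path returns an explicit result; and the short-description "Party contact mech permission logic" is copied from another method and should describe the order adjustment check.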
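Review bot: The `<description>` of the new `orderAdjustmentPermissionCheck` service (services.xml, hunk @@ -181) says "Performs a party contact mech security check", which is the wrong domain and will mislead the next reader; describe the order adjustment ownership/ORDERMGR check it performs. In the same hunk `createOrderAdjustment` now depends entirely on this permission-service with `main-action="CREATE"`, and its `auth` attribute is not visible here: confirm the service is declared `auth="true"` so that `userLogin` is guaranteed to be present when the partyId comparison runs.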
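Review bot: `recreateOrderAdjustments` (services.xml, hunk @@ -355) declares only `orderId` as an IN attribute, so no `partyId` ever reaches the permission service; combined with the check defaulting an empty partyId to the caller's own, every authenticated user passes, which is weaker than the `ORDERMGR_UPDATE` requirement this patch removes from the method body. Either have the permission check resolve the order's owner from `orderId`, or keep the ORDERMGR_UPDATE requirement for this service, which is an order-manager operation rather than a customer one.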
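Review bot: Dropping `fullPath="true"` from the cancel link (orderitems.ftl, hunk @@ -222) makes the form post to a path-relative URL, so whether `cancelOrderItem` is requested over HTTPS now depends on how the order status page itself was loaded; verify that the controller's request-map for `cancelOrderItem` carries `<security https="true" auth="true"/>` so the controller, not the template, decides the transport. The commit log's argument that a JavaScript-triggered submit with a hidden `orderItemSeqId` raises no security issue does not stand on its own: the hidden field is client-supplied like any other parameter, so the server side must still verify that `orderItemSeqId` belongs to an order the caller owns, which is what the permission changes in this patch are meant to provide.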
