I mixed 2 commit comments.
In this one, it should read <<Note also that we did not have to remove fullPath="true" in <@ofbizUrl>cancelOrderItem</@ofbizUrl> (orderitems.ftl), to avoid the InsecureFormPostToSecureRequest error. It was not there in R9.04 (it has been introduced by Scott at http://svn.apache.org/viewvc?rev=935146&view=rev)>>

Jacques

> Author: jleroux
> Date: Fri Jan 14 22:11:07 2011
> New Revision: 1059185
>
> URL: http://svn.apache.org/viewvc?rev=1059185&view=rev
> Log:
> "Applied fix from trunk for revision: 1059180"
> ------------------------------------------------------------------------
> r1059180 | jleroux | 2011-01-14 22:47:23 +0100 (ven., 14 janv. 2011) | 16 lines
>
> A modified patch from Sascha based on an initial patch from Abdullah Shaikh "permission error on cancel order item from ecommerce"
> (https://issues.apache.org/jira/browse/OFBIZ-3075) - OFBIZ-3075
>
> If I cancel an order item from ecommerce, I get the below error displayed on the page.
> The Following Errors Occurred:
> Unable to cancel order line : WSCO11640 / 00001 / null
>
> There has been a discussion about it in this thread http://markmail.org/message/dfkudyvbksvls333
>
> How it works: you can cancel an order item if you created it or have the ORDERMGR_CREATE or ORDERMGR_UPDATE permissions (I added
> the latter to Sascha's patch, else the order manager would be annoyed ;o)
> I think this makes sense, because AFAIK there are no other UIs than
> https://demo-trunk.ofbiz.apache.org/ordermgr/control/editOrderItems?orderId=...
> and
> https://demo-trunk.ofbiz.apache.org:8443/ecommerce/control/orderstatus?orderId=...
> to cancel an order item. So nobody should be able to bypass his/her permissions... Of course, let me know if you think I could
> have missed something, thanks
>
> Note also that we had to remove fullPath="true" in <@ofbizUrl>cancelOrderItem</@ofbizUrl> (orderitems.ftl), to avoid the
> InsecureFormPostToSecureRequest error. I don't think it raises any security issues though, as it's done from a javascript call
> with hidden orderItemSeqId parameter.
> ------------------------------------------------------------------------
>
>
> Modified:
> ofbiz/branches/release09.04/ (props changed)
> ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml
> ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
> ofbiz/branches/release09.04/applications/order/servicedef/services.xml
>
> Propchange: ofbiz/branches/release09.04/
> ------------------------------------------------------------------------------
> --- svn:mergeinfo (original)
> +++ svn:mergeinfo Fri Jan 14 22:11:07 2011
> @@ -1 +1 @@ > -/ofbiz/trunk:765933,766011,766015,766293,766307,766316,766325,766462,766522,766800,767060,767072,767093,767098-767099,767102,767123,767125,767127,767279,767287,767671,767688,767694,767822,767845,768358,768490,768550,768675,768686,768705,768811,768815,768960,769030,769500,770272,770308,770997,771073,771477,772401,772464-772465,773076,773557,773628,773659,773697,774014,774632,774661,774995,775292,775667,776227,776594,776620,776922,777004,777020,777768,777792,777893,777947,778078,778094,778107,778273,778278,778280,778364,778374,778402,778576,778594,778628,779020,779477,779496,779639,779834,779856,779866,779873,780111,780138,780180,780199,780203,780906,780945,781201,781534,781549,781669,781680,781694,782663,783257,783266,783833,783913,783917,785123,785764,785967,786778,787126,787435-787436,787442,787520,788965,788983,788987,789329,789337,789506,789548,796769,799185,800461,800846,801023,802346,804364,805307,806127,806377,806914,808786-808787,808792,809141,810370,810438,810465,8 > 807,810809,810814,810832,810836,810878,810917,811020,811280,811297,811419,811528,811708,811714,811716,811793,811838,811860,811865,811870,812159,812182,812192,812456,812540,812724,813126,813131,813283,813672,813702,814168,814205,814251,814349,814531,814576,814681,814731,815158,815165,815350,815687,815977,816255,816863,818030,818049,818150,818494,818500,818716,818976,819275-819276,819282,819337,821263,821270,822659,823877-823878,823883,823888,823892,824511,825181-825182,826253,827730,828971,829085,829376,829412,829416,829527,830091,830112,830366,830528,830677,830874,830880,831238,831801,832361,832698,832776,832880,832908,833324,833686,833703,834825,835161,835357,835585,836015,881194,881713,882072,882326,882918,883933,884023,884529,884546,884758,885122,885702,887916,888111,888559,888587,889666,890050,890107,890245,891378,891620,896649,899188,899833,900024,900026,900050,900217,900273,901628,907342-907343,910460,912587,915332,916252,916703,916925,917435,922042,923828,927870,9280 3 > 
7,928166,928171,928180,928470,928477,929582,931594-931595,933157,935494,936817,941047,941431,941440,942884,943168,944895,945118,948017,950866,950870,950893,951005,951062,951098,951367,951381,951672,953294,953671,954135,954956,958343,958514,958521,960997,964558,965470,965916,966785,967098,978893,980641-980642,980935,981051,981104,981123,981288,983920,985718,985856,985902,990339,995686,996069,996078-996079,996563,997419-997420,997440,1003434,1003450,1004139,1037567,1040044,1042009,1042034,1042038,1042132,1042188,1042317,1042348,1042411,1043996-1043998,1050602,1056305,1057519,1058488 > +/ofbiz/trunk:765933,766011,766015,766293,766307,766316,766325,766462,766522,766800,767060,767072,767093,767098-767099,767102,767123,767125,767127,767279,767287,767671,767688,767694,767822,767845,768358,768490,768550,768675,768686,768705,768811,768815,768960,769030,769500,770272,770308,770997,771073,771477,772401,772464-772465,773076,773557,773628,773659,773697,774014,774632,774661,774995,775292,775667,776227,776594,776620,776922,777004,777020,777768,777792,777893,777947,778078,778094,778107,778273,778278,778280,778364,778374,778402,778576,778594,778628,779020,779477,779496,779639,779834,779856,779866,779873,780111,780138,780180,780199,780203,780906,780945,781201,781534,781549,781669,781680,781694,782663,783257,783266,783833,783913,783917,785123,785764,785967,786778,787126,787435-787436,787442,787520,788965,788983,788987,789329,789337,789506,789548,796769,799185,800461,800846,801023,802346,804364,805307,806127,806377,806914,808786-808787,808792,809141,810370,810438,810465,8 10 > 
807,810809,810814,810832,810836,810878,810917,811020,811280,811297,811419,811528,811708,811714,811716,811793,811838,811860,811865,811870,812159,812182,812192,812456,812540,812724,813126,813131,813283,813672,813702,814168,814205,814251,814349,814531,814576,814681,814731,815158,815165,815350,815687,815977,816255,816863,818030,818049,818150,818494,818500,818716,818976,819275-819276,819282,819337,821263,821270,822659,823877-823878,823883,823888,823892,824511,825181-825182,826253,827730,828971,829085,829376,829412,829416,829527,830091,830112,830366,830528,830677,830874,830880,831238,831801,832361,832698,832776,832880,832908,833324,833686,833703,834825,835161,835357,835585,836015,881194,881713,882072,882326,882918,883933,884023,884529,884546,884758,885122,885702,887916,888111,888559,888587,889666,890050,890107,890245,891378,891620,896649,899188,899833,900024,900026,900050,900217,900273,901628,907342-907343,910460,912587,915332,916252,916703,916925,917435,922042,923828,927870,9280 3 > 7,928166,928171,928180,928470,928477,929582,931594-931595,933157,935494,936817,941047,941431,941440,942884,943168,944895,945118,948017,950866,950870,950893,951005,951062,951098,951367,951381,951672,953294,953671,954135,954956,958343,958514,958521,960997,964558,965470,965916,966785,967098,978893,980641-980642,980935,981051,981104,981123,981288,983920,985718,985856,985902,990339,995686,996069,996078-996079,996563,997419-997420,997440,1003434,1003450,1004139,1037567,1040044,1042009,1042034,1042038,1042132,1042188,1042317,1042348,1042411,1043996-1043998,1050602,1056305,1057519,1058488,1059180 > > Modified: ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml > URL: > http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml?rev=1059185&r1=1059184&r2=1059185&view=diff > ============================================================================== > --- 
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml (original) > +++ ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml Fri Jan 14 22:11:07 2011 > @@ -552,10 +552,6 @@ under the License. > </simple-method> > > <simple-method method-name="recreateOrderAdjustments" short-description="Auto create OrderAdjustments"> > - <check-permission permission="ORDERMGR" action="_UPDATE"> > - <fail-property resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunAutoCreateOrderAdjustments"/> > - </check-permission> > - <check-errors/> > <entity-one entity-name="OrderHeader" value-field="order" auto-field-map="true"/> > <!-- all existing promo order items are cancelled --> > <get-related value-field="order" relation-name="OrderItem" list="orderItems"/> > > Modified: ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml > URL: > http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml?rev=1059185&r1=1059184&r2=1059185&view=diff > ============================================================================== > --- ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml (original) > +++ ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml Fri Jan 14 22:11:07 2011 
> @@ -20,12 +20,44 @@ under the License. > > <simple-methods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/simple-methods.xsd"> > + > + <!-- Returns hasPermission=true if userLogin partyId equals partyId parameter > + Only the order owner should be able to cancel an item from Ecommerce > + --> > + <simple-method method-name="orderAdjustmentPermissionCheck" short-description="Party contact mech permission logic"> > + <if-empty field="parameters.partyId"> > + <set field="parameters.partyId" from-field="userLogin.partyId"/> > + </if-empty> > + <if-compare-field to-field="userLogin.partyId" field="parameters.partyId" operator="equals"> > + <set field="hasPermission" type="Boolean" value="true"/> > + <field-to-result field="hasPermission"/> > + <else> > + <set field="primaryPermission" value="ORDERMGR"/> > + <set field="altPermission" value="ORDERMGR_ROLE"/> > + <set field="mainAction" from-field="parameters.mainAction"/> > + <call-simple-method method-name="genericBasePermissionCheck" > xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/> > + <if-compare field="hasPermission" operator="not-equals" value="true"> > + <set field="resourceDescription" from-field="parameters.resourceDescription"/> > + <if-empty field="resourceDescription"> > + <property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation" > field="resourceDescription"/> > + </if-empty> > + <if-compare field="mainAction" value="CREATE" operator="equals"> > + <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement" > field="failMessage"/> > + </if-compare> > + <if-compare field="mainAction" value="UPDATE" operator="equals"> > + <property-to-field resource="OrderErrorUiLabels" > property="OrderSecurityErrorToRunAutoCreateOrderAdjustments" field="failMessage"/> > + </if-compare> > + <set field="hasPermission" type="Boolean" 
value="false"/> > + <field-to-result field="failMessage"/> > + <else> > + <field-to-result field="hasPermission"/> > + </else> > + </if-compare> > + </else> > + </if-compare-field> > + </simple-method> > + > <simple-method method-name="createOrderAdjustment" short-description="Create an OrderAdjustment"> > - <check-permission permission="ORDERMGR" action="_CREATE"> > - <alt-permission permission="ORDERMGR_ROLE" action="_CREATE"/> > - <fail-property resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement"/> > - </check-permission> > - <check-errors/> > > <make-value entity-name="OrderAdjustment" value-field="newEntity"/> > <set-nonpk-fields map="parameters" value-field="newEntity"/> > > Modified: ofbiz/branches/release09.04/applications/order/servicedef/services.xml > URL: > http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/servicedef/services.xml?rev=1059185&r1=1059184&r2=1059185&view=diff > ============================================================================== > --- ofbiz/branches/release09.04/applications/order/servicedef/services.xml (original) > +++ ofbiz/branches/release09.04/applications/order/servicedef/services.xml Fri Jan 14 22:11:07 2011 
> @@ -177,9 +177,20 @@ under the License. > <attribute name="shipmentReceiptId" type="String" mode="IN" optional="true"/> > </service> > > + <service name="orderAdjustmentPermissionCheck" engine="simple" > + location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" > invoke="orderAdjustmentPermissionCheck"> > + <description> > + Performs a party contact mech security check. The userLogin partyId must equal the partyId parameter. > + Only the order owner should be able to cancel an item from Ecommerce. > + </description> > + <implements service="permissionInterface"/> > + <attribute name="partyId" type="String" mode="IN" optional="true"/> > + </service> > + > <service name="createOrderAdjustment" default-entity-name="OrderAdjustment" engine="simple" > location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" invoke="createOrderAdjustment"> > <description>Creates a new order adjustment record</description> > + <permission-service service-name="orderAdjustmentPermissionCheck" main-action="CREATE"/> > <auto-attributes mode="OUT" include="pk" optional="false"/> > <auto-attributes mode="IN" include="nonpk" optional="true"/> > <override name="orderAdjustmentTypeId" optional="false"/> > @@ -347,6 +358,7 @@ under the License. > <service name="recreateOrderAdjustments" engine="simple" auth="true" > location="component://order/script/org/ofbiz/order/order/OrderServices.xml" invoke="recreateOrderAdjustments"> > <description>Remove all existing order adjustments, recalc them and persist in OrderAdjustment.</description> > + <permission-service service-name="orderAdjustmentPermissionCheck" main-action="UPDATE"/> > <attribute name="orderId" type="String" mode="IN" optional="false"/> > </service> > > > |
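Review bot: In the OrderServices.xml hunk (@@ -552), removing the inline `<check-permission permission="ORDERMGR" action="_UPDATE">` and the following `<check-errors/>` from recreateOrderAdjustments leaves the simple-method itself with no authorization at all; it is now protected only when invoked through the service engine, where the new `<permission-service service-name="orderAdjustmentPermissionCheck" main-action="UPDATE"/>` in services.xml runs first. Any path that reaches the method directly (a call-simple-method, or a later reuse of the method under a second service name that lacks the permission-service line) would skip the check entirely. Suggest a comment at the top of the method stating that authorization is enforced by the permission-service declaration, and a grep for direct callers before merging.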
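Review bot: In the OrderSimpleMethods.xml hunk (@@ -20), the owner check in orderAdjustmentPermissionCheck can be satisfied without proving ownership: `<if-empty field="parameters.partyId">` defaults parameters.partyId to userLogin.partyId, after which `<if-compare-field to-field="userLogin.partyId" field="parameters.partyId" operator="equals">` is necessarily true, so any authenticated user gets hasPermission=true whenever partyId is absent from the context (and services.xml declares it optional="true"). Even when partyId is present, it is a caller-supplied value rather than something looked up from the order, so the check compares the caller against the caller's own claim. Suggest resolving the owner from the order being adjusted (this hunk never touches the order record) and treating an empty partyId as "fall through to the ORDERMGR check" rather than as "owner". Two smaller points in the same hunk: in the failure branch hasPermission is set to false but only failMessage is exported (`<field-to-result field="failMessage"/>`), so add `<field-to-result field="hasPermission"/>` there too to make the denial explicit in the result; and the short-description "Party contact mech permission logic" is copied from the party permission check and should describe order adjustments.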
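Review bot: In the services.xml hunk (@@ -177), the new orderAdjustmentPermissionCheck service declares `<attribute name="partyId" type="String" mode="IN" optional="true"/>` but nothing in the patch shows who populates it: createOrderAdjustment takes its IN attributes from the OrderAdjustment entity's non-pk fields (`<auto-attributes mode="IN" include="nonpk" optional="true"/>`) and recreateOrderAdjustments takes only orderId, so unless OrderAdjustment carries a partyId field the permission service will run with partyId empty and depend entirely on the simple-method's defaulting behaviour. Either have the permission method derive the party itself, or document in the `<description>` how partyId is meant to be passed. The description text ("Performs a party contact mech security check") is copied from another permission service and should be reworded for order adjustments. Also worth confirming: the createOrderAdjustment line shown here carries no `auth="true"` (recreateOrderAdjustments at @@ -347 does), while the permission method dereferences userLogin.partyId, so check that attaching a permission-service is sufficient to guarantee an authenticated userLogin for this service.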
