The ordermgr/control/confirmationmailedit page generates an email with
this in the body:

<p>NOTE: This is a DEMO store-front. Orders placed here will NOT be billed, and will NOT be fulfilled.</p>

<div class="head1">Order not found with ID [WS10000], or not allowed to view.</div>

The orderstatus.bsh script will only display the correct page if you are logged in as the same party that made the order. I was able to fix this by checking security.hasEntityPermission("ORDERMGR", "_VIEW", session), but is this the way it should be checking for the view permissions?

-Nick

Index: applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh =================================================================== --- applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh (revision 510737) +++ applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh (working copy)
@@ -47,10 +47,13 @@ orderHeader = delegator.findByPrimaryKey("OrderHeader", UtilMisc.toMap("orderId", orderId)); productStore = orderHeader.getRelatedOneCache("ProductStore"); if (productStore != null) isDemoStore = !"N".equals(productStore.getString("isDemoStore")); - + // check OrderRole to make sure the user can view this order. This check must be done for any order which is not anonymously placed and // any anonymous order when the allowAnonymousView security flag (see above) is not set to Y, to prevent peeking - if ((orderHeader != null) && (!("anonymous".equals(orderHeader.getString("createdBy"))) || ("anonymous".equals(orderHeader.getString("createdBy")) && !"Y".equals(allowAnonymousView)))) { + // Also, check to see if user has view permissons to view the order + hasPermissions = security.hasEntityPermission("ORDERMGR", "_VIEW", session); + + if ((orderHeader != null) && (!("anonymous".equals(orderHeader.getString("createdBy"))) || ("anonymous".equals(orderHeader.getString("createdBy")) && !"Y".equals(allowAnonymousView))) && !hasPermissions) { orderRole = EntityUtil.getFirst(delegator.findByAnd("OrderRole", UtilMisc.toMap("orderId", orderId, "partyId", partyId, "roleTypeId", "PLACING_CUSTOMER"))); if (userLogin == null || orderRole == null) { |
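Review bot: the added `&& !hasPermissions` on the `if` makes a user holding ORDERMGR_VIEW skip the whole OrderRole block, including the `userLogin == null || orderRole == null` rejection, which is the intended bypass, but it also leaves `orderRole` unassigned on that path, so the change is only safe if nothing below the hunk reads `orderRole`. Consider moving the `hasEntityPermission` call above the existing `// check OrderRole` comment (or folding it into the condition) so the two comments and the check read as one unit; note that it is evaluated before the `orderHeader != null` guard, as is the pre-existing `orderHeader.getRelatedOneCache("ProductStore")` call two lines earlier, which fails on an unknown orderId. Typo in the new comment: "permissons".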
Nick Olson wrote:
> The ordermgr/control/confirmationmailedit page generates an email with this in the body:
>
> <p>NOTE: This is a DEMO store-front. Orders placed here will NOT be billed, and will NOT be fulfilled.</p>
>
> <div class="head1">Order not found with ID [WS10000], or not allowed to view.</div>
>
> The orderstatus.bsh script will only display the correct page if you are logged in as the same party that made the order. I was able to fix this by checking security.hasEntityPermission("ORDERMGR", "_VIEW", session), but is this the way it should be checking for the view permissions?
>
> -Nick
>
> ------------------------------------------------------------------------
>
> Index: applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh > =================================================================== > --- applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh (revision 510737) > +++ applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh (working copy)
> @@ -47,10 +47,13 @@ > orderHeader = delegator.findByPrimaryKey("OrderHeader", UtilMisc.toMap("orderId", orderId)); > productStore = orderHeader.getRelatedOneCache("ProductStore"); > if (productStore != null) isDemoStore = !"N".equals(productStore.getString("isDemoStore")); > - > + > // check OrderRole to make sure the user can view this order. This check must be done for any order which is not anonymously placed and > // any anonymous order when the allowAnonymousView security flag (see above) is not set to Y, to prevent peeking > - if ((orderHeader != null) && (!("anonymous".equals(orderHeader.getString("createdBy"))) || ("anonymous".equals(orderHeader.getString("createdBy")) && !"Y".equals(allowAnonymousView)))) { > + // Also, check to see if user has view permissons to view the order > + hasPermissions = security.hasEntityPermission("ORDERMGR", "_VIEW", session); > + > + if ((orderHeader != null) && (!("anonymous".equals(orderHeader.getString("createdBy"))) || ("anonymous".equals(orderHeader.getString("createdBy")) && !"Y".equals(allowAnonymousView))) && !hasPermissions) { > orderRole = EntityUtil.getFirst(delegator.findByAnd("OrderRole", UtilMisc.toMap("orderId", orderId, "partyId", partyId, "roleTypeId", "PLACING_CUSTOMER"))); > > if (userLogin == null || orderRole == null) { > security fixes may have broken this. |