Author: jleroux
Date: Fri Jan 14 21:58:37 2011
New Revision: 1059183

URL: http://svn.apache.org/viewvc?rev=1059183&view=rev
Log:
"Applied fix from trunk for revision: 1059180"
------------------------------------------------------------------------
r1059180 | jleroux | 2011-01-14 22:47:23 +0100 (ven., 14 janv. 2011) | 16 lines

A modified patch from Sascha based on an initial patch from Abdullah Shaikh "permission error on cancel order item from ecommerce" (https://issues.apache.org/jira/browse/OFBIZ-3075) - OFBIZ-3075

If I cancel an order item from ecommerce, I get the below error displayed on the page.
The Following Errors Occurred:
Unable to cancel order line : WSCO11640 / 00001 / null

There has been a discussion about it in this thread http://markmail.org/message/dfkudyvbksvls333

How it works: you can cancel an order item if you created it or have the ORDERMGR_CREATE or ORDERMGR_UPDATE permissions (I added the latter to Sascha's patch, else the order manager would be annoyed ;o)
I think this makes sense, because AFAIK there are no other UIs than https://demo-trunk.ofbiz.apache.org/ordermgr/control/editOrderItems?orderId=... and https://demo-trunk.ofbiz.apache.org:8443/ecommerce/control/orderstatus?orderId=... to cancel an order item. So nobody should be able to bypass his/her permissions...
Of course, let me know if you think I could have missed something, thanks

Note also that we had to remove fullPath="true" in <@ofbizUrl>cancelOrderItem</@ofbizUrl> (orderitems.ftl), to avoid InsecureFormPostToSecureRequest error. I don't think it raises any security issues though, as it's done from a javascript call with hidden orderItemSeqId parameter.
------------------------------------------------------------------------ Modified: ofbiz/branches/release10.04/ (props changed) ofbiz/branches/release10.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml ofbiz/branches/release10.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml ofbiz/branches/release10.04/applications/order/servicedef/services.xml ofbiz/branches/release10.04/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl Propchange: ofbiz/branches/release10.04/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Fri Jan 14 21:58:37 2011 
@@ -1,3 +1,3 @@ /ofbiz/branches/addbirt:831210-885099,885686-886087 /ofbiz/branches/multitenant20100310:921280-927264 -/ofbiz/trunk:939988,939990,939999,940025,940053,940234,940248,940309,940401,940410,940425,940779,940815,940849,940851,941007,941047,941109,941177,941199,941261,941440,941600,941999,942084,942406,942414,942671,942883-942884,943168,943271-943272,944614,944621,944623,944647,944669,944797,944895,945010,945018,945026,945118,945573,945578,945580,945582,945610,945619,945848,945852,945857,946061,946066,946073,946075,946080,946309,946313,946320,946322,946596,947004-947005,947392,947424,947679,947988,948017,948694,949174,949710,949844,950866,950870,950893,951005,951062,951098,951251,951367,951381,951672,952232,952249,952270,953294,953671,954135,954583,954733,954956,955568,956022,956206,956340,957160,958343,958514,958521,958752,958758,958769,958953,959456,960143,960491,960997,963610,964558,965470,965916,966525,966785,967098,978806,978893,978939,979104,980641-980642,980935,981051,981104,981123,981288,983920,983930,985163,985298,985473,985718,985856,985902,987841,989166,990127,990339,990 539,991485,993344,993387,995384,995686,996069,996078-996079,996563,997418-997420,997423-997425,997431,997440,997526,997990,998061,998412,998557,1000621,1000725,1000998,1001099,1001131,1001185,1001574,1001849,1001962,1002963,1003434,1003450,1003829,1004139,1027756,1027960,1028053,1028625,1028627,1029600,1030016,1030385,1030390,1033928,1033953,1034138,1034179,1035080,1035084,1036426,1036669,1037507,1037559-1037560,1037567,1037883,1038228,1038990,1039256,1040044,1040091,1042009,1042034,1042038,1042132,1042188,1042222,1042317,1042348,1042396,1042411,1042950,1043861,1043996-1043998,1044047,1044084,1044912,1049031,1050602,1051111,1051450,1051812,1052195,1053285,1053289,1054565,1055057,1056072,1056305,1056803,1057519,1058028,1058056,1058488 
+/ofbiz/trunk:939988,939990,939999,940025,940053,940234,940248,940309,940401,940410,940425,940779,940815,940849,940851,941007,941047,941109,941177,941199,941261,941440,941600,941999,942084,942406,942414,942671,942883-942884,943168,943271-943272,944614,944621,944623,944647,944669,944797,944895,945010,945018,945026,945118,945573,945578,945580,945582,945610,945619,945848,945852,945857,946061,946066,946073,946075,946080,946309,946313,946320,946322,946596,947004-947005,947392,947424,947679,947988,948017,948694,949174,949710,949844,950866,950870,950893,951005,951062,951098,951251,951367,951381,951672,952232,952249,952270,953294,953671,954135,954583,954733,954956,955568,956022,956206,956340,957160,958343,958514,958521,958752,958758,958769,958953,959456,960143,960491,960997,963610,964558,965470,965916,966525,966785,967098,978806,978893,978939,979104,980641-980642,980935,981051,981104,981123,981288,983920,983930,985163,985298,985473,985718,985856,985902,987841,989166,990127,990339,990 539,991485,993344,993387,995384,995686,996069,996078-996079,996563,997418-997420,997423-997425,997431,997440,997526,997990,998061,998412,998557,1000621,1000725,1000998,1001099,1001131,1001185,1001574,1001849,1001962,1002963,1003434,1003450,1003829,1004139,1027756,1027960,1028053,1028625,1028627,1029600,1030016,1030385,1030390,1033928,1033953,1034138,1034179,1035080,1035084,1036426,1036669,1037507,1037559-1037560,1037567,1037883,1038228,1038990,1039256,1040044,1040091,1042009,1042034,1042038,1042132,1042188,1042222,1042317,1042348,1042396,1042411,1042950,1043861,1043996-1043998,1044047,1044084,1044912,1049031,1050602,1051111,1051450,1051812,1052195,1053285,1053289,1054565,1055057,1056072,1056305,1056803,1057519,1058028,1058056,1058488,1059180 Modified: ofbiz/branches/release10.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release10.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml?rev=1059183&r1=1059182&r2=1059183&view=diff ============================================================================== --- ofbiz/branches/release10.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml (original) +++ ofbiz/branches/release10.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml Fri Jan 14 21:58:37 2011 @@ -573,10 +573,6 @@ under the License. </simple-method> <simple-method method-name="recreateOrderAdjustments" short-description="Auto create OrderAdjustments"> - <check-permission permission="ORDERMGR" action="_UPDATE"> - <fail-property resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunAutoCreateOrderAdjustments"/> - </check-permission> - <check-errors/> <entity-one entity-name="OrderHeader" value-field="order" auto-field-map="true"/> <!-- all existing promo order items are cancelled --> <get-related value-field="order" relation-name="OrderItem" list="orderItems"/> Modified: ofbiz/branches/release10.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml URL: http://svn.apache.org/viewvc/ofbiz/branches/release10.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml?rev=1059183&r1=1059182&r2=1059183&view=diff ============================================================================== --- ofbiz/branches/release10.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml (original) +++ ofbiz/branches/release10.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml Fri Jan 14 21:58:37 2011 
@@ -20,12 +20,44 @@ under the License. <simple-methods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/simple-methods.xsd"> + + <!-- Returns hasPermission=true if userLogin partyId equals partyId parameter + Only the order owner should be able to cancel an item from Ecommerce + --> + <simple-method method-name="orderAdjustmentPermissionCheck" short-description="Party contact mech permission logic"> + <if-empty field="parameters.partyId"> + <set field="parameters.partyId" from-field="userLogin.partyId"/> + </if-empty> + <if-compare-field to-field="userLogin.partyId" field="parameters.partyId" operator="equals"> + <set field="hasPermission" type="Boolean" value="true"/> + <field-to-result field="hasPermission"/> + <else> + <set field="primaryPermission" value="ORDERMGR"/> + <set field="altPermission" value="ORDERMGR_ROLE"/> + <set field="mainAction" from-field="parameters.mainAction"/> + <call-simple-method method-name="genericBasePermissionCheck" xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/> + <if-compare field="hasPermission" operator="not-equals" value="true"> + <set field="resourceDescription" from-field="parameters.resourceDescription"/> + <if-empty field="resourceDescription"> + <property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation" field="resourceDescription"/> + </if-empty> + <if-compare field="mainAction" value="CREATE" operator="equals"> + <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement" field="failMessage"/> + </if-compare> + <if-compare field="mainAction" value="UPDATE" operator="equals"> + <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunAutoCreateOrderAdjustments" field="failMessage"/> + </if-compare> + <set field="hasPermission" type="Boolean" value="false"/> + <field-to-result field="failMessage"/> + <else> + 
<field-to-result field="hasPermission"/> + </else> + </if-compare> + </else> + </if-compare-field> + </simple-method> + <simple-method method-name="createOrderAdjustment" short-description="Create an OrderAdjustment"> - <check-permission permission="ORDERMGR" action="_CREATE"> - <alt-permission permission="ORDERMGR_ROLE" action="_CREATE"/> - <fail-property resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement"/> - </check-permission> - <check-errors/> <make-value entity-name="OrderAdjustment" value-field="newEntity"/> <set-nonpk-fields map="parameters" value-field="newEntity"/> Modified: ofbiz/branches/release10.04/applications/order/servicedef/services.xml URL: http://svn.apache.org/viewvc/ofbiz/branches/release10.04/applications/order/servicedef/services.xml?rev=1059183&r1=1059182&r2=1059183&view=diff ============================================================================== --- ofbiz/branches/release10.04/applications/order/servicedef/services.xml (original) +++ ofbiz/branches/release10.04/applications/order/servicedef/services.xml Fri Jan 14 21:58:37 2011 
@@ -181,9 +181,20 @@ under the License. <attribute name="shipmentReceiptId" type="String" mode="IN" optional="true"/> </service> + <service name="orderAdjustmentPermissionCheck" engine="simple" + location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" invoke="orderAdjustmentPermissionCheck"> + <description> + Performs a party contact mech security check. The userLogin partyId must equal the partyId parameter. + Only the order owner should be able to cancel an item from Ecommerce. + </description> + <implements service="permissionInterface"/> + <attribute name="partyId" type="String" mode="IN" optional="true"/> + </service> + <service name="createOrderAdjustment" default-entity-name="OrderAdjustment" engine="simple" location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" invoke="createOrderAdjustment"> <description>Creates a new order adjustment record</description> + <permission-service service-name="orderAdjustmentPermissionCheck" main-action="CREATE"/> <auto-attributes mode="OUT" include="pk" optional="false"/> <auto-attributes mode="IN" include="nonpk" optional="true"/> <override name="orderAdjustmentTypeId" optional="false"/> 
@@ -352,6 +363,7 @@ under the License. <service name="recreateOrderAdjustments" engine="simple" auth="true" location="component://order/script/org/ofbiz/order/order/OrderServices.xml" invoke="recreateOrderAdjustments"> <description>Remove all existing order adjustments, recalc them and persist in OrderAdjustment.</description> + <permission-service service-name="orderAdjustmentPermissionCheck" main-action="UPDATE"/> <attribute name="orderId" type="String" mode="IN" optional="false"/> </service> Modified: ofbiz/branches/release10.04/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl URL: http://svn.apache.org/viewvc/ofbiz/branches/release10.04/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl?rev=1059183&r1=1059182&r2=1059183&view=diff ============================================================================== --- ofbiz/branches/release10.04/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl (original) +++ ofbiz/branches/release10.04/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl Fri Jan 14 21:58:37 2011 @@ -222,7 +222,7 @@ under the License. ${uiLabelMap.CommonComments} <input class="inputBox" type="text" name="icm_${orderItem.orderItemSeqId}" value="" size="30" maxlength="60"/> </td> - <td colspan="4"><a href="javascript:document.addCommonToCartForm.action='<@ofbizUrl fullPath="true">cancelOrderItem</@ofbizUrl>';document.addCommonToCartForm.submit()" class="buttontext">${uiLabelMap.CommonCancel}</a> + <td colspan="4"><a href="javascript:document.addCommonToCartForm.action='<@ofbizUrl>cancelOrderItem</@ofbizUrl>';document.addCommonToCartForm.submit()" class="buttontext">${uiLabelMap.CommonCancel}</a> <input type="hidden" name="orderItemSeqId" value="${orderItem.orderItemSeqId}"/> </td> </tr> |
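Review bot: in the OrderServices.xml hunk, removing the in-method <check-permission permission="ORDERMGR" action="_UPDATE"> block (and its <check-errors/>) leaves recreateOrderAdjustments with no authorization of its own; the ORDERMGR_UPDATE requirement now exists only as the <permission-service> added in services.xml, so any path that reaches this simple-method other than through the service engine (for example a direct call-simple-method from another script) is no longer checked. A one-line comment on the method stating that authorization is enforced by the service definition would keep a future refactor from reintroducing an unchecked entry point.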
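Review bot: in the OrderSimpleMethods.xml hunk, the ownership test in orderAdjustmentPermissionCheck never looks at the order: when parameters.partyId is empty it is set from userLogin.partyId and then compared with userLogin.partyId, so the <if-compare-field ... operator="equals"> branch yields hasPermission=true for any logged-in caller that omits partyId, and neither createOrderAdjustment nor recreateOrderAdjustments passes one. The owner should be resolved from the order being modified (its orderId, for example via the order's OrderRole records) and compared with userLogin.partyId, rather than trusting a caller-supplied partyId to decide ownership; only when that comparison fails should the ORDERMGR / ORDERMGR_ROLE fallback run. Two smaller points: short-description="Party contact mech permission logic" is a leftover from the contact-mech check this was copied from and should describe order adjustments, and failMessage is left empty for any mainAction other than CREATE or UPDATE.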
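Review bot: in the first services.xml hunk, the <description> of the new orderAdjustmentPermissionCheck service ("Performs a party contact mech security check") is copied from an unrelated permission service and should state what is actually verified. The service also declares only partyId as an optional IN attribute and no orderId, so the check wired to createOrderAdjustment via <permission-service service-name="orderAdjustmentPermissionCheck" main-action="CREATE"/> has nothing that identifies the order whose adjustment is being created; adding an orderId IN attribute would give the check something to compare the caller against.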
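Review bot: in the second services.xml hunk, recreateOrderAdjustments declares orderId as its only IN attribute, so the context handed to the new <permission-service ... main-action="UPDATE"/> never contains partyId and, given how orderAdjustmentPermissionCheck defaults that field, the check resolves to true for every authenticated caller; the permission service needs orderId to perform the owner comparison the commit message describes. Keeping auth="true" on the service is correct, since the check depends on userLogin being present.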
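Review bot: in the orderitems.ftl hunk, dropping fullPath="true" from <@ofbizUrl>cancelOrderItem</@ofbizUrl> means the scheme of the cancel request is now decided by the controller's request-map entry for cancelOrderItem, which is not part of this diff; confirm that orderstatus and cancelOrderItem are served over the same scheme, otherwise the InsecureFormPostToSecureRequest check this change is meant to avoid simply moves to the next request. A short FTL comment next to the link recording why fullPath was removed would save the next reader a trip to OFBIZ-3075.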
