svn commit: r465401 - in /incubator/ofbiz/trunk/applications/ecommerce: webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh widget/EmailOrderScreens.xml


svn commit: r465401 - in /incubator/ofbiz/trunk/applications/ecommerce: webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh widget/EmailOrderScreens.xml

sichen
Author: sichen
Date: Wed Oct 18 15:39:16 2006
New Revision: 465401

URL: http://svn.apache.org/viewvc?view=rev&rev=465401
Log:
fix emails of anonymous checkout, and moved up the demo store tag so under all circumstances it is checked

Modified:
    incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
    incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml

Modified: incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
URL: http://svn.apache.org/viewvc/incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh?view=diff&rev=465401&r1=465400&r2=465401
==============================================================================
--- incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh (original)
+++ incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh Wed Oct 18 15:39:16 2006
@@ -36,10 +36,19 @@
 partyId = null;
 if (userLogin != null) partyId = userLogin.getString("partyId");
 
+// can anybody view an anonymous order?  this is set in the screen widget and should only be turned on by an email confirmation screen
+allowAnonymousView = context.get("allowAnonymousView");
+
 orderHeader = null;
+boolean isDemoStore = true;
 if (orderId != null && orderId.length() > 0) {
     orderHeader = delegator.findByPrimaryKey("OrderHeader", UtilMisc.toMap("orderId", orderId));
-    if (orderHeader != null) {
+    productStore = orderHeader.getRelatedOneCache("ProductStore");
+    if (productStore != null) isDemoStore = !"N".equals(productStore.getString("isDemoStore"));
+    
+    // check OrderRole to make sure the user can view this order.  This check must be done for any order which is not anonymously placed and
+    // any anonymous order when the allowAnonymousView security flag (see above) is not set to Y, to prevent peeking
+    if ((orderHeader != null) && (!("anonymous".equals(orderHeader.getString("createdBy"))) || ("anonymous".equals(orderHeader.getString("createdBy")) && !"Y".equals(allowAnonymousView)))) {
         orderRole = delegator.findByPrimaryKey("OrderRole", UtilMisc.toMap("orderId", orderId, "partyId", partyId, "roleTypeId", "PLACING_CUSTOMER"));
         if (userLogin == null || orderRole == null) {
             context.remove("orderHeader");
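Review bot: The added `orderHeader.getRelatedOneCache("ProductStore")` call sits above the `orderHeader != null` test, so an orderId that matches no OrderHeader now fails with a null dereference before the access check runs; guard the two store lines with `if (orderHeader != null) { ... }` or move them below the check. The access condition also reduces to `orderHeader != null && (!"anonymous".equals(orderHeader.getString("createdBy")) || !"Y".equals(allowAnonymousView))`, which is easier to audit for a check meant to prevent order peeking. Because the OrderRole lookup is skipped whenever the flag is `Y`, it is worth confirming that `allowAnonymousView` can only enter `context` from the screen definition and never from request input; that is not visible in this hunk. The enclosing `if` block continues past the end of the hunk.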
@@ -93,10 +102,6 @@
         webSiteId = CatalogWorker.getWebSiteId(request);
     }
 
-    productStore = orderHeader.getRelatedOne("ProductStore");
-    boolean isDemoStore = true;
-    if (productStore != null) isDemoStore = !"N".equals(productStore.getString("isDemoStore"));
-    
     payToPartyId = productStore.getString("payToPartyId");
     paymentAddress =  PaymentWorker.getPaymentAddress(delegator, payToPartyId);    
     if (paymentAddress != null) context.put("paymentAddress", paymentAddress);  

Modified: incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml
URL: http://svn.apache.org/viewvc/incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml?view=diff&rev=465401&r1=465400&r2=465401
==============================================================================
--- incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml (original)
+++ incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml Wed Oct 18 15:39:16 2006
@@ -78,6 +78,7 @@
             <actions>
                 <set field="title" value="Order Confirmation Notice"/>
                 <set field="baseEcommerceSecureUrl" value="${baseSecureUrl}/ecommerce/control/"/>
+                <set field="allowAnonymousView" value="Y"/>  <!-- this field will instruction orderstatus.bsh to allow an anonymous order to be viewed by anybody, so the email confirmation screen will work -->
                 <script location="component://ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh"/>
             </actions>
             <widgets>
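Review bot: Setting `allowAnonymousView` to `Y` on the added line turns off the OrderRole ownership check in orderstatus.bsh for every order whose `createdBy` is `anonymous`, so this screen is only safe if it is rendered solely by the mail-sending path and never through a request-mapped view that takes a caller-supplied orderId. Whether that holds cannot be seen from this hunk and should be confirmed against the controller configuration. The inline comment should state that constraint, and its wording needs a fix, for example `<!-- instructs orderstatus.bsh to skip the OrderRole check for anonymous orders; only set this in screens rendered for outgoing email -->`.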