Author: sichen
Date: Wed Oct 18 15:39:16 2006
New Revision: 465401
URL:
http://svn.apache.org/viewvc?view=rev&rev=465401Log:
fix emails of anonymous checkout, and moved up the demo store tag so under all circumstances it is checked
Modified:
incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml
Modified: incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
URL:
http://svn.apache.org/viewvc/incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh?view=diff&rev=465401&r1=465400&r2=465401==============================================================================
--- incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh (original)
+++ incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh Wed Oct 18 15:39:16 2006
@@ -36,10 +36,19 @@
partyId = null;
if (userLogin != null) partyId = userLogin.getString("partyId");
+// can anybody view an anonymous order? this is set in the screen widget and should only be turned on by an email confirmation screen
+allowAnonymousView = context.get("allowAnonymousView");
+
orderHeader = null;
+boolean isDemoStore = true;
if (orderId != null && orderId.length() > 0) {
orderHeader = delegator.findByPrimaryKey("OrderHeader", UtilMisc.toMap("orderId", orderId));
- if (orderHeader != null) {
+ productStore = orderHeader.getRelatedOneCache("ProductStore");
+ if (productStore != null) isDemoStore = !"N".equals(productStore.getString("isDemoStore"));
+
+ // check OrderRole to make sure the user can view this order. This check must be done for any order which is not anonymously placed and
+ // any anonymous order when the allowAnonymousView security flag (see above) is not set to Y, to prevent peeking
+ if ((orderHeader != null) && (!("anonymous".equals(orderHeader.getString("createdBy"))) || ("anonymous".equals(orderHeader.getString("createdBy")) && !"Y".equals(allowAnonymousView)))) {
orderRole = delegator.findByPrimaryKey("OrderRole", UtilMisc.toMap("orderId", orderId, "partyId", partyId, "roleTypeId", "PLACING_CUSTOMER"));
if (userLogin == null || orderRole == null) {
context.remove("orderHeader");
@@ -93,10 +102,6 @@
webSiteId = CatalogWorker.getWebSiteId(request);
}
- productStore = orderHeader.getRelatedOne("ProductStore");
- boolean isDemoStore = true;
- if (productStore != null) isDemoStore = !"N".equals(productStore.getString("isDemoStore"));
-
payToPartyId = productStore.getString("payToPartyId");
paymentAddress = PaymentWorker.getPaymentAddress(delegator, payToPartyId);
if (paymentAddress != null) context.put("paymentAddress", paymentAddress);
Modified: incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml
URL:
http://svn.apache.org/viewvc/incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml?view=diff&rev=465401&r1=465400&r2=465401==============================================================================
--- incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml (original)
+++ incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml Wed Oct 18 15:39:16 2006
@@ -78,6 +78,7 @@
<actions>
<set field="title" value="Order Confirmation Notice"/>
<set field="baseEcommerceSecureUrl" value="${baseSecureUrl}/ecommerce/control/"/>
+ <set field="allowAnonymousView" value="Y"/> <!-- this field will instruction orderstatus.bsh to allow an anonymous order to be viewed by anybody, so the email confirmation screen will work -->
<script location="component://ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh"/>
</actions>
<widgets>
Locked
