Author: jacopoc
Date: Tue Jan 30 21:11:24 2007
New Revision: 501733
URL: http://svn.apache.org/viewvc?view=rev&rev=501733
Log:
Quick fix for issue OFBIZ-672: if you log in to the ecommerce area of ofbiz and view an order using the URL, you can view any order made by other users by changing the order number in the URL.
I've not tested my fix well also with orders created by anonymous users, so any review and test is appreciated: however I think that for now it's better to have it committed.
Modified:
ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
Modified: ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh?view=diff&rev=501733&r1=501732&r2=501733
==============================================================================
--- ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh (original)
+++ ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh Tue Jan 30 21:11:24 2007
@@ -51,7 +51,7 @@
// check OrderRole to make sure the user can view this order. This check must be done for any order which is not anonymously placed and
// any anonymous order when the allowAnonymousView security flag (see above) is not set to Y, to prevent peeking
if ((orderHeader != null) && (!("anonymous".equals(orderHeader.getString("createdBy"))) || ("anonymous".equals(orderHeader.getString("createdBy")) && !"Y".equals(allowAnonymousView)))) {
- orderRole = EntityUtil.getFirst(delegator.findByAnd("OrderRole", UtilMisc.toMap("orderId", orderId, "roleTypeId", "PLACING_CUSTOMER")));
+ orderRole = EntityUtil.getFirst(delegator.findByAnd("OrderRole", UtilMisc.toMap("orderId", orderId, "partyId", partyId, "roleTypeId", "PLACING_CUSTOMER")));
if (userLogin == null || orderRole == null) {
context.remove("orderHeader");
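Review bot: the authorization now hinges entirely on `partyId` being bound to the OrderRole lookup, but the `userLogin == null` check only runs after the query, and nothing in this hunk shows where `partyId` comes from. If `partyId` can be null or taken from a request parameter rather than from the authenticated `userLogin`, the `"partyId", partyId` filter gives no protection. Suggest moving the `userLogin == null` test ahead of the `findByAnd` and deriving `partyId` from `userLogin` right there, e.g. `if (userLogin == null) { context.remove("orderHeader"); } else { orderRole = EntityUtil.getFirst(delegator.findByAnd("OrderRole", UtilMisc.toMap("orderId", orderId, "partyId", userLogin.getString("partyId"), "roleTypeId", "PLACING_CUSTOMER"))); }`. Also worth a test for the path the log message says is untested: an anonymous order with `allowAnonymousView` not set to Y still enters this branch, so a logged-in user who is not the PLACING_CUSTOMER of that order should get `orderHeader` removed.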