Author: mor
Date: Tue May 26 11:21:22 2009
New Revision: 778653
URL: http://svn.apache.org/viewvc?rev=778653&view=rev
Log: Securing URLs in FTL for adding, updating and deleting adjustments. Patch from Pranay Pandey, part of OFBIZ-2514 (https://issues.apache.org/jira/browse/OFBIZ-2514)
Modified: ofbiz/trunk/applications/order/webapp/ordermgr/order/editorderitems.ftl
Modified: ofbiz/trunk/applications/order/webapp/ordermgr/order/editorderitems.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/order/editorderitems.ftl?rev=778653&r1=778652&r2=778653&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/webapp/ordermgr/order/editorderitems.ftl (original)
+++ ofbiz/trunk/applications/order/webapp/ordermgr/order/editorderitems.ftl Tue May 26 11:21:22 2009
@@ -274,7 +274,9 @@
 <#assign adjustmentAmount = Static["org.ofbiz.order.order.OrderReadHelper"].calcOrderAdjustment(orderHeaderAdjustment, orderSubTotal)>
 <#assign orderAdjustmentId = orderHeaderAdjustment.get("orderAdjustmentId")>
 <#if adjustmentAmount != 0>
- <form name="updateOrderAdjustmentForm${orderAdjustmentId}" method="post" action="<@ofbizUrl>updateOrderAdjustment?orderAdjustmentId=${orderAdjustmentId?if_exists}&orderId=${orderId?if_exists}</@ofbizUrl>">
+ <form name="updateOrderAdjustmentForm${orderAdjustmentId}" method="post" action="<@ofbizUrl>updateOrderAdjustment</@ofbizUrl>">
+ <input type="hidden" name="orderAdjustmentId" value="${orderAdjustmentId?if_exists}"/>
+ <input type="hidden" name="orderId" value="${orderId?if_exists}"/>
 <table class="basic-table" cellspacing="0">
 <tr>
 <td class="align-text" width="55%">
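Review bot: The two new hidden inputs write `${orderAdjustmentId?if_exists}` and `${orderId?if_exists}` straight into `value` attributes without `?html`, so a value containing `"` or `>` would break out of the attribute unless the rendering layer escapes output, which this diff does not show; `orderAdjustmentId` comes from the entity assigned two lines above, but nothing here shows where `orderId` originates, so `value="${orderId?if_exists?html}"` is the safer form. Moving the parameters from the query string into the POST body only removes the GET path if the `updateOrderAdjustment` request-map in the controller refuses GET, which is outside this diff; until that is in place the old `updateOrderAdjustment?orderAdjustmentId=...&orderId=...` URL still works. The `<#list>` that wraps this block starts outside the hunk.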
@@ -290,7 +292,8 @@
 <td nowrap="nowrap" width="15%">
 <#if (allowPriceChange)>
 <input type="text" name="amount" size="6" value="<@ofbizAmount amount=adjustmentAmount/>"/>
- <input class="smallSubmit" type="submit" value="${uiLabelMap.CommonUpdate}"/><a href="<@ofbizUrl>deleteOrderAdjustment?orderAdjustmentId=${orderAdjustmentId?if_exists}&orderId=${orderId?if_exists}</@ofbizUrl>" class="buttontext">${uiLabelMap.CommonDelete}</a>
+ <input class="smallSubmit" type="submit" value="${uiLabelMap.CommonUpdate}"/>
+ <a href="javascript:document.deleteOrderAdjustment${orderAdjustmentId}.submit();" class="buttontext">${uiLabelMap.CommonDelete}</a>
 <#else>
 <@ofbizAmount amount=adjustmentAmount/>
 </#if>
@@ -298,13 +301,18 @@
 </tr>
 </table>
 </form>
+ <form name="deleteOrderAdjustment${orderAdjustmentId}" method="post" action="<@ofbizUrl>deleteOrderAdjustment</@ofbizUrl>">
+ <input type="hidden" name="orderAdjustmentId" value="${orderAdjustmentId?if_exists}"/>
+ <input type="hidden" name="orderId" value="${orderId?if_exists}"/>
+ </form>
 </#if>
 </#list>
 <#-- add new adjustment -->
 <#if (security.hasEntityPermission("ORDERMGR", "_UPDATE", session) || security.hasRolePermission("ORDERMGR", "_UPDATE", "", "", session)) && orderHeader.statusId != "ORDER_COMPLETED" && orderHeader.statusId != "ORDER_CANCELLED" && orderHeader.statusId != "ORDER_REJECTED">
- <form name="addAdjustmentForm" method="post" action="<@ofbizUrl>createOrderAdjustment?${paramString}</@ofbizUrl>">
+ <form name="addAdjustmentForm" method="post" action="<@ofbizUrl>createOrderAdjustment</@ofbizUrl>">
 <input type="hidden" name="comments" value="Added manually by [${userLogin.userLoginId}]"/>
+ <input type="hidden" name="orderId" value="${orderId?if_exists}"/>
 <table class="basic-table" cellspacing="0">
 <tr><td colspan="3"><hr/></td></tr>
 <tr>
|
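Review bot: The rewritten delete link submits `document.deleteOrderAdjustment${orderAdjustmentId}.submit()` on a single click with no confirmation, so an accidental click on `CommonDelete` removes the adjustment; the old `href` behaved the same, but since the link is being replaced this is the place to add an `onclick="return confirm('...')"` prompt (with a label from `uiLabelMap` rather than a hard-coded string). The JavaScript expression also interpolates `${orderAdjustmentId}` bare, while the hidden inputs of the same form use `?if_exists` — pick one convention, since a missing id fails on the bare reference regardless. `document.forms['deleteOrderAdjustment${orderAdjustmentId}'].submit()` would additionally survive an id that is not a valid JavaScript identifier (for example one containing `-`), should such ids ever occur. The enclosing `<#list>` starts outside the hunk.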
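Review bot: The `addAdjustmentForm` action drops `?${paramString}` and now forwards only `orderId`, so any other request parameter the old URL carried into `createOrderAdjustment` is no longer passed; that is fine only if the service needs nothing beyond `orderId` and the form's own fields, which this hunk does not show — worth checking against the service definition before relying on it. The new `deleteOrderAdjustment` form writes its hidden values without `?html`; `value="${orderId?if_exists?html}"` (and the same for `orderAdjustmentId`) closes the attribute-injection case unless output is escaped elsewhere. Neither new POST form carries a request token, so this change stops deletes and creates being triggered from a plain link but not from a cross-site form submission. The `<#if (security.hasEntityPermission(...` block opened here closes outside the hunk.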