The ordermgr/control/confirmationmailedit page generates an email with
this in the body:

<p>NOTE: This is a DEMO store-front.  Orders placed here will NOT be
billed, and will NOT be fulfilled.</p>

<div class="head1">Order not found with ID [WS10000], or not allowed to
view.</div>

The orderstatus.bsh script will only display the correct page if you are
logged in as the same party that made the order. I was able to fix this
by checking security.hasEntityPermission("ORDERMGR", "_VIEW", session),
but is this the way it should be checking for the view permissions?

-Nick
Index: 
applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
===================================================================
--- 
applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh   
    (revision 510737)
+++ 
applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh   
    (working copy)
@@ -47,10 +47,13 @@
     orderHeader = delegator.findByPrimaryKey("OrderHeader", 
UtilMisc.toMap("orderId", orderId));
     productStore = orderHeader.getRelatedOneCache("ProductStore");
     if (productStore != null) isDemoStore = 
!"N".equals(productStore.getString("isDemoStore"));
-    
+
     // check OrderRole to make sure the user can view this order.  This check 
must be done for any order which is not anonymously placed and
     // any anonymous order when the allowAnonymousView security flag (see 
above) is not set to Y, to prevent peeking
-    if ((orderHeader != null) && 
(!("anonymous".equals(orderHeader.getString("createdBy"))) || 
("anonymous".equals(orderHeader.getString("createdBy")) && 
!"Y".equals(allowAnonymousView)))) {
+       // Also, check to see if user has view permissons to view the order    
+    hasPermissions =  security.hasEntityPermission("ORDERMGR", "_VIEW", 
session);
+    
+    if ((orderHeader != null) && 
(!("anonymous".equals(orderHeader.getString("createdBy"))) || 
("anonymous".equals(orderHeader.getString("createdBy")) && 
!"Y".equals(allowAnonymousView))) && !hasPermissions) {
         orderRole = EntityUtil.getFirst(delegator.findByAnd("OrderRole", 
UtilMisc.toMap("orderId", orderId, "partyId", partyId, "roleTypeId", 
"PLACING_CUSTOMER")));
         
         if (userLogin == null || orderRole == null) {
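Review bot: the new `hasPermissions` test at `&& !hasPermissions` short-circuits the whole OrderRole guard, including the `userLogin == null || orderRole == null` branch below it, so anyone the `ORDERMGR_VIEW` check accepts sees the order without the PLACING_CUSTOMER lookup; that is the intended effect for the manager-side confirmation mail, but it means the permission call itself now decides access, so it should be robust when this script is rendered outside a normal customer request. If `session` can be absent in that path, guard it, or use the `userLogin` overload, since `userLogin` is already in scope here: `hasPermissions = security.hasEntityPermission("ORDERMGR", "_VIEW", userLogin);`. Minor points: the added comment is indented differently from the statement it describes and has a typo (`permissons`), and the comment sits above the assignment but talks about the `if`, so either move it next to the condition or reword it to say it computes the manager-side bypass.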
