Nick Olson wrote:
The ordermgr/control/confirmationmailedit page generates an email with
this in the body:

<p>NOTE: This is a DEMO store-front.  Orders placed here will NOT be
billed, and will NOT be fulfilled.</p>

<div class="head1">Order not found with ID [WS10000], or not allowed to
view.</div>

The orderstatus.bsh script will only display the correct page if you are
logged in as the same party that made the order. I was able to fix this
by checking security.hasEntityPermission("ORDERMGR", "_VIEW", session),
but is this the way it should be checking for the view permissions?

-Nick
------------------------------------------------------------------------

Index: 
applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
===================================================================
--- 
applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh   
    (revision 510737)
+++ 
applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh   
    (working copy)
@@ -47,10 +47,13 @@
     orderHeader = delegator.findByPrimaryKey("OrderHeader", 
UtilMisc.toMap("orderId", orderId));
     productStore = orderHeader.getRelatedOneCache("ProductStore");
     if (productStore != null) isDemoStore = 
!"N".equals(productStore.getString("isDemoStore"));
- +
     // check OrderRole to make sure the user can view this order.  This check 
must be done for any order which is not anonymously placed and
     // any anonymous order when the allowAnonymousView security flag (see 
above) is not set to Y, to prevent peeking
-    if ((orderHeader != null) && (!("anonymous".equals(orderHeader.getString("createdBy"))) || 
("anonymous".equals(orderHeader.getString("createdBy")) && !"Y".equals(allowAnonymousView)))) {
+ // Also, check to see if user has view permissons to view the order + hasPermissions = security.hasEntityPermission("ORDERMGR", "_VIEW", session); + + if ((orderHeader != null) && (!("anonymous".equals(orderHeader.getString("createdBy"))) || ("anonymous".equals(orderHeader.getString("createdBy")) && !"Y".equals(allowAnonymousView))) && !hasPermissions) {
         orderRole = EntityUtil.getFirst(delegator.findByAnd("OrderRole", UtilMisc.toMap("orderId", orderId, 
"partyId", partyId, "roleTypeId", "PLACING_CUSTOMER")));
if (userLogin == null || orderRole == null) {
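Review bot: the new `!hasPermissions` clause makes any session holding ORDERMGR_VIEW skip the OrderRole lookup entirely, so the block that sets `orderRole` and the `if (userLogin == null || orderRole == null)` test below it are bypassed for such users; that matches the back-office intent, but the added comment should say so explicitly rather than "check to see if user has view permissons" (note the typo, `permissons` → `permissions`). The `hasPermissions` call is also evaluated before the `orderHeader != null` guard, so it runs for every request even when no order was found; moving it inside the guard, or at least next to the `allowAnonymousView` flag it complements, keeps the security checks in one place. The lone `- +` line looks like a whitespace-only change and can be dropped from the patch.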
Can you create a JIRA issue and a patch? I believe some of the recent security fixes may have broken this.
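The view decision the thread is discussing, written out as a stand-alone Java method so the four cases (own order, other party's order, ORDERMGR_VIEW holder, anonymous order with and without allowAnonymousView) can be traced without the delegator. This is an added, constructed example, not OFBiz code: `Order`, `placingPartyId` and `canView` are stand-ins for the OrderHeader/OrderRole lookups in orderstatus.bsh, and `hasOrdermgrView` stands for the result of `security.hasEntityPermission("ORDERMGR", "_VIEW", session)`.

```java
import java.util.Objects;

/** Constructed model of the order-view check in orderstatus.bsh (not OFBiz code). */
public class OrderViewCheck {

    /** Minimal stand-in for OrderHeader plus its PLACING_CUSTOMER OrderRole. */
    public static final class Order {
        final String orderId;
        final String createdBy;       // OrderHeader.createdBy ("anonymous" for guest checkout)
        final String placingPartyId;  // partyId holding the PLACING_CUSTOMER role
        Order(String orderId, String createdBy, String placingPartyId) {
            this.orderId = orderId;
            this.createdBy = createdBy;
            this.placingPartyId = placingPartyId;
        }
    }

    /**
     * Returns true when the caller may view the order.
     * viewerPartyId is null when nobody is logged in; hasOrdermgrView is the
     * value security.hasEntityPermission("ORDERMGR", "_VIEW", session) would return.
     */
    public static boolean canView(Order order, String viewerPartyId,
                                  boolean allowAnonymousView, boolean hasOrdermgrView) {
        if (order == null) return false;                 // "Order not found with ID [...]"
        // Back-office permission bypasses the per-order role check, as the patch does.
        if (hasOrdermgrView) return true;
        boolean anonymousOrder = "anonymous".equals(order.createdBy);
        // An anonymous order is viewable without a role only when the store sets
        // allowAnonymousView to Y; otherwise it is treated like any other order.
        if (anonymousOrder && allowAnonymousView) return true;
        // Everything else requires a logged-in party holding PLACING_CUSTOMER on the order.
        if (viewerPartyId == null) return false;
        return Objects.equals(order.placingPartyId, viewerPartyId);
    }

    public static void main(String[] args) {
        // Constructed sample orders; the party ids are placeholders.
        Order ws10000 = new Order("WS10000", "DemoCustomer", "DemoCustomer");
        Order guest   = new Order("WS10001", "anonymous", "_NA_");
        System.out.println("own order:              " + canView(ws10000, "DemoCustomer", false, false));
        System.out.println("other party, no perm:   " + canView(ws10000, "SomeoneElse", false, false));
        System.out.println("other party, ORDERMGR:  " + canView(ws10000, "SomeoneElse", false, true));
        System.out.println("guest order, flag N:    " + canView(guest, null, false, false));
        System.out.println("guest order, flag Y:    " + canView(guest, null, true, false));
    }
}
```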

