Hi Scott,

I see now that you introduced the fullPath="true" stuff at http://svn.apache.org/viewvc?rev=935146&view=rev. Is it really needed there?

Thanks

Jacques

From: <jler...@apache.org>
Author: jleroux
Date: Fri Jan 14 21:47:23 2011
New Revision: 1059180

URL: http://svn.apache.org/viewvc?rev=1059180&view=rev
Log:
A modified patch from Sascha based on an initial patch from Abdullah Shaikh "permission error on cancel order item from ecommerce" (https://issues.apache.org/jira/browse/OFBIZ-3075) - OFBIZ-3075

If I cancel an order item from ecommerce, I get the error below displayed on the page.
The Following Errors Occurred:
Unable to cancel order line : WSCO11640 / 00001 / null

There has been a discussion about it in this thread:
http://markmail.org/message/dfkudyvbksvls333

How it works: you can cancel an order item if you created it or have the ORDERMGR_CREATE or ORDERMGR_UPDATE permissions (I added the latter to Sascha's patch, else the order manager would be annoyed ;o)
I think this makes sense, because AFAIK there are no other UIs than
https://demo-trunk.ofbiz.apache.org/ordermgr/control/editOrderItems?orderId=...
and
https://demo-trunk.ofbiz.apache.org:8443/ecommerce/control/orderstatus?orderId=...
to cancel an order item. So nobody should be able to bypass his/her permissions... Of course, let me know if you think I could have missed something, thanks

Note also that we had to remove fullPath="true" in <@ofbizUrl>cancelOrderItem</@ofbizUrl> (orderitems.ftl), to avoid an InsecureFormPostToSecureRequest error. I don't think it raises any security issues though, as it's done from a JavaScript call with a hidden orderItemSeqId parameter.

Modified:
   ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml
   ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
   ofbiz/trunk/applications/order/servicedef/services.xml
   ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl

Modified: 
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml?rev=1059180&r1=1059179&r2=1059180&view=diff
==============================================================================
--- 
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml 
(original)
+++ 
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml 
Fri Jan 14 21:47:23 2011
@@ -599,10 +599,6 @@ under the License.
    </simple-method>

    <simple-method method-name="recreateOrderAdjustments" short-description="Auto 
create OrderAdjustments">
-        <check-permission permission="ORDERMGR" action="_UPDATE">
-            <fail-property resource="OrderErrorUiLabels" 
property="OrderSecurityErrorToRunAutoCreateOrderAdjustments"/>
-        </check-permission>
-        <check-errors/>
        <entity-one entity-name="OrderHeader" value-field="order" 
auto-field-map="true"/>
        <!-- all existing promo order items are cancelled -->
        <get-related value-field="order" relation-name="OrderItem" 
list="orderItems"/>
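Review bot: removing the ORDERMGR_UPDATE check-permission from the body of recreateOrderAdjustments leaves the simple-method itself unguarded on any path that does not go through the service engine (for example a call-simple-method from another script), because a permission-service declared in services.xml only runs on service dispatch. If the method is ever invoked directly, keep a check here; otherwise add a comment at the top of the method stating that callers must go through the recreateOrderAdjustments service, since the ownership check that now replaces this one is the sole gate.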

Modified: 
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml?rev=1059180&r1=1059179&r2=1059180&view=diff
==============================================================================
--- 
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
 (original)
+++ 
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
 Fri Jan 14 21:47:23 2011
@@ -20,12 +20,44 @@ under the License.

<simple-methods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
        
xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/simple-methods.xsd";>
+
+    <!-- Returns hasPermission=true if userLogin partyId equals partyId 
parameter
+         Only the order owner should be able to cancel an item from Ecommerce
+    -->
+    <simple-method method-name="orderAdjustmentPermissionCheck" 
short-description="Party contact mech permission logic">
+        <if-empty field="parameters.partyId">
+            <set field="parameters.partyId" from-field="userLogin.partyId"/>
+        </if-empty>
+        <if-compare-field to-field="userLogin.partyId" field="parameters.partyId" 
operator="equals">
+            <set field="hasPermission" type="Boolean" value="true"/>
+            <field-to-result field="hasPermission"/>
+            <else>
+                <set field="primaryPermission" value="ORDERMGR"/>
+                <set field="altPermission" value="ORDERMGR_ROLE"/>
+                <set field="mainAction" from-field="parameters.mainAction"/>
+ <call-simple-method method-name="genericBasePermissionCheck" xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/>
+                <if-compare field="hasPermission" operator="not-equals" 
value="true">
+                    <set field="resourceDescription" 
from-field="parameters.resourceDescription"/>
+                    <if-empty field="resourceDescription">
+ <property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation" field="resourceDescription"/>
+                    </if-empty>
+                    <if-compare field="mainAction" value="CREATE" 
operator="equals">
+ <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement" field="failMessage"/>
+                    </if-compare>
+                    <if-compare field="mainAction" value="UPDATE" 
operator="equals">
+ <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunAutoCreateOrderAdjustments" field="failMessage"/>
+                    </if-compare>
+                    <set field="hasPermission" type="Boolean" value="false"/>
+                    <field-to-result field="failMessage"/>
+                    <else>
+                        <field-to-result field="hasPermission"/>
+                    </else>
+                </if-compare>
+            </else>
+        </if-compare-field>
+    </simple-method>
+
    <simple-method method-name="createOrderAdjustment" short-description="Create an 
OrderAdjustment">
-        <check-permission permission="ORDERMGR" action="_CREATE">
-            <alt-permission permission="ORDERMGR_ROLE" action="_CREATE"/>
-            <fail-property resource="OrderErrorUiLabels" 
property="OrderSecurityErrorToRunCreateOrderAdjustement"/>
-        </check-permission>
-        <check-errors/>

        <make-value entity-name="OrderAdjustment" value-field="newEntity"/>
        <set-nonpk-fields map="parameters" value-field="newEntity"/>
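Review bot: the ownership test in orderAdjustmentPermissionCheck never looks at the order. When parameters.partyId is empty the if-empty block first sets it to userLogin.partyId, so the following if-compare-field compares the caller's partyId with itself and returns hasPermission=true for any authenticated caller; when partyId is present it is a caller-supplied value, so a caller satisfies the check simply by passing their own partyId. Derive ownership from the order instead, for example by looking up the OrderRole rows for parameters.orderId and userLogin.partyId, and fall through to genericBasePermissionCheck only when that lookup is empty. Two smaller points: the short-description "Party contact mech permission logic" is left over from whichever service this was copied from and should describe the order adjustment check, and in the failure branch hasPermission is set to false but only failMessage is sent with field-to-result, so add <field-to-result field="hasPermission"/> there unless genericBasePermissionCheck is relied on to have already set it in the result.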

Modified: ofbiz/trunk/applications/order/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services.xml?rev=1059180&r1=1059179&r2=1059180&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/servicedef/services.xml (original)
+++ ofbiz/trunk/applications/order/servicedef/services.xml Fri Jan 14 21:47:23 
2011
@@ -181,9 +181,20 @@ under the License.
        <attribute name="shipmentReceiptId" type="String" mode="IN" 
optional="true"/>
    </service>

+    <service name="orderAdjustmentPermissionCheck" engine="simple"
+ location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" invoke="orderAdjustmentPermissionCheck">
+        <description>
+            Performs a party contact mech security check. The userLogin 
partyId must equal the partyId parameter.
+            Only the order owner should be able to cancel an item from 
Ecommerce.
+        </description>
+        <implements service="permissionInterface"/>
+        <attribute name="partyId" type="String" mode="IN" optional="true"/>
+    </service>
+
    <service name="createOrderAdjustment" default-entity-name="OrderAdjustment" 
engine="simple"
            location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" 
invoke="createOrderAdjustment">
        <description>Creates a new order adjustment record</description>
+        <permission-service service-name="orderAdjustmentPermissionCheck" 
main-action="CREATE"/>
        <auto-attributes mode="OUT" include="pk" optional="false"/>
        <auto-attributes mode="IN" include="nonpk" optional="true"/>
        <override name="orderAdjustmentTypeId" optional="false"/>
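Review bot: partyId is declared as an optional IN attribute of orderAdjustmentPermissionCheck, but createOrderAdjustment only carries the OrderAdjustment non-pk fields as its inputs, so unless OrderAdjustment has a partyId field the permission service runs with no partyId at all and the check falls back to the caller's own partyId. Declare orderId (which the adjustment service already carries) as the permission service's input and check ownership of that order, rather than accepting a partyId the caller chooses. The description "Performs a party contact mech security check" is a leftover from the service this was copied from and should describe the order adjustment check; the sentence about cancelling an item from Ecommerce belongs in the commit message, not in a service that is also used by the order manager.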
@@ -355,6 +366,7 @@ under the License.
    <service name="recreateOrderAdjustments" engine="simple" auth="true"
            location="component://order/script/org/ofbiz/order/order/OrderServices.xml" 
invoke="recreateOrderAdjustments">
        <description>Remove all existing order adjustments, recalc them and persist 
in OrderAdjustment.</description>
+        <permission-service service-name="orderAdjustmentPermissionCheck" 
main-action="UPDATE"/>
        <attribute name="orderId" type="String" mode="IN" optional="false"/>
    </service>
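Review bot: recreateOrderAdjustments declares orderId as its only IN attribute, so the orderAdjustmentPermissionCheck it now delegates to never receives a partyId and, given that the check defaults a missing partyId to userLogin.partyId, it passes for every authenticated caller. Together with the removal of the ORDERMGR_UPDATE check-permission in OrderServices.xml this means any logged-in user can recreate the adjustments of any orderId with main-action UPDATE. Either make the permission service require ORDERMGR_UPDATE or verified ownership of orderId before returning hasPermission=true, or keep the original check-permission in the method until it does.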


Modified: 
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl?rev=1059180&r1=1059179&r2=1059180&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl 
(original)
+++ ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl 
Fri Jan 14 21:47:23 2011
@@ -222,7 +222,7 @@ under the License.
            ${uiLabelMap.CommonComments}
            <input class="inputBox" type="text" name="icm_${orderItem.orderItemSeqId}" value="" 
size="30" maxlength="60"/>
          </td>
- <td colspan="4"><a href="javascript:document.addCommonToCartForm.action='<@ofbizUrl fullPath="true">cancelOrderItem</@ofbizUrl>';document.addCommonToCartForm.submit()" class="buttontext">${uiLabelMap.CommonCancel}</a> + <td colspan="4"><a href="javascript:document.addCommonToCartForm.action='<@ofbizUrl>cancelOrderItem</@ofbizUrl>';document.addCommonToCartForm.submit()" class="buttontext">${uiLabelMap.CommonCancel}</a>
            <input type="hidden" name="orderItemSeqId" 
value="${orderItem.orderItemSeqId}"/>
          </td>
        </tr>
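Review bot: the hidden orderItemSeqId input and the JavaScript that sets the form action are both under the client's control, so the safety of this form rests entirely on the server-side check behind cancelOrderItem, not on the submission being scripted as the log message suggests. Dropping fullPath="true" also removes the explicit scheme and host from the generated action URL, so please confirm that the cancelOrderItem request-map in the ecommerce controller still requires https and that the InsecureFormPostToSecureRequest error was a scheme mismatch in the generated URL rather than a sign that the post was actually leaving https.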

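As an added illustration of the ownership rule the log message describes ("you can cancel an order item if you created it or have the ORDERMGR permissions"), here is a permission-check simple-method that decides ownership from the order's own roles instead of from a caller-supplied partyId. This is example code written for this review, not code from the commit or from OFBiz; it assumes the standard OrderRole entity (orderId, partyId, roleTypeId) and the PLACING_CUSTOMER role type, the service name orderOwnerOrManagerPermissionCheck is made up for the example, and genericBasePermissionCheck with primaryPermission, altPermission and mainAction is used exactly as in the committed code.

```xml
<!-- Added example, not part of the commit: ownership-based permission check
     that consults the order itself. Assumes the standard OrderRole entity
     (orderId, partyId, roleTypeId) and the PLACING_CUSTOMER role type. -->

<!-- OrderSimpleMethods.xml -->
<simple-method method-name="orderOwnerOrManagerPermissionCheck"
        short-description="hasPermission=true if the caller placed the order or holds ORDERMGR for mainAction">
    <!-- Fail closed: without an orderId ownership cannot be established -->
    <if-empty field="parameters.orderId">
        <set field="hasPermission" type="Boolean" value="false"/>
        <set field="failMessage" value="orderId is required to check order ownership"/>
        <field-to-result field="hasPermission"/>
        <field-to-result field="failMessage"/>
        <return/>
    </if-empty>

    <!-- Ownership comes from the order's roles, never from a caller-supplied partyId -->
    <entity-and entity-name="OrderRole" list="ownerRoles">
        <field-map field-name="orderId" from-field="parameters.orderId"/>
        <field-map field-name="partyId" from-field="userLogin.partyId"/>
        <field-map field-name="roleTypeId" value="PLACING_CUSTOMER"/>
    </entity-and>
    <if-not-empty field="ownerRoles">
        <set field="hasPermission" type="Boolean" value="true"/>
        <field-to-result field="hasPermission"/>
        <return/>
    </if-not-empty>

    <!-- Not the owner: require ORDERMGR (or ORDERMGR_ROLE) for the requested mainAction -->
    <set field="mainAction" from-field="parameters.mainAction"/>
    <set field="primaryPermission" value="ORDERMGR"/>
    <set field="altPermission" value="ORDERMGR_ROLE"/>
    <call-simple-method method-name="genericBasePermissionCheck"
            xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/>
    <if-compare field="hasPermission" operator="not-equals" value="true">
        <set field="hasPermission" type="Boolean" value="false"/>
        <property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation" field="failMessage"/>
        <field-to-result field="failMessage"/>
    </if-compare>
    <field-to-result field="hasPermission"/>
</simple-method>

<!-- services.xml: declare orderId so the service engine passes it to the check -->
<service name="orderOwnerOrManagerPermissionCheck" engine="simple"
        location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml"
        invoke="orderOwnerOrManagerPermissionCheck">
    <description>hasPermission=true if userLogin placed the order or holds ORDERMGR for the requested action.</description>
    <implements service="permissionInterface"/>
    <attribute name="orderId" type="String" mode="IN" optional="false"/>
</service>

<!-- On the guarded service (recreateOrderAdjustments, createOrderAdjustment): -->
<!-- <permission-service service-name="orderOwnerOrManagerPermissionCheck" main-action="UPDATE"/> -->
```

The difference from the committed check is that the partyId compared against userLogin.partyId is read from the OrderRole rows of the order being touched, so a caller cannot pick it, and a missing orderId fails closed instead of defaulting to a comparison that always succeeds.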