I mixed 2 commit comments.

In this one it should read:
<<Note also that we had not to remove fullPath="true" in <@ofbizUrl>cancelOrderItem</@ofbizUrl> (orderitems.ftl), to avoid InsecureFormPostToSecureRequest error. It was not there in R9.04 (has been introduced by Scott at http://svn.apache.org/viewvc?rev=935146&view=rev)>>

Jacques

Author: jleroux
Date: Fri Jan 14 22:11:07 2011
New Revision: 1059185

URL: http://svn.apache.org/viewvc?rev=1059185&view=rev
Log:
"Applied fix from trunk for revision: 1059180"
------------------------------------------------------------------------
r1059180 | jleroux | 2011-01-14 22:47:23 +0100 (ven., 14 janv. 2011) | 16 lines

A modified patch from Sascha based on an initial patch from Abdullah Shaikh "permission error on cancel order item from ecommerce" (https://issues.apache.org/jira/browse/OFBIZ-3075) - OFBIZ-3075

If I cancel an order item from ecommerce, I get the below error displayed on the page.
The Following Errors Occurred:
Unable to cancel order line : WSCO11640 / 00001 / null

There has been a discussion about it in this thread
http://markmail.org/message/dfkudyvbksvls333

How it works: you can cancel an order item if you created it or have the ORDERMGR_CREATE or ORDERMGR_UPDATE permissions (I added the latter to Sascha's patch, else the order manager would be annoyed ;o)
I think this makes sense, because AFAIK there are no other UIs than
https://demo-trunk.ofbiz.apache.org/ordermgr/control/editOrderItems?orderId=...
and
https://demo-trunk.ofbiz.apache.org:8443/ecommerce/control/orderstatus?orderId=...
to cancel an order item. So nobody should be able to bypass his/her permissions... Of course, let me know if you think I could have missed something, thanks

Note also that we had to remove fullPath="true" in <@ofbizUrl>cancelOrderItem</@ofbizUrl> (orderitems.ftl), to avoid InsecureFormPostToSecureRequest error. I don't think it raises any security issues though, as it's done from a javascript call with hidden orderItemSeqId parameter.
------------------------------------------------------------------------


Modified:
   ofbiz/branches/release09.04/   (props changed)
   ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml
   ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
   ofbiz/branches/release09.04/applications/order/servicedef/services.xml

Propchange: ofbiz/branches/release09.04/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Jan 14 22:11:07 2011
@@ -1 +1 @@

Modified: ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml?rev=1059185&r1=1059184&r2=1059185&view=diff
==============================================================================
--- 
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml
 (original)
+++ 
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml
 Fri Jan 14 22:11:07 2011
@@ -552,10 +552,6 @@ under the License.
    </simple-method>

    <simple-method method-name="recreateOrderAdjustments" short-description="Auto 
create OrderAdjustments">
-        <check-permission permission="ORDERMGR" action="_UPDATE">
-            <fail-property resource="OrderErrorUiLabels" 
property="OrderSecurityErrorToRunAutoCreateOrderAdjustments"/>
-        </check-permission>
-        <check-errors/>
        <entity-one entity-name="OrderHeader" value-field="order" 
auto-field-map="true"/>
        <!-- all existing promo order items are cancelled -->
        <get-related value-field="order" relation-name="OrderItem" 
list="orderItems"/>
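Review bot: removing the inline `<check-permission permission="ORDERMGR" action="_UPDATE">` block from recreateOrderAdjustments means the method is now protected only when it is reached through the service dispatcher, via the `<permission-service>` added to the recreateOrderAdjustments service definition in services.xml. Any `<call-simple-method>` that invokes recreateOrderAdjustments directly from another script bypasses the new check entirely; confirm there are no such direct callers, or keep the in-method check as defence in depth.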

Modified: ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml?rev=1059185&r1=1059184&r2=1059185&view=diff
==============================================================================
--- 
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
 (original)
+++ 
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
 Fri Jan 14 22:11:07 2011
@@ -20,12 +20,44 @@ under the License.

<simple-methods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
        
xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/simple-methods.xsd";>
+
+    <!-- Returns hasPermission=true if userLogin partyId equals partyId 
parameter
+         Only the order owner should be able to cancel an item from Ecommerce
+    -->
+    <simple-method method-name="orderAdjustmentPermissionCheck" 
short-description="Party contact mech permission logic">
+        <if-empty field="parameters.partyId">
+            <set field="parameters.partyId" from-field="userLogin.partyId"/>
+        </if-empty>
+        <if-compare-field to-field="userLogin.partyId" field="parameters.partyId" 
operator="equals">
+            <set field="hasPermission" type="Boolean" value="true"/>
+            <field-to-result field="hasPermission"/>
+            <else>
+                <set field="primaryPermission" value="ORDERMGR"/>
+                <set field="altPermission" value="ORDERMGR_ROLE"/>
+                <set field="mainAction" from-field="parameters.mainAction"/>
+ <call-simple-method method-name="genericBasePermissionCheck" xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/>
+                <if-compare field="hasPermission" operator="not-equals" 
value="true">
+                    <set field="resourceDescription" 
from-field="parameters.resourceDescription"/>
+                    <if-empty field="resourceDescription">
+ <property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation" field="resourceDescription"/>
+                    </if-empty>
+                    <if-compare field="mainAction" value="CREATE" 
operator="equals">
+ <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement" field="failMessage"/>
+                    </if-compare>
+                    <if-compare field="mainAction" value="UPDATE" 
operator="equals">
+ <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunAutoCreateOrderAdjustments" field="failMessage"/>
+                    </if-compare>
+                    <set field="hasPermission" type="Boolean" value="false"/>
+                    <field-to-result field="failMessage"/>
+                    <else>
+                        <field-to-result field="hasPermission"/>
+                    </else>
+                </if-compare>
+            </else>
+        </if-compare-field>
+    </simple-method>
+
    <simple-method method-name="createOrderAdjustment" short-description="Create an 
OrderAdjustment">
-        <check-permission permission="ORDERMGR" action="_CREATE">
-            <alt-permission permission="ORDERMGR_ROLE" action="_CREATE"/>
-            <fail-property resource="OrderErrorUiLabels" 
property="OrderSecurityErrorToRunCreateOrderAdjustement"/>
-        </check-permission>
-        <check-errors/>

        <make-value entity-name="OrderAdjustment" value-field="newEntity"/>
        <set-nonpk-fields map="parameters" value-field="newEntity"/>
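Review bot: orderAdjustmentPermissionCheck grants permission to every authenticated caller whenever no partyId is supplied: `<if-empty field="parameters.partyId">` copies userLogin.partyId into parameters.partyId, and the following `<if-compare-field ... operator="equals">` then trivially succeeds and returns hasPermission=true before the ORDERMGR branch is reached. Since partyId is an optional attribute and recreateOrderAdjustments (which this check is attached to) takes only orderId, the owner should be resolved from the order itself, for example from the OrderRole records for parameters.orderId, rather than defaulted to the caller. Two smaller points: the comment and short-description ("Party contact mech permission logic") were carried over from the party component and should describe order ownership; and the failure branch sets hasPermission to false but only returns failMessage, so add `<field-to-result field="hasPermission"/>` there as well.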

Modified: ofbiz/branches/release09.04/applications/order/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/servicedef/services.xml?rev=1059185&r1=1059184&r2=1059185&view=diff
==============================================================================
--- ofbiz/branches/release09.04/applications/order/servicedef/services.xml 
(original)
+++ ofbiz/branches/release09.04/applications/order/servicedef/services.xml Fri 
Jan 14 22:11:07 2011
@@ -177,9 +177,20 @@ under the License.
        <attribute name="shipmentReceiptId" type="String" mode="IN" 
optional="true"/>
    </service>

+    <service name="orderAdjustmentPermissionCheck" engine="simple"
+ location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" invoke="orderAdjustmentPermissionCheck">
+        <description>
+            Performs a party contact mech security check. The userLogin 
partyId must equal the partyId parameter.
+            Only the order owner should be able to cancel an item from 
Ecommerce.
+        </description>
+        <implements service="permissionInterface"/>
+        <attribute name="partyId" type="String" mode="IN" optional="true"/>
+    </service>
+
    <service name="createOrderAdjustment" default-entity-name="OrderAdjustment" 
engine="simple"
            location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" 
invoke="createOrderAdjustment">
        <description>Creates a new order adjustment record</description>
+        <permission-service service-name="orderAdjustmentPermissionCheck" 
main-action="CREATE"/>
        <auto-attributes mode="OUT" include="pk" optional="false"/>
        <auto-attributes mode="IN" include="nonpk" optional="true"/>
        <override name="orderAdjustmentTypeId" optional="false"/>
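Review bot: the `<description>` of the new orderAdjustmentPermissionCheck service still reads "Performs a party contact mech security check", a copy-paste remnant; it should say that the check passes when the caller is the order owner or holds ORDERMGR/ORDERMGR_ROLE for the given main-action. Also, partyId is declared optional here and createOrderAdjustment's inputs are generated from OrderAdjustment's non-pk fields, so document where partyId is expected to come from, since the no-partyId case is the one in which the check is weakest.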
@@ -347,6 +358,7 @@ under the License.
    <service name="recreateOrderAdjustments" engine="simple" auth="true"
            location="component://order/script/org/ofbiz/order/order/OrderServices.xml" 
invoke="recreateOrderAdjustments">
        <description>Remove all existing order adjustments, recalc them and persist 
in OrderAdjustment.</description>
+        <permission-service service-name="orderAdjustmentPermissionCheck" 
main-action="UPDATE"/>
        <attribute name="orderId" type="String" mode="IN" optional="false"/>
    </service>
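Review bot: recreateOrderAdjustments declares orderId as its only IN attribute, so the attached orderAdjustmentPermissionCheck (main-action UPDATE) never receives a partyId from this service and, with the check as written, has only the caller's own userLogin.partyId to compare against. Either resolve the owner from orderId inside the permission method, or keep an explicit ORDERMGR_UPDATE check on this service.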
