I mixed 2 commit comments.
In this should read
<<Note also that we did not have to remove fullPath="true" in <@ofbizUrl>cancelOrderItem</@ofbizUrl> (orderitems.ftl), to avoid
the InsecureFormPostToSecureRequest error. It was not there in R9.04 (it has been introduced by Scott at
http://svn.apache.org/viewvc?rev=935146&view=rev)>>
Jacques
Author: jleroux
Date: Fri Jan 14 22:11:07 2011
New Revision: 1059185
URL: http://svn.apache.org/viewvc?rev=1059185&view=rev
Log:
"Applied fix from trunk for revision: 1059180"
------------------------------------------------------------------------
r1059180 | jleroux | 2011-01-14 22:47:23 +0100 (ven., 14 janv. 2011) | 16 lines
A modified patch from Sascha based on an initial patch from Abdullah Shaikh "permission error on cancel order item from ecommerce"
(https://issues.apache.org/jira/browse/OFBIZ-3075) - OFBIZ-3075
If I cancel an order item from ecommerce, I get the below error displayed on
the page.
The Following Errors Occurred:
Unable to cancel order line : WSCO11640 / 00001 / null
There has been a discussion about it in this thread
http://markmail.org/message/dfkudyvbksvls333
How it works: you can cancel an order item if you created it or have the ORDERMGR_CREATE or ORDERMGR_UPDATE permissions (I added
the latter to Sascha's patch, else the order manager would be annoyed ;o)
I think this makes sense, because AFAIK there are no other UIs than
https://demo-trunk.ofbiz.apache.org/ordermgr/control/editOrderItems?orderId=...
and
https://demo-trunk.ofbiz.apache.org:8443/ecommerce/control/orderstatus?orderId=...
to cancel an order item. So nobody should be able to bypass his/her permissions... Of course, let me know if you think I could
have missed something, thanks
Note also that we had to remove fullPath="true" in <@ofbizUrl>cancelOrderItem</@ofbizUrl> (orderitems.ftl), to avoid
the InsecureFormPostToSecureRequest error. I don't think it raises any security issues though, as it's done from a JavaScript call
with a hidden orderItemSeqId parameter.
------------------------------------------------------------------------
Modified:
ofbiz/branches/release09.04/ (props changed)
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
ofbiz/branches/release09.04/applications/order/servicedef/services.xml
Propchange: ofbiz/branches/release09.04/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Jan 14 22:11:07 2011
@@ -1 +1 @@
-/ofbiz/trunk:765933,766011,766015,766293,766307,766316,766325,766462,766522,766800,767060,767072,767093,767098-767099,767102,767123,767125,767127,767279,767287,767671,767688,767694,767822,767845,768358,768490,768550,768675,768686,768705,768811,768815,768960,769030,769500,770272,770308,770997,771073,771477,772401,772464-772465,773076,773557,773628,773659,773697,774014,774632,774661,774995,775292,775667,776227,776594,776620,776922,777004,777020,777768,777792,777893,777947,778078,778094,778107,778273,778278,778280,778364,778374,778402,778576,778594,778628,779020,779477,779496,779639,779834,779856,779866,779873,780111,780138,780180,780199,780203,780906,780945,781201,781534,781549,781669,781680,781694,782663,783257,783266,783833,783913,783917,785123,785764,785967,786778,787126,787435-787436,787442,787520,788965,788983,788987,789329,789337,789506,789548,796769,799185,800461,800846,801023,802346,804364,805307,806127,806377,806914,808786-808787,808792,809141,810370,810438,810465,8
10
807,810809,810814,810832,810836,810878,810917,811020,811280,811297,811419,811528,811708,811714,811716,811793,811838,811860,811865,811870,812159,812182,812192,812456,812540,812724,813126,813131,813283,813672,813702,814168,814205,814251,814349,814531,814576,814681,814731,815158,815165,815350,815687,815977,816255,816863,818030,818049,818150,818494,818500,818716,818976,819275-819276,819282,819337,821263,821270,822659,823877-823878,823883,823888,823892,824511,825181-825182,826253,827730,828971,829085,829376,829412,829416,829527,830091,830112,830366,830528,830677,830874,830880,831238,831801,832361,832698,832776,832880,832908,833324,833686,833703,834825,835161,835357,835585,836015,881194,881713,882072,882326,882918,883933,884023,884529,884546,884758,885122,885702,887916,888111,888559,888587,889666,890050,890107,890245,891378,891620,896649,899188,899833,900024,900026,900050,900217,900273,901628,907342-907343,910460,912587,915332,916252,916703,916925,917435,922042,923828,927870,9280
3
7,928166,928171,928180,928470,928477,929582,931594-931595,933157,935494,936817,941047,941431,941440,942884,943168,944895,945118,948017,950866,950870,950893,951005,951062,951098,951367,951381,951672,953294,953671,954135,954956,958343,958514,958521,960997,964558,965470,965916,966785,967098,978893,980641-980642,980935,981051,981104,981123,981288,983920,985718,985856,985902,990339,995686,996069,996078-996079,996563,997419-997420,997440,1003434,1003450,1004139,1037567,1040044,1042009,1042034,1042038,1042132,1042188,1042317,1042348,1042411,1043996-1043998,1050602,1056305,1057519,1058488
+/ofbiz/trunk:765933,766011,766015,766293,766307,766316,766325,766462,766522,766800,767060,767072,767093,767098-767099,767102,767123,767125,767127,767279,767287,767671,767688,767694,767822,767845,768358,768490,768550,768675,768686,768705,768811,768815,768960,769030,769500,770272,770308,770997,771073,771477,772401,772464-772465,773076,773557,773628,773659,773697,774014,774632,774661,774995,775292,775667,776227,776594,776620,776922,777004,777020,777768,777792,777893,777947,778078,778094,778107,778273,778278,778280,778364,778374,778402,778576,778594,778628,779020,779477,779496,779639,779834,779856,779866,779873,780111,780138,780180,780199,780203,780906,780945,781201,781534,781549,781669,781680,781694,782663,783257,783266,783833,783913,783917,785123,785764,785967,786778,787126,787435-787436,787442,787520,788965,788983,788987,789329,789337,789506,789548,796769,799185,800461,800846,801023,802346,804364,805307,806127,806377,806914,808786-808787,808792,809141,810370,810438,810465,8
10
807,810809,810814,810832,810836,810878,810917,811020,811280,811297,811419,811528,811708,811714,811716,811793,811838,811860,811865,811870,812159,812182,812192,812456,812540,812724,813126,813131,813283,813672,813702,814168,814205,814251,814349,814531,814576,814681,814731,815158,815165,815350,815687,815977,816255,816863,818030,818049,818150,818494,818500,818716,818976,819275-819276,819282,819337,821263,821270,822659,823877-823878,823883,823888,823892,824511,825181-825182,826253,827730,828971,829085,829376,829412,829416,829527,830091,830112,830366,830528,830677,830874,830880,831238,831801,832361,832698,832776,832880,832908,833324,833686,833703,834825,835161,835357,835585,836015,881194,881713,882072,882326,882918,883933,884023,884529,884546,884758,885122,885702,887916,888111,888559,888587,889666,890050,890107,890245,891378,891620,896649,899188,899833,900024,900026,900050,900217,900273,901628,907342-907343,910460,912587,915332,916252,916703,916925,917435,922042,923828,927870,9280
3
7,928166,928171,928180,928470,928477,929582,931594-931595,933157,935494,936817,941047,941431,941440,942884,943168,944895,945118,948017,950866,950870,950893,951005,951062,951098,951367,951381,951672,953294,953671,954135,954956,958343,958514,958521,960997,964558,965470,965916,966785,967098,978893,980641-980642,980935,981051,981104,981123,981288,983920,985718,985856,985902,990339,995686,996069,996078-996079,996563,997419-997420,997440,1003434,1003450,1004139,1037567,1040044,1042009,1042034,1042038,1042132,1042188,1042317,1042348,1042411,1043996-1043998,1050602,1056305,1057519,1058488,1059180
Modified:
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml?rev=1059185&r1=1059184&r2=1059185&view=diff
==============================================================================
---
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml
(original)
+++
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderServices.xml
Fri Jan 14 22:11:07 2011
@@ -552,10 +552,6 @@ under the License.
</simple-method>
<simple-method method-name="recreateOrderAdjustments" short-description="Auto
create OrderAdjustments">
- <check-permission permission="ORDERMGR" action="_UPDATE">
- <fail-property resource="OrderErrorUiLabels"
property="OrderSecurityErrorToRunAutoCreateOrderAdjustments"/>
- </check-permission>
- <check-errors/>
<entity-one entity-name="OrderHeader" value-field="order"
auto-field-map="true"/>
<!-- all existing promo order items are cancelled -->
<get-related value-field="order" relation-name="OrderItem"
list="orderItems"/>
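Review bot: dropping the in-method `<check-permission permission="ORDERMGR" action="_UPDATE">` block and its `<check-errors/>` leaves recreateOrderAdjustments with no guard of its own; the replacement is the `<permission-service>` declared on the service in services.xml, which the service engine evaluates only when the method is invoked as a service. A direct `<call-simple-method>` into recreateOrderAdjustments from another simple-method would not pass through that check, so either confirm there are no such callers or keep a lightweight check here. The `<check-errors/>` only served the permission failure, so removing it together with the block is consistent.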
Modified:
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml?rev=1059185&r1=1059184&r2=1059185&view=diff
==============================================================================
---
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
(original)
+++
ofbiz/branches/release09.04/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
Fri Jan 14 22:11:07 2011
@@ -20,12 +20,44 @@ under the License.
<simple-methods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/simple-methods.xsd">
+
+ <!-- Returns hasPermission=true if userLogin partyId equals partyId
parameter
+ Only the order owner should be able to cancel an item from Ecommerce
+ -->
+ <simple-method method-name="orderAdjustmentPermissionCheck"
short-description="Party contact mech permission logic">
+ <if-empty field="parameters.partyId">
+ <set field="parameters.partyId" from-field="userLogin.partyId"/>
+ </if-empty>
+ <if-compare-field to-field="userLogin.partyId" field="parameters.partyId"
operator="equals">
+ <set field="hasPermission" type="Boolean" value="true"/>
+ <field-to-result field="hasPermission"/>
+ <else>
+ <set field="primaryPermission" value="ORDERMGR"/>
+ <set field="altPermission" value="ORDERMGR_ROLE"/>
+ <set field="mainAction" from-field="parameters.mainAction"/>
+ <call-simple-method method-name="genericBasePermissionCheck"
xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/>
+ <if-compare field="hasPermission" operator="not-equals"
value="true">
+ <set field="resourceDescription"
from-field="parameters.resourceDescription"/>
+ <if-empty field="resourceDescription">
+ <property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation"
field="resourceDescription"/>
+ </if-empty>
+ <if-compare field="mainAction" value="CREATE"
operator="equals">
+ <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement"
field="failMessage"/>
+ </if-compare>
+ <if-compare field="mainAction" value="UPDATE"
operator="equals">
+ <property-to-field resource="OrderErrorUiLabels"
property="OrderSecurityErrorToRunAutoCreateOrderAdjustments" field="failMessage"/>
+ </if-compare>
+ <set field="hasPermission" type="Boolean" value="false"/>
+ <field-to-result field="failMessage"/>
+ <else>
+ <field-to-result field="hasPermission"/>
+ </else>
+ </if-compare>
+ </else>
+ </if-compare-field>
+ </simple-method>
+
<simple-method method-name="createOrderAdjustment" short-description="Create an
OrderAdjustment">
- <check-permission permission="ORDERMGR" action="_CREATE">
- <alt-permission permission="ORDERMGR_ROLE" action="_CREATE"/>
- <fail-property resource="OrderErrorUiLabels"
property="OrderSecurityErrorToRunCreateOrderAdjustement"/>
- </check-permission>
- <check-errors/>
<make-value entity-name="OrderAdjustment" value-field="newEntity"/>
<set-nonpk-fields map="parameters" value-field="newEntity"/>
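Review bot: the owner test in orderAdjustmentPermissionCheck cannot fail when no partyId is supplied: the `<if-empty field="parameters.partyId">` block copies `userLogin.partyId` into `parameters.partyId`, and the `<if-compare-field to-field="userLogin.partyId" field="parameters.partyId" operator="equals">` that follows then compares that value with itself, so `hasPermission` is set to true and the ORDERMGR / ORDERMGR_ROLE branch under `<else>` is never reached. The services that attach this check pass only their own IN attributes (recreateOrderAdjustments declares just orderId in services.xml), so the empty case is the common one rather than the exception. Suggest that an empty partyId fall through to the genericBasePermissionCheck branch instead of defaulting to the caller, and that the owner comparison use the party resolved from the order identified by parameters.orderId rather than a partyId supplied in the call context. Two smaller points: the XML comment and `short-description="Party contact mech permission logic"` describe a different check and should name order adjustments, and the UPDATE branch reuses the OrderSecurityErrorToRunAutoCreateOrderAdjustments label, which is worth confirming is the message intended for recreateOrderAdjustments.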
Modified: ofbiz/branches/release09.04/applications/order/servicedef/services.xml
URL:
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/servicedef/services.xml?rev=1059185&r1=1059184&r2=1059185&view=diff
==============================================================================
--- ofbiz/branches/release09.04/applications/order/servicedef/services.xml
(original)
+++ ofbiz/branches/release09.04/applications/order/servicedef/services.xml Fri
Jan 14 22:11:07 2011
@@ -177,9 +177,20 @@ under the License.
<attribute name="shipmentReceiptId" type="String" mode="IN"
optional="true"/>
</service>
+ <service name="orderAdjustmentPermissionCheck" engine="simple"
+ location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml"
invoke="orderAdjustmentPermissionCheck">
+ <description>
+ Performs a party contact mech security check. The userLogin
partyId must equal the partyId parameter.
+ Only the order owner should be able to cancel an item from
Ecommerce.
+ </description>
+ <implements service="permissionInterface"/>
+ <attribute name="partyId" type="String" mode="IN" optional="true"/>
+ </service>
+
<service name="createOrderAdjustment" default-entity-name="OrderAdjustment"
engine="simple"
location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml"
invoke="createOrderAdjustment">
<description>Creates a new order adjustment record</description>
+ <permission-service service-name="orderAdjustmentPermissionCheck"
main-action="CREATE"/>
<auto-attributes mode="OUT" include="pk" optional="false"/>
<auto-attributes mode="IN" include="nonpk" optional="true"/>
<override name="orderAdjustmentTypeId" optional="false"/>
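Review bot: the `<description>` of the new orderAdjustmentPermissionCheck service still reads "Performs a party contact mech security check", which was carried over from another permission service; it should say that it guards order adjustment creation and recreation. Also, `partyId` is declared `optional="true"` here, and createOrderAdjustment takes its IN attributes from `<auto-attributes mode="IN" include="nonpk">` on OrderAdjustment, so unless that entity carries a partyId field the permission check will receive none; the simple-method should treat a missing partyId as "not the owner" (and go on to the ORDERMGR check) rather than as a match, or derive the owner from the orderId it receives.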
@@ -347,6 +358,7 @@ under the License.
<service name="recreateOrderAdjustments" engine="simple" auth="true"
location="component://order/script/org/ofbiz/order/order/OrderServices.xml"
invoke="recreateOrderAdjustments">
<description>Remove all existing order adjustments, recalc them and persist
in OrderAdjustment.</description>
+ <permission-service service-name="orderAdjustmentPermissionCheck"
main-action="UPDATE"/>
<attribute name="orderId" type="String" mode="IN" optional="false"/>
</service>
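Review bot: this `<permission-service service-name="orderAdjustmentPermissionCheck" main-action="UPDATE"/>` is now the only guard on recreateOrderAdjustments, since the OrderServices.xml hunk removed the in-method ORDERMGR check. The service's only IN attribute is orderId, so the permission check runs without a partyId, and with the simple-method as written that path sets hasPermission to true for any authenticated caller. `auth="true"` is correctly kept, because the check depends on userLogin.partyId; to make the restriction to the order owner or to ORDERMGR users effective, have the permission method look the owner up from the orderId it is given.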