Author: sichen
Date: Wed Oct 18 15:39:16 2006
New Revision: 465401

URL: http://svn.apache.org/viewvc?view=rev&rev=465401
Log:
fix emails of anonymous checkout, and moved up the demo store tag so under all 
circumstances it is checked

Modified:
    
incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
    incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml

Modified: 
incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
URL: 
http://svn.apache.org/viewvc/incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh?view=diff&rev=465401&r1=465400&r2=465401
==============================================================================
--- 
incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
 (original)
+++ 
incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
 Wed Oct 18 15:39:16 2006
@@ -36,10 +36,19 @@
 partyId = null;
 if (userLogin != null) partyId = userLogin.getString("partyId");
 
+// can anybody view an anonymous order?  this is set in the screen widget and 
should only be turned on by an email confirmation screen 
+allowAnonymousView = context.get("allowAnonymousView");
+
 orderHeader = null;
+boolean isDemoStore = true;
 if (orderId != null && orderId.length() > 0) {
     orderHeader = delegator.findByPrimaryKey("OrderHeader", 
UtilMisc.toMap("orderId", orderId));
-    if (orderHeader != null) {
+    productStore = orderHeader.getRelatedOneCache("ProductStore");
+    if (productStore != null) isDemoStore = 
!"N".equals(productStore.getString("isDemoStore"));
+    
+    // check OrderRole to make sure the user can view this order.  This check 
must be done for any order which is not anonymously placed and
+    // any anonymous order when the allowAnonymousView security flag (see 
above) is not set to Y, to prevent peeking
+    if ((orderHeader != null) && 
(!("anonymous".equals(orderHeader.getString("createdBy"))) || 
("anonymous".equals(orderHeader.getString("createdBy")) && 
!"Y".equals(allowAnonymousView)))) {
         orderRole = delegator.findByPrimaryKey("OrderRole", 
UtilMisc.toMap("orderId", orderId, "partyId", partyId, "roleTypeId", 
"PLACING_CUSTOMER"));
         if (userLogin == null || orderRole == null) {
             context.remove("orderHeader");
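Review bot: The added `productStore = orderHeader.getRelatedOneCache("ProductStore");` dereferences orderHeader before the `orderHeader != null` test that follows it, so an orderId that matches no OrderHeader (a case the following null test implies can happen) now fails with a null-pointer error instead of falling through; guard it, e.g. `if (orderHeader != null) productStore = orderHeader.getRelatedOneCache("ProductStore");`. The new access condition also repeats the "anonymous" comparison: `!anon || (anon && !allowed)` is equivalent to `!anon || !allowed`, which is easier to audit in a check that decides who may see an order. When createdBy is "anonymous" and allowAnonymousView is "Y" the OrderRole check is skipped entirely, so it is worth confirming that the flag can only come from the screen definition and never from request input; that cannot be confirmed from this hunk. The enclosing `if (orderId != null ...)` block continues past the end of the hunk.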
@@ -93,10 +102,6 @@
         webSiteId = CatalogWorker.getWebSiteId(request);
     }
 
-    productStore = orderHeader.getRelatedOne("ProductStore");
-    boolean isDemoStore = true;
-    if (productStore != null) isDemoStore = 
!"N".equals(productStore.getString("isDemoStore"));
-    
     payToPartyId = productStore.getString("payToPartyId");
     paymentAddress =  PaymentWorker.getPaymentAddress(delegator, 
payToPartyId);    
     if (paymentAddress != null) context.put("paymentAddress", paymentAddress); 
 

Modified: 
incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml
URL: 
http://svn.apache.org/viewvc/incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml?view=diff&rev=465401&r1=465400&r2=465401
==============================================================================
--- incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml 
(original)
+++ incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml 
Wed Oct 18 15:39:16 2006
@@ -78,6 +78,7 @@
             <actions>
                 <set field="title" value="Order Confirmation Notice"/>
                 <set field="baseEcommerceSecureUrl" 
value="${baseSecureUrl}/ecommerce/control/"/>
+                <set field="allowAnonymousView" value="Y"/>  <!-- this field 
will instruction orderstatus.bsh to allow an anonymous order to be viewed by 
anybody, so the email confirmation screen will work -->
                 <script 
location="component://ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh"/>
             </actions>
             <widgets>
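Review bot: The comment on the added `<set field="allowAnonymousView" value="Y"/>` line says "will instruction" where "will instruct" is meant, and it does not state the constraint that makes the flag safe. Because the flag switches off the OrderRole check in orderstatus.bsh for every order created by "anonymous", this screen should only be rendered by the order-confirmation email path and not be reachable through a request that takes orderId from the user; whether that holds cannot be seen from this hunk. A comment along the lines of `<!-- tells orderstatus.bsh to skip the OrderRole check for anonymous orders; set only on email screens, never on request-reachable screens -->` would record that. The screen definition starts and ends outside the hunk.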

