Author: sichen Date: Wed Oct 18 15:39:16 2006 New Revision: 465401 URL: http://svn.apache.org/viewvc?view=rev&rev=465401 Log: fix emails of anonymous checkout, and moved up the demo store tag so under all circumstances it is checked
Modified: incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml
Modified: incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
URL: http://svn.apache.org/viewvc/incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh?view=diff&rev=465401&r1=465400&r2=465401
==============================================================================
--- incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh (original)
+++ incubator/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh Wed Oct 18 15:39:16 2006
@@ -36,10 +36,19 @@ partyId = null; if (userLogin != null) partyId = userLogin.getString("partyId"); +// can anybody view an anonymous order? this is set in the screen widget and should only be turned on by an email confirmation screen +allowAnonymousView = context.get("allowAnonymousView"); + orderHeader = null; +boolean isDemoStore = true; if (orderId != null && orderId.length() > 0) { orderHeader = delegator.findByPrimaryKey("OrderHeader", UtilMisc.toMap("orderId", orderId)); - if (orderHeader != null) { + productStore = orderHeader.getRelatedOneCache("ProductStore"); + if (productStore != null) isDemoStore = !"N".equals(productStore.getString("isDemoStore")); + + // check OrderRole to make sure the user can view this order. This check must be done for any order which is not anonymously placed and + // any anonymous order when the allowAnonymousView security flag (see above) is not set to Y, to prevent peeking + if ((orderHeader != null) && (!("anonymous".equals(orderHeader.getString("createdBy"))) || ("anonymous".equals(orderHeader.getString("createdBy")) && !"Y".equals(allowAnonymousView)))) { orderRole = delegator.findByPrimaryKey("OrderRole", UtilMisc.toMap("orderId", orderId, "partyId", partyId, "roleTypeId", "PLACING_CUSTOMER")); if (userLogin == null || orderRole == null) { context.remove("orderHeader"); 
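Review bot: The moved-up `productStore = orderHeader.getRelatedOneCache("ProductStore");` runs before the `orderHeader != null` test, so an orderId that matches no OrderHeader now fails on a null dereference instead of reaching whatever not-found handling follows; guard it, e.g. `productStore = (orderHeader != null) ? orderHeader.getRelatedOneCache("ProductStore") : null;`. The new authorization condition also reduces to `(orderHeader != null) && !("anonymous".equals(orderHeader.getString("createdBy")) && "Y".equals(allowAnonymousView))`, which makes it plain that the OrderRole check is skipped only when both hold. When it is skipped, nothing visible in this hunk ties the viewer to the order, so the script depends entirely on the calling screen for who may supply an orderId. The `if (orderId != null && ...)` block continues past the end of the hunk.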
@@ -93,10 +102,6 @@ webSiteId = CatalogWorker.getWebSiteId(request); } - productStore = orderHeader.getRelatedOne("ProductStore"); - boolean isDemoStore = true; - if (productStore != null) isDemoStore = !"N".equals(productStore.getString("isDemoStore")); - payToPartyId = productStore.getString("payToPartyId"); paymentAddress = PaymentWorker.getPaymentAddress(delegator, payToPartyId); if (paymentAddress != null) context.put("paymentAddress", paymentAddress); Modified: incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml URL: http://svn.apache.org/viewvc/incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml?view=diff&rev=465401&r1=465400&r2=465401 ============================================================================== --- incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml (original) +++ incubator/ofbiz/trunk/applications/ecommerce/widget/EmailOrderScreens.xml Wed Oct 18 15:39:16 2006 @@ -78,6 +78,7 @@ <actions> <set field="title" value="Order Confirmation Notice"/> <set field="baseEcommerceSecureUrl" value="${baseSecureUrl}/ecommerce/control/"/> + <set field="allowAnonymousView" value="Y"/> <!-- this field will instruction orderstatus.bsh to allow an anonymous order to be viewed by anybody, so the email confirmation screen will work --> <script location="component://ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh"/> </actions> <widgets>
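Review bot: Setting `allowAnonymousView` to `Y` in the EmailOrderScreens.xml hunk switches off the PLACING_CUSTOMER OrderRole check in orderstatus.bsh for every order whose createdBy is `anonymous`, and the inline comment does not say what keeps this screen from being rendered with a caller-chosen orderId. If the screen is only ever rendered by the order-confirmation email service, that should be stated next to the flag; if it can also be reached through a request, details of anonymous orders would be readable without any ownership check. Suggested comment: `<!-- disables the OrderRole check in orderstatus.bsh for anonymous orders; set only on screens rendered by the confirmation email service, never on a request-reachable screen -->`, which also fixes the "will instruction" wording. The enclosing screen definition starts and ends outside the hunk.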