Posted to commits@ofbiz.apache.org by mo...@apache.org on 2009/05/26 13:23:30 UTC
svn commit: r778654 -
/ofbiz/branches/release09.04/applications/order/webapp/ordermgr/order/editorderitems.ftl
Author: mor
Date: Tue May 26 11:23:30 2009
New Revision: 778654
URL: http://svn.apache.org/viewvc?rev=778654&view=rev
Log:
Applied fix from trunk for revision: 778653
Securing URLs in FTL for adding, updating and deleting adjustments. Patch from Pranay Pandey, part of OFBIZ-2514 (https://issues.apache.org/jira/browse/OFBIZ-2514)
Modified:
ofbiz/branches/release09.04/applications/order/webapp/ordermgr/order/editorderitems.ftl
Modified: ofbiz/branches/release09.04/applications/order/webapp/ordermgr/order/editorderitems.ftl
URL: http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/webapp/ordermgr/order/editorderitems.ftl?rev=778654&r1=778653&r2=778654&view=diff
==============================================================================
--- ofbiz/branches/release09.04/applications/order/webapp/ordermgr/order/editorderitems.ftl (original)
+++ ofbiz/branches/release09.04/applications/order/webapp/ordermgr/order/editorderitems.ftl Tue May 26 11:23:30 2009
@@ -274,7 +274,9 @@
<#assign adjustmentAmount = Static["org.ofbiz.order.order.OrderReadHelper"].calcOrderAdjustment(orderHeaderAdjustment, orderSubTotal)>
<#assign orderAdjustmentId = orderHeaderAdjustment.get("orderAdjustmentId")>
<#if adjustmentAmount != 0>
- <form name="updateOrderAdjustmentForm${orderAdjustmentId}" method="post" action="<@o...@ofbizUrl>">
+ <form name="updateOrderAdjustmentForm${orderAdjustmentId}" method="post" action="<@o...@ofbizUrl>">
+ <input type="hidden" name="orderAdjustmentId" value="${orderAdjustmentId?if_exists}"/>
+ <input type="hidden" name="orderId" value="${orderId?if_exists}"/>
<table class="basic-table" cellspacing="0">
<tr>
<td class="align-text" width="55%">
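Review bot: The new hidden inputs on lines 25–26 interpolate `orderAdjustmentId` and `orderId` straight into attribute values; unless this template runs with output escaping enabled, a value containing a double quote would break out of the attribute and the POST form becomes an injection point rather than a hardening. Escaping with the FreeMarker builtin, `value="${orderId?if_exists?html}"` and `value="${orderAdjustmentId?if_exists?html}"`, keeps the value inert; the same applies to the hidden inputs in the third hunk (lines 45–46 and 55). Moving these actions from links to POST forms also only helps if the controller's request entries for update/add/delete are restricted to POST, which is outside this diff and worth confirming. The enclosing `<#if adjustmentAmount != 0>` block continues past this hunk.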
@@ -290,7 +292,8 @@
<td nowrap="nowrap" width="15%">
<#if (allowPriceChange)>
<input type="text" name="amount" size="6" value="<@ofbizAmount amount=adjustmentAmount/>"/>
- <input class="smallSubmit" type="submit" value="${uiLabelMap.CommonUpdate}"/><a href="<@o...@ofbizUrl>" class="buttontext">${uiLabelMap.CommonDelete}</a>
+ <input class="smallSubmit" type="submit" value="${uiLabelMap.CommonUpdate}"/>
+ <a href="javascript:document.deleteOrderAdjustment${orderAdjustmentId}.submit();" class="buttontext">${uiLabelMap.CommonDelete}</a>
<#else>
<@ofbizAmount amount=adjustmentAmount/>
</#if>
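Review bot: The Delete link on line 36 is a `javascript:` URI whose form name is built from an unescaped `orderAdjustmentId`; an id that is not a valid JavaScript identifier would make the expression a syntax error, and one containing a quote or special characters would be interpreted as script. A plain submit control inside the `deleteOrderAdjustment…` form, or an `onclick` of `document.forms['deleteOrderAdjustment${orderAdjustmentId?js_string}'].submit(); return false;` on an `href="#"` link, avoids both problems. The delete form this link targets is defined in the following hunk, after the update form closes, so the two forms are correctly not nested.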
@@ -298,13 +301,18 @@
</tr>
</table>
</form>
+ <form name="deleteOrderAdjustment${orderAdjustmentId}" method="post" action="<@o...@ofbizUrl>">
+ <input type="hidden" name="orderAdjustmentId" value="${orderAdjustmentId?if_exists}"/>
+ <input type="hidden" name="orderId" value="${orderId?if_exists}"/>
+ </form>
</#if>
</#list>
<#-- add new adjustment -->
<#if (security.hasEntityPermission("ORDERMGR", "_UPDATE", session) || security.hasRolePermission("ORDERMGR", "_UPDATE", "", "", session)) && orderHeader.statusId != "ORDER_COMPLETED" && orderHeader.statusId != "ORDER_CANCELLED" && orderHeader.statusId != "ORDER_REJECTED">
- <form name="addAdjustmentForm" method="post" action="<@o...@ofbizUrl>">
+ <form name="addAdjustmentForm" method="post" action="<@o...@ofbizUrl>">
<input type="hidden" name="comments" value="Added manually by [${userLogin.userLoginId}]"/>
+ <input type="hidden" name="orderId" value="${orderId?if_exists}"/>
<table class="basic-table" cellspacing="0">
<tr><td colspan="3"><hr/></td></tr>
<tr>