Posted to commits@ofbiz.apache.org by jl...@apache.org on 2011/01/14 22:47:23 UTC
svn commit: r1059180 - in /ofbiz/trunk:
applications/order/script/org/ofbiz/order/order/
applications/order/servicedef/
specialpurpose/ecommerce/webapp/ecommerce/order/
Author: jleroux
Date: Fri Jan 14 21:47:23 2011
New Revision: 1059180
URL: http://svn.apache.org/viewvc?rev=1059180&view=rev
Log:
A modified patch from Sascha based on an intial patch from Abdullah Shaikh "permission error on cancel order item from ecommerce" (https://issues.apache.org/jira/browse/OFBIZ-3075) - OFBIZ-3075
If I cancel an order item from ecommerce. I get, the below error displayed on the page.
The Following Errors Occurred:
Unable to cancel order line : WSCO11640 / 00001 / null
There have been a discussion about it in this thread http://markmail.org/message/dfkudyvbksvls333
How it works: you can cancel an order item if you create it or have the ORDERMGR_CREATE or ORDERMGR_UPDATE permissions (I added the later to Sascha's patch, else the order manager would be annoyed ;o)
I think this makes sense, because AFAIK there are no other UIs than
https://demo-trunk.ofbiz.apache.org/ordermgr/control/editOrderItems?orderId=...
and
https://demo-trunk.ofbiz.apache.org:8443/ecommerce/control/orderstatus?orderId=...
to cancel an order item. So nobody should be able to bypass his/her permissions... Of course, let me know if you think I could have missed something, thanks
Note also that we had to remove fullPath="true" in <@o...@ofbizUrl> (orderitems.ftl), to avoid the InsecureFormPostToSecureRequest error. I don't think it raises any security issues though, as it's done from a javascript call with a hidden orderItemSeqId parameter.
Modified:
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml
ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
ofbiz/trunk/applications/order/servicedef/services.xml
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl
Modified: ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml?rev=1059180&r1=1059179&r2=1059180&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml (original)
+++ ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml Fri Jan 14 21:47:23 2011
@@ -599,10 +599,6 @@ under the License.
</simple-method>
<simple-method method-name="recreateOrderAdjustments" short-description="Auto create OrderAdjustments">
- <check-permission permission="ORDERMGR" action="_UPDATE">
- <fail-property resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunAutoCreateOrderAdjustments"/>
- </check-permission>
- <check-errors/>
<entity-one entity-name="OrderHeader" value-field="order" auto-field-map="true"/>
<!-- all existing promo order items are cancelled -->
<get-related value-field="order" relation-name="OrderItem" list="orderItems"/>
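Review bot: With the inline `check-permission` removed, `recreateOrderAdjustments` no longer enforces any authorization itself and depends entirely on the `permission-service` declared in services.xml, which (as far as I know of OFBiz dispatch) is only evaluated when the method is invoked as a service and not when it is reached through `call-simple-method`. That dependency should be stated where the check used to be, e.g. `<!-- Authorization is delegated to the orderAdjustmentPermissionCheck permission-service in services.xml; invoke via the service dispatcher, never via call-simple-method -->`. The method body continues past the end of this hunk.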
Modified: ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml?rev=1059180&r1=1059179&r2=1059180&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml (original)
+++ ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml Fri Jan 14 21:47:23 2011
@@ -20,12 +20,44 @@ under the License.
<simple-methods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/simple-methods.xsd">
+
+ <!-- Returns hasPermission=true if userLogin partyId equals partyId parameter
+ Only the order owner should be able to cancel an item from Ecommerce
+ -->
+ <simple-method method-name="orderAdjustmentPermissionCheck" short-description="Party contact mech permission logic">
+ <if-empty field="parameters.partyId">
+ <set field="parameters.partyId" from-field="userLogin.partyId"/>
+ </if-empty>
+ <if-compare-field to-field="userLogin.partyId" field="parameters.partyId" operator="equals">
+ <set field="hasPermission" type="Boolean" value="true"/>
+ <field-to-result field="hasPermission"/>
+ <else>
+ <set field="primaryPermission" value="ORDERMGR"/>
+ <set field="altPermission" value="ORDERMGR_ROLE"/>
+ <set field="mainAction" from-field="parameters.mainAction"/>
+ <call-simple-method method-name="genericBasePermissionCheck" xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/>
+ <if-compare field="hasPermission" operator="not-equals" value="true">
+ <set field="resourceDescription" from-field="parameters.resourceDescription"/>
+ <if-empty field="resourceDescription">
+ <property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation" field="resourceDescription"/>
+ </if-empty>
+ <if-compare field="mainAction" value="CREATE" operator="equals">
+ <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement" field="failMessage"/>
+ </if-compare>
+ <if-compare field="mainAction" value="UPDATE" operator="equals">
+ <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunAutoCreateOrderAdjustments" field="failMessage"/>
+ </if-compare>
+ <set field="hasPermission" type="Boolean" value="false"/>
+ <field-to-result field="failMessage"/>
+ <else>
+ <field-to-result field="hasPermission"/>
+ </else>
+ </if-compare>
+ </else>
+ </if-compare-field>
+ </simple-method>
+
<simple-method method-name="createOrderAdjustment" short-description="Create an OrderAdjustment">
- <check-permission permission="ORDERMGR" action="_CREATE">
- <alt-permission permission="ORDERMGR_ROLE" action="_CREATE"/>
- <fail-property resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement"/>
- </check-permission>
- <check-errors/>
<make-value entity-name="OrderAdjustment" value-field="newEntity"/>
<set-nonpk-fields map="parameters" value-field="newEntity"/>
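Review bot: The ownership test at the top of `orderAdjustmentPermissionCheck` compares `userLogin.partyId` with `parameters.partyId`, a caller-supplied input that is defaulted to `userLogin.partyId` when absent, so any authenticated caller who omits `partyId` (or passes their own) is granted permission without the order ever being consulted; the ORDERMGR/ORDERMGR_ROLE branch is only reached by a caller who volunteers a foreign partyId. To restrict cancellation to the order owner as the comment intends, the check should derive the owning party from the order itself — e.g. load the OrderHeader (and its party/role association) for `parameters.orderId` and compare that party to `userLogin.partyId`, denying when the orderId is missing or unknown. The `short-description` "Party contact mech permission logic" reads as a copy-paste from the party component and should say something like `Order adjustment permission logic`. Note also that `failMessage` is only populated for the CREATE and UPDATE main actions, so any other action is denied with an empty message.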
Modified: ofbiz/trunk/applications/order/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services.xml?rev=1059180&r1=1059179&r2=1059180&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/servicedef/services.xml (original)
+++ ofbiz/trunk/applications/order/servicedef/services.xml Fri Jan 14 21:47:23 2011
@@ -181,9 +181,20 @@ under the License.
<attribute name="shipmentReceiptId" type="String" mode="IN" optional="true"/>
</service>
+ <service name="orderAdjustmentPermissionCheck" engine="simple"
+ location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" invoke="orderAdjustmentPermissionCheck">
+ <description>
+ Performs a party contact mech security check. The userLogin partyId must equal the partyId parameter.
+ Only the order owner should be able to cancel an item from Ecommerce.
+ </description>
+ <implements service="permissionInterface"/>
+ <attribute name="partyId" type="String" mode="IN" optional="true"/>
+ </service>
+
<service name="createOrderAdjustment" default-entity-name="OrderAdjustment" engine="simple"
location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" invoke="createOrderAdjustment">
<description>Creates a new order adjustment record</description>
+ <permission-service service-name="orderAdjustmentPermissionCheck" main-action="CREATE"/>
<auto-attributes mode="OUT" include="pk" optional="false"/>
<auto-attributes mode="IN" include="nonpk" optional="true"/>
<override name="orderAdjustmentTypeId" optional="false"/>
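Review bot: The `<description>` of `orderAdjustmentPermissionCheck` says it "Performs a party contact mech security check", which is copied from another component and will mislead anyone auditing order permissions; it should describe the actual behaviour, e.g. `Permission check for order adjustment services: passes when partyId (defaulting to the caller's partyId) equals userLogin.partyId, otherwise requires ORDERMGR or ORDERMGR_ROLE for the given main action.` Since `partyId` is the only declared input, the service has no way to bind its decision to a specific order; adding an `orderId` IN attribute would let the check look up the order's real owner instead of trusting a value the caller chooses.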
@@ -355,6 +366,7 @@ under the License.
<service name="recreateOrderAdjustments" engine="simple" auth="true"
location="component://order/script/org/ofbiz/order/order/OrderServices.xml" invoke="recreateOrderAdjustments">
<description>Remove all existing order adjustments, recalc them and persist in OrderAdjustment.</description>
+ <permission-service service-name="orderAdjustmentPermissionCheck" main-action="UPDATE"/>
<attribute name="orderId" type="String" mode="IN" optional="false"/>
</service>
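Review bot: `recreateOrderAdjustments` declares only `orderId` as input, so when the dispatcher runs `orderAdjustmentPermissionCheck` no `partyId` is passed, the check falls back to `userLogin.partyId`, and the equality test succeeds for every authenticated user — the previous ORDERMGR_UPDATE requirement is effectively removed for this service. Until the permission service resolves ownership from the order, the safer option is to keep the old requirement at the service level (OFBiz's `<required-permissions join-type="OR"><check-permission permission="ORDERMGR" action="_UPDATE"/></required-permissions>`, if this version supports it) or to have the permission check deny when it cannot tie the call to an order.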
Modified: ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl?rev=1059180&r1=1059179&r2=1059180&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl (original)
+++ ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl Fri Jan 14 21:47:23 2011
@@ -222,7 +222,7 @@ under the License.
${uiLabelMap.CommonComments}
<input class="inputBox" type="text" name="icm_${orderItem.orderItemSeqId}" value="" size="30" maxlength="60"/>
</td>
- <td colspan="4"><a href="javascript:document.addCommonToCartForm.action='<@ofbizUrl fullPath="true">cancelOrderItem</...@ofbizUrl>';document.addCommonToCartForm.submit()" class="buttontext">${uiLabelMap.CommonCancel}</a>
+ <td colspan="4"><a href="javascript:document.addCommonToCartForm.action='<@o...@ofbizUrl>';document.addCommonToCartForm.submit()" class="buttontext">${uiLabelMap.CommonCancel}</a>
<input type="hidden" name="orderItemSeqId" value="${orderItem.orderItemSeqId}"/>
</td>
</tr>
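Review bot: Dropping `fullPath="true"` makes the cancel action a path-relative URL, so the POST (and the session cookie with it) now travels over whatever scheme the orderstatus page was loaded with; if that page is reachable over plain HTTP the cancellation is submitted in the clear, so the `orderstatus` and `cancelOrderItem` request-maps should be confirmed to require https (that configuration is outside this hunk). The hidden `orderItemSeqId` field cited in the log provides no protection — it is trivially editable by the client — so the server-side ownership check in the permission service is the only control between a logged-in customer and another customer's order items.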
Re: svn commit: r1059180 - in /ofbiz/trunk: applications/order/script/org/ofbiz/order/order/ applications/order/servicedef/ specialpurpose/ecommerce/webapp/ecommerce/order/
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Scott,
I see now that you introduced the fullPath="true" stuff at http://svn.apache.org/viewvc?rev=935146&view=rev. Is it really needed
there?
Thanks
Jacques
From: <jl...@apache.org>
> Author: jleroux
> Date: Fri Jan 14 21:47:23 2011
> New Revision: 1059180
>
> URL: http://svn.apache.org/viewvc?rev=1059180&view=rev
> Log:
> A modified patch from Sascha based on an intial patch from Abdullah Shaikh "permission error on cancel order item from ecommerce"
> (https://issues.apache.org/jira/browse/OFBIZ-3075) - OFBIZ-3075
>
> If I cancel an order item from ecommerce. I get, the below error displayed on the page.
> The Following Errors Occurred:
> Unable to cancel order line : WSCO11640 / 00001 / null
>
> There have been a discussion about it in this thread http://markmail.org/message/dfkudyvbksvls333
>
> How it works: you can cancel an order item if you create it or have the ORDERMGR_CREATE or ORDERMGR_UPDATE permissions (I added
> the later to Sascha's patch, else the order manager would be annoyed ;o)
> I think this makes sense, because AFAIK there are no other UIs than
> https://demo-trunk.ofbiz.apache.org/ordermgr/control/editOrderItems?orderId=...
> and
> https://demo-trunk.ofbiz.apache.org:8443/ecommerce/control/orderstatus?orderId=...
> to cancel an order item. So nobody should be able to bypass his/her permissions... Of course, let me know if you think I could
> have missed something, thanks
>
> Note also that we had to remove fullPath="true" in <@o...@ofbizUrl> (orderitems.ftl), to avoid
> InsecureFormPostToSecureRequest error. I don't think it raises any security issues though, has it's done from a javascript call
> with hidden orderItemSeqId parameter.
>
> Modified:
> ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml
> ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
> ofbiz/trunk/applications/order/servicedef/services.xml
> ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl
>
> Modified: ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml?rev=1059180&r1=1059179&r2=1059180&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml (original)
> +++ ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderServices.xml Fri Jan 14 21:47:23 2011
> @@ -599,10 +599,6 @@ under the License.
> </simple-method>
>
> <simple-method method-name="recreateOrderAdjustments" short-description="Auto create OrderAdjustments">
> - <check-permission permission="ORDERMGR" action="_UPDATE">
> - <fail-property resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunAutoCreateOrderAdjustments"/>
> - </check-permission>
> - <check-errors/>
> <entity-one entity-name="OrderHeader" value-field="order" auto-field-map="true"/>
> <!-- all existing promo order items are cancelled -->
> <get-related value-field="order" relation-name="OrderItem" list="orderItems"/>
>
> Modified: ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml?rev=1059180&r1=1059179&r2=1059180&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml (original)
> +++ ofbiz/trunk/applications/order/script/org/ofbiz/order/order/OrderSimpleMethods.xml Fri Jan 14 21:47:23 2011
> @@ -20,12 +20,44 @@ under the License.
>
> <simple-methods xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/simple-methods.xsd">
> +
> + <!-- Returns hasPermission=true if userLogin partyId equals partyId parameter
> + Only the order owner should be able to cancel an item from Ecommerce
> + -->
> + <simple-method method-name="orderAdjustmentPermissionCheck" short-description="Party contact mech permission logic">
> + <if-empty field="parameters.partyId">
> + <set field="parameters.partyId" from-field="userLogin.partyId"/>
> + </if-empty>
> + <if-compare-field to-field="userLogin.partyId" field="parameters.partyId" operator="equals">
> + <set field="hasPermission" type="Boolean" value="true"/>
> + <field-to-result field="hasPermission"/>
> + <else>
> + <set field="primaryPermission" value="ORDERMGR"/>
> + <set field="altPermission" value="ORDERMGR_ROLE"/>
> + <set field="mainAction" from-field="parameters.mainAction"/>
> + <call-simple-method method-name="genericBasePermissionCheck"
> xml-resource="component://common/script/org/ofbiz/common/permission/CommonPermissionServices.xml"/>
> + <if-compare field="hasPermission" operator="not-equals" value="true">
> + <set field="resourceDescription" from-field="parameters.resourceDescription"/>
> + <if-empty field="resourceDescription">
> + <property-to-field resource="CommonUiLabels" property="CommonPermissionThisOperation"
> field="resourceDescription"/>
> + </if-empty>
> + <if-compare field="mainAction" value="CREATE" operator="equals">
> + <property-to-field resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement"
> field="failMessage"/>
> + </if-compare>
> + <if-compare field="mainAction" value="UPDATE" operator="equals">
> + <property-to-field resource="OrderErrorUiLabels"
> property="OrderSecurityErrorToRunAutoCreateOrderAdjustments" field="failMessage"/>
> + </if-compare>
> + <set field="hasPermission" type="Boolean" value="false"/>
> + <field-to-result field="failMessage"/>
> + <else>
> + <field-to-result field="hasPermission"/>
> + </else>
> + </if-compare>
> + </else>
> + </if-compare-field>
> + </simple-method>
> +
> <simple-method method-name="createOrderAdjustment" short-description="Create an OrderAdjustment">
> - <check-permission permission="ORDERMGR" action="_CREATE">
> - <alt-permission permission="ORDERMGR_ROLE" action="_CREATE"/>
> - <fail-property resource="OrderErrorUiLabels" property="OrderSecurityErrorToRunCreateOrderAdjustement"/>
> - </check-permission>
> - <check-errors/>
>
> <make-value entity-name="OrderAdjustment" value-field="newEntity"/>
> <set-nonpk-fields map="parameters" value-field="newEntity"/>
>
> Modified: ofbiz/trunk/applications/order/servicedef/services.xml
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/servicedef/services.xml?rev=1059180&r1=1059179&r2=1059180&view=diff
> ==============================================================================
> --- ofbiz/trunk/applications/order/servicedef/services.xml (original)
> +++ ofbiz/trunk/applications/order/servicedef/services.xml Fri Jan 14 21:47:23 2011
> @@ -181,9 +181,20 @@ under the License.
> <attribute name="shipmentReceiptId" type="String" mode="IN" optional="true"/>
> </service>
>
> + <service name="orderAdjustmentPermissionCheck" engine="simple"
> + location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml"
> invoke="orderAdjustmentPermissionCheck">
> + <description>
> + Performs a party contact mech security check. The userLogin partyId must equal the partyId parameter.
> + Only the order owner should be able to cancel an item from Ecommerce.
> + </description>
> + <implements service="permissionInterface"/>
> + <attribute name="partyId" type="String" mode="IN" optional="true"/>
> + </service>
> +
> <service name="createOrderAdjustment" default-entity-name="OrderAdjustment" engine="simple"
> location="component://order/script/org/ofbiz/order/order/OrderSimpleMethods.xml" invoke="createOrderAdjustment">
> <description>Creates a new order adjustment record</description>
> + <permission-service service-name="orderAdjustmentPermissionCheck" main-action="CREATE"/>
> <auto-attributes mode="OUT" include="pk" optional="false"/>
> <auto-attributes mode="IN" include="nonpk" optional="true"/>
> <override name="orderAdjustmentTypeId" optional="false"/>
> @@ -355,6 +366,7 @@ under the License.
> <service name="recreateOrderAdjustments" engine="simple" auth="true"
> location="component://order/script/org/ofbiz/order/order/OrderServices.xml" invoke="recreateOrderAdjustments">
> <description>Remove all existing order adjustments, recalc them and persist in OrderAdjustment.</description>
> + <permission-service service-name="orderAdjustmentPermissionCheck" main-action="UPDATE"/>
> <attribute name="orderId" type="String" mode="IN" optional="false"/>
> </service>
>
>
> Modified: ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl
> URL:
> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl?rev=1059180&r1=1059179&r2=1059180&view=diff
> ==============================================================================
> --- ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl (original)
> +++ ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/order/orderitems.ftl Fri Jan 14 21:47:23 2011
> @@ -222,7 +222,7 @@ under the License.
> ${uiLabelMap.CommonComments}
> <input class="inputBox" type="text" name="icm_${orderItem.orderItemSeqId}" value="" size="30" maxlength="60"/>
> </td>
> - <td colspan="4"><a href="javascript:document.addCommonToCartForm.action='<@ofbizUrl
> fullPath="true">cancelOrderItem</...@ofbizUrl>';document.addCommonToCartForm.submit()"
> class="buttontext">${uiLabelMap.CommonCancel}</a>
> + <td colspan="4"><a
> href="javascript:document.addCommonToCartForm.action='<@o...@ofbizUrl>';document.addCommonToCartForm.submit()"
> class="buttontext">${uiLabelMap.CommonCancel}</a>
> <input type="hidden" name="orderItemSeqId" value="${orderItem.orderItemSeqId}"/>
> </td>
> </tr>
>
>