Author: jacopoc
Date: Tue Jan 30 21:11:24 2007
New Revision: 501733
URL: http://svn.apache.org/viewvc?view=rev&rev=501733
Log:
Quick fix for issue OFBIZ-672: if you log in to the ecommerce area of ofbiz and
view an order using the URL, you can view any order made by other users by
changing the order number in the URL.
I have not tested my fix well, especially with orders created by anonymous users, so
any review and testing is appreciated; however, I think that for now it's better to
have it committed.
Modified:
ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
Modified:
ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh?view=diff&rev=501733&r1=501732&r2=501733
==============================================================================
---
ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
(original)
+++
ofbiz/trunk/applications/ecommerce/webapp/ecommerce/WEB-INF/actions/order/orderstatus.bsh
Tue Jan 30 21:11:24 2007
@@ -51,7 +51,7 @@
// check OrderRole to make sure the user can view this order. This check
must be done for any order which is not anonymously placed and
// any anonymous order when the allowAnonymousView security flag (see
above) is not set to Y, to prevent peeking
if ((orderHeader != null) &&
(!("anonymous".equals(orderHeader.getString("createdBy"))) ||
("anonymous".equals(orderHeader.getString("createdBy")) &&
!"Y".equals(allowAnonymousView)))) {
- orderRole = EntityUtil.getFirst(delegator.findByAnd("OrderRole",
UtilMisc.toMap("orderId", orderId, "roleTypeId", "PLACING_CUSTOMER")));
+ orderRole = EntityUtil.getFirst(delegator.findByAnd("OrderRole",
UtilMisc.toMap("orderId", orderId, "partyId", partyId, "roleTypeId",
"PLACING_CUSTOMER")));
if (userLogin == null || orderRole == null) {
context.remove("orderHeader");
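Review bot: The added `"partyId", partyId` key in the OrderRole lookup is the actual access check, but the hunk does not show where `partyId` is bound, and the authorization only holds if it is taken from the authenticated `userLogin` (or the session) rather than from a request parameter; if a caller can supply `partyId` alongside `orderId`, the lookup can be satisfied for any order and the original peeking problem returns. Please confirm the assignment above this hunk reads from `userLogin.getString("partyId")` or equivalent, and consider moving the `userLogin == null` test ahead of the query so the lookup is skipped entirely for unauthenticated callers instead of running `findByAnd` with a null `partyId` and relying on `orderRole == null` afterwards. Note also that, as before this change, only the `PLACING_CUSTOMER` role is consulted, so any party that legitimately holds a different role on the order (for example a bill-to or ship-to customer) is now denied where previously the unscoped query let them through; if that is intended it is worth a comment next to the check, since the comment block above still describes the rule only in terms of anonymous versus non-anonymous orders.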