OFBiz / OFBIZ-1533

Order Lookup fails with "Order not found with ID [XXXXX], or not allowed to view" message while sending email confirmation from order manager

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Release Branch 4.0, Trunk
    • Fix Version/s: Trunk
    • Component/s: order
    • Labels:
      None
    • Environment:

      Ubuntu 7.10

      Description

      Order lookup fails with the following message while sending email confirmation from the order manager for orders created through e-commerce or order entry.

      "Order not found with ID [XXXXX], or not allowed to view" where [XXXXX] is the order id.

      How to reproduce:

      1. Create an order from e-commerce by logging in (as registered user).
      2. Go to the order manager and log in with FULLADMIN or ORDERADMIN security group permission.
      3. Lookup the newly created order.
      4. Click on the send confirmation button in the top right area of the order screen.
      5. It will open up a window with the email text. Email text shows the above message instead of actual order confirmation html.
      6. You can repeat the above by creating an order from Order Entry as well.

        Activity

        Jacques Le Roux added a comment -

        Hi Raj,

        Yes, that's what I thought also. So I close this issue; I agree there is enough information to customise...

        Raj Saini added a comment -

        Hi Jacques,

        I just tested this and original bug has been fixed.

        Regarding the URL links, I think some of the links have e-commerce hard-coded, which may not be the case for every e-commerce site. On most e-commerce sites you will have the root context. For orders created from the order entry screen, it really does not make any sense to show a URL with ordermgr, as customers can never view them. Therefore, I think it may be a good idea to remove the link altogether and instead give the link to the user profile page.

        Regarding the product link, it makes sense to use the e-commerce site link instead of the product manager one. Again, hard-coding "ecommerce" as the context is not a good idea. I think most users need to customize these templates (we do) and use their own URL; that may be the reason no one is interested in this.

        Jacques Le Roux added a comment -

        Nobody interested in this challenge?

        Jacques Le Roux added a comment -

        Any tries?

        Jacques Le Roux added a comment -

        Hi Raj,

        I'm back on this subject nearly one year later. I have just fixed a bug introduced since then and had a new look at this. If you are still interested (or if someone is interested in this issue), here is how I see it.

        In SendConfirmationEmail.groovy we use the "PRDS_ODR_CONFIRM" emailType, which is set in the product store. By default its values are
        <ProductStoreEmailSetting productStoreId="9000" emailType="PRDS_ODR_CONFIRM" bodyScreenLocation="component://ecommerce/widget/EmailOrderScreens.xml#OrderConfirmNotice" xslfoAttachScreenLocation="component://ecommerce/widget/EmailOrderScreens.xml#OrderConfirmNoticePdf" subject="OFBiz Demo - Order Confirmation #${orderId}" bccAddress="ofbiztest@yahoo.com" fromAddress="ofbiztest@yahoo.com"/>

        But as we are in ordermgr, we generate links related to this component (hence the problems I found 2 comments above). I think that these links should depend on the "Sales Channel" used.

        • If it's Web Channel we should replace the ordermgr links by ecommerce links.
          • Maybe not easy to do since it uses the <@ofbizurl> macro, but we may use something like
          • <#if baseEcommerceSecureUrl?exists><#assign urlPrefix = baseEcommerceSecureUrl/></#if>
            (which is used in applications/ecommerce/webapp/ecommerce/order/orderheader.ftl)
        • If it's another channel we should not provide any links at all since clients can't access ordermgr

        Please let me know what you think, thanks

        Jacques Le Roux added a comment -

        Sorry Raj,

        I have no time yet, but I will take care of it... later...

        Raj Saini added a comment -

        Thanks Jacques. If you explain to me the work around, I can work on it. I know explaining to me may be harder than fixing it on your own.

        Jacques Le Roux added a comment -

        Raj,

        Your trunk patch is committed in rev. 635359. As I wrote above, still some work to do around... (no time to go further by myself, sorry)

        Jacques Le Roux added a comment -

        Hi Raj,

        I have just tested your trunk patch. For me it's better than before: at least it produces something usable!

        At this stage it needs more work. Not in your patch but in the part that generates the content of the mail. So I will commit it soon if nobody complains.

        Changes to do:
        The URL to view the order is now something like
        https://192.168.2.4:28080/ordermgr/control/orderstatus;jsessionid=7CDCC8AA36C2EC35B29A3D162AB92AAF.jvm1?orderId=WSCO1000
        and it should be something like
        https://192.168.2.4:28443/ecommerce/control/orderstatus?orderId=WSCO10000

        I'm not sure we want to put a link to the product so there should be no link like
        <a href="/ordermgr/control/product?product_id=WG-5569" class="linktext">WG-5569 - Tiny Chrome Widget</a>
        but only
        WG-5569 - Tiny Chrome Widget

        I did not review or test the branch patch yet.

        BJ Freeman added a comment -

        https://demo.hotwaxmedia.com/partymgr/control/viewprofile?partyId=admin
        look at User Name(s)
        those are the logins
        each one has its own security groups
        each security group has its permissions
        so if you disable the login, you disable permissions.

        http://ofbizwiki.go-integral.com/Wiki.jsp?page=SecurityAdministration

        Raj Saini added a comment -

        I am new to this but I don't think anonymous users are allowed to view their orders in the current ecommerce application.

        I am eager to hear the opinion of more knowledgeable people.

        BJ Freeman added a comment -

        hmmm how do you deal with a customer that has no login information,
        therefore no permissions.

        I believe three or more variables are sufficient to keep the most arduous dictionary busy for years.

        Raj Saini added a comment -

        I don't think zip code is the right way to go. If someone can find the party id of another user, finding zip code is easier than this.

        Why not use the security group permissions?

        For example:

        if context.get(partyId) is equal to userLogin.getPartyId
        allow to view the order
        else if user is not in security group of FULLADMIN or ORDERADMIN
        do not allow to view orders

        BJ Freeman added a comment -

        I can give you the code that I use
        I have clients that have a separate website.
        they have a form on it where the person puts in the zipcode and order number
        this comes to ofbiz and they see their order.

        so first modify the template for the email, with a zipcode and URL to handle the extra info.
        then
        add a url for the lookup of the order with the zipcode and orderID passed.
        you can expand from there.

        Raj Saini added a comment -

        Thanks for your comments BJ.

        Any clue how to go about it?

        Raj Saini added a comment -

        patch for branch-4.0

        BJ Freeman added a comment -

        probably need more work
        you don't want someone to randomly access orders and get personal information.
        so may have to add zipcode and some other parameter to match against the order in the URL.

        Raj Saini added a comment -

        Attached patch resolves the problem in trunk. Branch code is different than trunk and will need a separate patch.

        Order lookup failed because the partyId passed for the orderRole lookup was that of the logged-in user (order admin) and not the placing customer or supplier/supplier agent, as it is taken from the userLogin entity and not from the context.

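The access rule discussed in this thread (order-role lookup keyed on the partyId from the context, with the FULLADMIN/ORDERADMIN exception from the pseudocode above), as an added example that is not part of the issue, the attached patches, or OFBiz itself. It is plain Java 16+; the class, method names and sample data are hypothetical and constructed for illustration.

```java
import java.util.Map;
import java.util.Objects;
import java.util.Set;

// Added illustration, not OFBiz code. All names and data below are constructed.
public class OrderViewCheck {
    record Login(String userLoginId, String partyId) {}

    // orderId -> parties holding a role on that order (placing customer, supplier agent, ...)
    static final Map<String, Set<String>> ORDER_ROLES =
        Map.of("WSCO10000", Set.of("DemoCustomer"));
    // userLoginId -> security groups
    static final Map<String, Set<String>> GROUPS = Map.of(
        "admin", Set.of("FULLADMIN"),
        "clerk", Set.of("ORDERADMIN"));

    static boolean hasRole(String orderId, String partyId) {
        return partyId != null && ORDER_ROLES.getOrDefault(orderId, Set.of()).contains(partyId);
    }

    static boolean isOrderAdmin(Login login) {
        Set<String> groups = GROUPS.getOrDefault(login.userLoginId(), Set.of());
        return groups.contains("FULLADMIN") || groups.contains("ORDERADMIN");
    }

    // Reported behaviour: the role lookup always uses the logged-in user's partyId,
    // so an order admin rendering the customer's email has no role on the order.
    static boolean canViewBefore(Login login, String orderId) {
        return login != null && hasRole(orderId, login.partyId());
    }

    // Role lookup uses the partyId from the context, but a caller may only name a
    // party other than itself when it is in FULLADMIN or ORDERADMIN.
    static boolean canView(Login login, String contextPartyId, String orderId) {
        if (login == null) return false;                  // anonymous: no login, no view
        boolean self = Objects.equals(contextPartyId, login.partyId());
        if (!self && !isOrderAdmin(login)) return false;  // cannot act for another party
        return hasRole(orderId, contextPartyId);
    }

    public static void main(String[] args) {
        Login admin = new Login("admin", "admin");
        Login owner = new Login("democustomer", "DemoCustomer");
        Login other = new Login("othercustomer", "OtherCustomer");
        System.out.println("old lookup, admin: " + canViewBefore(admin, "WSCO10000"));
        System.out.println("admin for customer: " + canView(admin, "DemoCustomer", "WSCO10000"));
        System.out.println("customer, own order: " + canView(owner, "DemoCustomer", "WSCO10000"));
        System.out.println("other customer: " + canView(other, "DemoCustomer", "WSCO10000"));
        System.out.println("no login: " + canView(null, "DemoCustomer", "WSCO10000"));
    }
}
```

The fourth case is the one that matters for the concern raised about random access to orders: a non-admin caller cannot borrow another party's role by supplying that party's id as a request parameter.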

          People

          • Assignee:
            Jacques Le Roux
            Reporter:
            Raj Saini