Fixing the permissions for user access to Order List


Stuart Fenton

Monday 22 January 2007 5:26:45 am

EzPublish 3.9 has a problem showing "my orders" from the user profile without granting admin privileges. This means that the user can see ALL of the orders in the system.

In order to fix this I have modified the source code to correct the problem by adding a new rule to the shop's module.php to control access to the customerorderview function.

If you need to fix this follow these instructions.

Add "user_view_orders" into the access function

Change...

$ViewList["customerorderview"] = array(
    "functions" => array( 'administrate' ),
    "script" => "customerorderview.php",
    "default_navigation_part" => 'ezshopnavigationpart',
    "params" => array( "CustomerID", "Email" ) );

To this...

$ViewList["customerorderview"] = array(
    "functions" => array(   'user_view_orders', 'administrate' ),
    "script" => "customerorderview.php",
    "default_navigation_part" => 'ezshopnavigationpart',
    "params" => array( "CustomerID", "Email" ) );

Then add "$FunctionList['user_view_orders'] = array( );" to the bottom of the file.

Change...

$FunctionList['setup'] = array( );
$FunctionList['administrate'] = array( );
$FunctionList['buy'] = array( );
$FunctionList['edit_status'] = array( );
$FunctionList['setstatus'] = array( 'FromStatus' => $FromStatus,
                                    'ToStatus' => $ToStatus );

To this...

$FunctionList['setup'] = array( );
$FunctionList['administrate'] = array( );
$FunctionList['buy'] = array( );
$FunctionList['edit_status'] = array( );
$FunctionList['setstatus'] = array( 'FromStatus' => $FromStatus,
                                    'ToStatus' => $ToStatus );
$FunctionList['user_view_orders'] = array( );

Then go to Roles and Policies, add shop / user_view_orders to the user's permissions, and you're good to go.

Regards
Fats

-- Stuart

stuart@grandmore.com
http://www.grandmore.com

kracker (the)

Monday 22 January 2007 6:02:43 am

Great Post!

Any chance this is in any way related to another contribution on a similar topic,
http://ez.no/community/contribs/applications/ezorder

//kracker

Home Movies - Duane's Practice

Member since: 2001.07.13 || http://ezpedia.se7enx.com/

Stuart Fenton

Monday 22 January 2007 6:44:50 am

It is related however the standard install of ezPublish 3.9 has the "My Profile" functionality in place during installation. It does not however work out of the box as there are no roles to allow a user to see only their orders.

I did look at the contribution but decided it was better to fix eZ than add another extension. Also, the extension works slightly differently from that of eZ 3.9.

Regards
Fats

-- Stuart

stuart@grandmore.com
http://www.grandmore.com

Stuart Fenton

Monday 22 January 2007 7:08:24 am

This patch needs to be applied to the /kernel/shop/module.php file.

Regards
Fats

-- Stuart

stuart@grandmore.com
http://www.grandmore.com

kracker (the)

Friday 16 March 2007 6:57:30 pm

Stuart,

Would you consider submitting a feature request (to the issue system) with a diff which adds your fix?

Perhaps with a little more work eZ systems might consider adding this feature to the default release.

Then there would be no need for everyone to patch in the future. Here is my diff based on your instructions ...

# diff kernel/shop/module.php kernel/shop/module.php.patched
86c86
<     "functions" => array( 'administrate' ),
---
>     "functions" => array( 'user_view_orders','administrate' ),
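Review bot: adding 'user_view_orders' to the `functions` list on line 86 only changes which policy a caller must hold to reach the view; nothing in this hunk scopes the view to the caller's own orders, and the view's CustomerID and Email values come from the request (they are the `params` of the same $ViewList entry quoted earlier in the thread). A user granted shop/user_view_orders can therefore still ask for any CustomerID, which is the original problem under a new policy name. Pair this with a check inside customerorderview.php that allows the request when the current user holds shop/administrate or when the current user's id equals the requested CustomerID, and returns an access-denied error otherwise.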
327a328
> $FunctionList['user_view_orders'] = array( );
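Review bot: `$FunctionList['user_view_orders'] = array( );` declares the policy with no limitation keys, so Roles and Policies can only grant or deny it as a whole; an administrator cannot narrow it the way setstatus can be narrowed by FromStatus/ToStatus a few lines above in the same file. If the intended meaning is "own orders only", say so in the feature request and either give the policy a limitation or have the view enforce ownership. For submission to the issue tracker, a unified diff (`diff -u`) against a named release would also be easier to apply and review than this normal-format diff.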

//kracker

Member since: 2001.07.13 || http://ezpedia.se7enx.com/

Nicolas Ottavi

Tuesday 05 June 2007 4:59:55 am

Sorry,

But I am not sure this changes anything. You are adding a new function that does not have any limitation. My feeling is that the function you are adding does exactly the same as before.

When I had to deal with this problem on a 3.6.x I did edit the customerorderview.php file and checked the user_id and compared it with the one passed in parameter.

If current_user was an administrator or the user who passed the order, then I allowed the display. Else I raised an error.

Kind Regards,
NO
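The ownership check Nicolas describes, written out as an added PHP example; it is not code from this thread or from eZ Publish. The function name canViewCustomerOrders is hypothetical, and the eZ calls named in the wiring comment (eZUser::currentUser(), hasAccessTo(), $Params['CustomerID'], $Module->handleError()) are assumptions to verify against the installed version. The sample requests at the bottom are constructed.

```php
<?php
// Added example (not from the thread or from eZ Publish): the ownership
// check described above, kept free of eZ API calls so it runs on its own.

/**
 * Decide whether the current user may see the order list for a customer.
 *
 * $isLoggedIn          false for the anonymous user
 * $currentUserId       id of the logged-in user (from the session, trusted)
 * $isAdministrator     true if the user holds the shop/administrate policy
 * $requestedCustomerId the CustomerID view parameter (from the URL, untrusted)
 */
function canViewCustomerOrders( $isLoggedIn, $currentUserId, $isAdministrator, $requestedCustomerId )
{
    // Administrators may view every customer's orders.
    if ( $isAdministrator )
        return true;

    // Anonymous visitors share one user id, so "owns this id" means nothing
    // for them; they get nothing through this view.
    if ( !$isLoggedIn )
        return false;

    // Only accept a plain decimal id; this stops "42abc", "" or "4e1" from
    // comparing equal to an integer under PHP's loose == rules.
    if ( !ctype_digit( (string) $requestedCustomerId ) )
        return false;

    // Strict comparison after casting: the session id is an int, the URL
    // parameter arrives as a string.
    return (int) $currentUserId === (int) $requestedCustomerId;
}

// Assumed wiring inside kernel/shop/customerorderview.php (check the names
// against your eZ Publish version before relying on them):
//   $user  = eZUser::currentUser();
//   $admin = $user->hasAccessTo( 'shop', 'administrate' );
//   if ( !canViewCustomerOrders( $user->isLoggedIn(), $user->attribute( 'contentobject_id' ),
//                                $admin['accessWord'] == 'yes', $Params['CustomerID'] ) )
//       return $Module->handleError( eZError::KERNEL_ACCESS_DENIED, 'kernel' );

// Constructed sample requests: logged in, user id, admin, CustomerID, expected result.
$cases = array(
    array( true,  42, false, 42,      true  ),  // customer viewing their own orders
    array( true,  42, false, 43,      false ),  // customer asking for another CustomerID
    array( true,  42, false, '42',    true  ),  // same customer, id arrives as a string
    array( true,  42, false, '42abc', false ),  // malformed parameter is rejected
    array( false, 10, false, 10,      false ),  // anonymous user, even with a matching id
    array( true,  7,  true,  42,      true  ),  // administrator may view anyone
);

foreach ( $cases as $case )
{
    list( $loggedIn, $userId, $admin, $customerId, $expected ) = $case;
    $allowed = canViewCustomerOrders( $loggedIn, $userId, $admin, $customerId );
    printf( "user=%d admin=%s CustomerID=%s -> %s (%s)\n",
            $userId, $admin ? 'yes' : 'no', $customerId,
            $allowed ? 'allow' : 'deny', $allowed === $expected ? 'ok' : 'MISMATCH' );
}
```

The decision is made from the session's user id and the request's CustomerID only; the policy added in module.php still gates who can reach the view at all, but it is this comparison, not the policy name, that keeps one customer from reading another customer's orders.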

Horst Lindlbauer

Monday 06 October 2008 5:45:23 am

It's quite unbelievable that this issue is not fixed with 4.0.1.
Nobody wants any user to see the orders of other users (except for administrator users), I guess.
So why is the limitation of orderlist to orders of the current user not the default setting?

---------------------------------------
http://www.lbm-services.de

scrieler _

Friday 22 May 2009 2:25:56 am

heya,

think it isn't normal... using ez4.1.1 and no change or extension ran..

I try to change the module.php and add the role without success [still no access]
I try to install the ezorder extension and add the ExtensionAutoloadPath[]=ezorder without success
My last try to install http://projects.ez.no/tc_mypurchases to use it in user/edit.tpl is without success too
