Fixing the permissions for user access to Order List

Stuart Fenton

Monday 22 January 2007 5:26:45 am

EzPublish 3.9 has a problem showing "my orders" from the user profile without granting admin privileges. This means that the user can see ALL of the orders in the system.

In order to fix this I have modified the source code to correct the problem by adding a new rule to the shop's module.php to control access to the customerorderview function.

If you need to fix this, follow these instructions.

Add "user_view_orders" into the access function

Change...

$ViewList["customerorderview"] = array(
    "functions" => array( 'administrate' ),
    "script" => "customerorderview.php",
    "default_navigation_part" => 'ezshopnavigationpart',
    "params" => array( "CustomerID", "Email" ) );

To this...

$ViewList["customerorderview"] = array(
    "functions" => array( 'user_view_orders', 'administrate' ),
    "script" => "customerorderview.php",
    "default_navigation_part" => 'ezshopnavigationpart',
    "params" => array( "CustomerID", "Email" ) );

Then add "$FunctionList['user_view_orders'] = array( );" to the bottom of the file.

Change...

$FunctionList['setup'] = array( );
$FunctionList['administrate'] = array( );
$FunctionList['buy'] = array( );
$FunctionList['edit_status'] = array( );
$FunctionList['setstatus'] = array( 'FromStatus' => $FromStatus,
                                    'ToStatus' => $ToStatus );

To this...

$FunctionList['setup'] = array( );
$FunctionList['administrate'] = array( );
$FunctionList['buy'] = array( );
$FunctionList['edit_status'] = array( );
$FunctionList['setstatus'] = array( 'FromStatus' => $FromStatus,
                                    'ToStatus' => $ToStatus );
$FunctionList['user_view_orders'] = array( );

Then go to Roles and Policies and add shop / user_view_orders to the user's permissions, and you're good to go.

Regards
Fats

-- Stuart

stuart@grandmore.com
http://www.grandmore.com

kracker (the)

Monday 22 January 2007 6:02:43 am

Great Post!

Any chance this is in any way related to another contribution on a similar topic,
http://ez.no/community/contribs/applications/ezorder

//kracker

Home Movies - Duane's Practice

Member since: 2001.07.13 || http://ezpedia.se7enx.com/

Stuart Fenton

Monday 22 January 2007 6:44:50 am

It is related however the standard install of ezPublish 3.9 has the "My Profile" functionality in place during installation. It does not however work out of the box as there are no roles to allow a user to see only their orders.

I did look at the contribution but decided it was better to fix ez than add another extension. Also, the extension works slightly differently to that of ez 3.9.

Regards
Fats

-- Stuart

stuart@grandmore.com
http://www.grandmore.com

Stuart Fenton

Monday 22 January 2007 7:08:24 am

This patch needs to be applied to the /kernel/shop/module.php file.

Regards
Fats

-- Stuart

stuart@grandmore.com
http://www.grandmore.com

kracker (the)

Friday 16 March 2007 6:57:30 pm

Stuart,

Would you consider submitting a feature request (to the issue system) with a diff which adds your fix?

Perhaps with a little more work eZ systems might consider adding this feature to the default release.

Then there is no need to patch in the future for everyone. Here is my diff based on your instructions ...

# diff kernel/shop/module.php kernel/shop/module.php.patched
86c86
<     "functions" => array( 'administrate' ),
---
>     "functions" => array( 'user_view_orders','administrate' ),
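Review bot: adding 'user_view_orders' to the functions list in this hunk only changes which policy lets a user into customerorderview; the view still takes CustomerID and Email as parameters, so a user granted shop/user_view_orders can request any customer's order list, exactly as administrate could. The hunk needs a companion change in customerorderview.php that allows the request only when the current user holds administrate or the requested CustomerID matches the current user's own id.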
327a328
> $FunctionList['user_view_orders'] = array( );
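Review bot: `$FunctionList['user_view_orders'] = array( );` declares the new function with no limitations, so in Roles and Policies the grant is all-or-nothing; compare 'setstatus' in the same file, which declares 'FromStatus' and 'ToStatus' so a policy can be narrowed. Either give this function a limitation that Roles and Policies can restrict, or document that it must be paired with an owner check in the view, because on its own it does not limit a user to their own orders.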

//kracker

Member since: 2001.07.13 || http://ezpedia.se7enx.com/

Nicolas Ottavi

Tuesday 05 June 2007 4:59:55 am

Sorry,

But I am not sure this changes anything. You are adding a new function that does not have any limitation. My feeling is that the function you are adding does exactly the same as before.

When I had to deal with this problem on a 3.6.x, I edited the customerorderview.php file, checked the user_id and compared it with the one passed as a parameter.

If current_user was an administrator or the user who placed the order, then I allowed the display. Else I raised an error.

Kind Regards,
NO
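As an added example (not code from this thread or from eZ Publish), the difference between the policy-only gate that the module.php change above provides and the owner check Nicolas describes, modelled in plain PHP with a constructed policy table. GRANTED_POLICIES, hasPolicy, policyOnlyAllows and ownerCheckAllows are hypothetical names, not eZ Publish API.

```php
<?php
// Added example, not eZ Publish code. A role policy such as
// shop/user_view_orders only answers "may this user call the view?";
// the owner check answers "may this user see THIS customer's orders?",
// which is what keeps customers out of each other's order lists.

// Constructed stand-in for the policy store behind Roles and Policies:
// user id => list of granted module/function names.
const GRANTED_POLICIES = [
    1  => ['shop/administrate'],       // administrator
    42 => ['shop/user_view_orders'],   // ordinary customer
    43 => ['shop/user_view_orders'],   // another ordinary customer
    44 => [],                          // customer with no shop policy at all
];

function hasPolicy(int $userId, string $policy): bool
{
    return in_array($policy, GRANTED_POLICIES[$userId] ?? [], true);
}

// What the module.php change alone gives you: any user holding the policy
// may load customerorderview for ANY CustomerID passed in the URL, so the
// requested id is never consulted.
function policyOnlyAllows(int $currentUserId, int $requestedCustomerId): bool
{
    return hasPolicy($currentUserId, 'shop/administrate')
        || hasPolicy($currentUserId, 'shop/user_view_orders');
}

// The check described in the thread for customerorderview.php:
// administrators see everything, everyone else only their own CustomerID.
function ownerCheckAllows(int $currentUserId, int $requestedCustomerId): bool
{
    if (hasPolicy($currentUserId, 'shop/administrate')) {
        return true;
    }
    return hasPolicy($currentUserId, 'shop/user_view_orders')
        && $currentUserId === $requestedCustomerId;
}

// Customer 42 requests customer 43's order list under each rule,
// then their own list, then an administrator requests 43's list.
var_dump(policyOnlyAllows(42, 43));
var_dump(ownerCheckAllows(42, 43));
var_dump(ownerCheckAllows(42, 42));
var_dump(ownerCheckAllows(1, 43));
var_dump(ownerCheckAllows(44, 44));
```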

Horst Lindlbauer

Monday 06 October 2008 5:45:23 am

It's quite unbelievable that this issue is not fixed with 4.0.1.
Nobody wants any user to see the orders of other users (except for administrator users), I guess.
So why is the limitation of orderlist to orders of the current user not the default setting?

---------------------------------------
http://www.lbm-services.de

scrieler _

Friday 22 May 2009 2:25:56 am

heya,

I think it isn't normal... using ez4.1.1 and no change or extension ran..

I tried to change the module.php and add the role without success [still no access]
I tried to install the ezorder extension and add the ExtensionAutoloadPath[]=ezorder without success
My last try, to install http://projects.ez.no/tc_mypurchases to use it in user/edit.tpl, is without success too
