Order Editor 1.3.7 Issues

[asekeris]

That was the clue i was looking for.

Just before i saw your reply i tested edit order 1.5.3. on zencart 1.39e and there everything worked.
Since 1.39e many extra's are added to this init_sessions and the edit orders now falls in this if structure preventing it from working.
As far as i can see there is no problem adding this extra file to the line and after that everything works fine.
Maybe drByte can confirm this if he has some time left.

Thanks a lot for the hint

[DrByte]

It is UNADVISABLE to make such an edit to init_sessions. You're basically just opening the door so anyone can edit your orders without logging in.
Something's wrong with your addon, and should be fixed there.

[asekeris]

I understand your point in this DrByte that it is not good to open doors that should be shut but can you explain then what the difference is between opening the door for EDIT_ORDERS and opening it for FILENAME_PRODUCTS_PRICE_MANAGER for example.
It is the same door and somebody messing up your prices is also not real fun.
I could be wrong but to me an open door is open and it makes no difference who opened it.

[DarkAngel]

ideas please...my edit orders has decided to not proceed to step 1. It was working in 1.3.9f and then in 1.3.9g...I have since done the "h" update.

I click the edit button to get the next page to edit the order, then I click the "add product" page and get sent to the main admin summary page not to the next part that allows me to add the product.

I replaced the edit orders files again and then I made sure the orders.php file in admin folder was still there and with the 2 required edits and still goes to summary admin page.

I had version 2 installed and thought that maybe digressing the version would help but nope it does not.

this is the link it should send me to the editing page to add an order on:

Code:

 http://fantasiesrealm.com/market/xxx...product&step=1

but it sends me to the main page instead...I checked the test store and it does the same thing too so it is something in the newest update that is not playing well with this mod.

can anyone tell me what I might need to do?

[asekeris]

Edit the init_sessions file as written a few posts back

or

Replace the keyword action by something else.
(for instance 'actions=')

[DivaVocals]

Edit the init_sessions file as written a few posts back

or

Replace the keyword action by something else.
(for instance 'actions=')

Ummm no.. I trust DrByte when he says not to make this particular change, and therefore I have to respectfully disagree with the suggestion that ANYONE make this change..

It is UNADVISABLE to make such an edit to init_sessions. You're basically just opening the door so anyone can edit your orders without logging in.
Something's wrong with your addon, and should be fixed there.

ideas please...my edit orders has decided to not proceed to step 1. It was working in 1.3.9f and then in 1.3.9g...I have since done the "h" update.

I click the edit button to get the next page to edit the order, then I click the "add product" page and get sent to the main admin summary page not to the next part that allows me to add the product.

I replaced the edit orders files again and then I made sure the orders.php file in admin folder was still there and with the 2 required edits and still goes to summary admin page.

I had version 2 installed and thought that maybe digressing the version would help but nope it does not.

this is the link it should send me to the editing page to add an order on:

Code:

 http://fantasiesrealm.com/market/xxx...product&step=1

but it sends me to the main page instead...I checked the test store and it does the same thing too so it is something in the newest update that is not playing well with this mod.

can anyone tell me what I might need to do?

Hey Angel.. I have not had a problem getting this to work with Zen v1.3.9f. (as I stated only mods I made were edits required for this to work with Super Orders)

I am currently working on upgrading my test store to 1.3.9h.. Because we're gonna bundle in the correctly edited files needed to use Edit Orders with Super Orders in the next SUper Orders release, I wanna test this add-on and see if I can replicate the issue.. (I have a few ideas on how to correct the issue (that don't create a security risk) if I can replicate it.. If you can hang tight (unless someone posts the right solution before I can post back) I'll let you know what I find out..

[asekeris]

I gave two options.

The first one:
The first one was to do edit the init_sessions file what should according to DrByte give a security risk.
(I disagree on this point because the same action is done in that file for some core files and i refuse to see the difference between a core file and a third party mod and i am still hoping DrByte is willing to elaborate on that difference)


The second one:
Rewrite the mod on each point where the keyword 'action' is used and by doing that you go around the init_sessions problem because there the limitations are set much higher since the 1.39h uodate.
Personally i am against this because then we deviate from what is amost a standard in all mods.

I tested replacing action with aktie (dutch) and then everything works again.

[DrByte]

Bypassing the security altogether is the wrong approach.

It would be wiser to actually recode things to ensure that the securityToken is set and checked, else you're leaving yourself open to XSS/CSRF vulnerabilities.

[asekeris]

If thats all i will do that and thanks for the clue.
(between the lines i read that the other modules in the init_sessions file still need some rewriting to.)

I will try this and post my findings.

[DarkAngel]

Hi Diva,

I shall await your findnigs. I know it worked prior to the "h" updated files because we have contests and when they win an item from the store I go in and add it to their order, which I did early in October.

Not sure what happened either and it is happening in both the test and live store...but not affeting the rest of the stuff either.

I even went in and added the files that the doc said could be deleted too and that did not make it behave.