  1. #321
    Join Date
    Oct 2007
    Location
    Emporia, Kansas
    Posts
    1,762
    Plugin Contributions
    0

    Default Re: Order Editor 1.3.7 Issues

    well imho, and that is all it is...an opinion

    if it were me i would get with sturner with the changes...after all he is the one that made it to begin with.

  2. #322
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Order Editor 1.3.7 Issues

    **deleted**
    My Site - Zen Cart & WordPress integration specialist
    I don't answer support questions via PM. Post add-on support questions in the support thread. The question & the answer will benefit others with similar issues.

  3. #323
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Order Editor 1.3.7 Issues

    Quote Originally Posted by asekeris View Post
    I am sorry to spoil the fun and happiness but srturner47 has chosen to follow the way i was discussing in some posts back to rename the keywords in something not fetched by the init_sessions and as DrByte stated as the wrong way because you are bypassing security.
    The fix is as bad as the quickfix in init_sessions and even less complete.
    I have to go with the advice of DrByte that the only good way is rewriting the mod to make it compatible with the new security measures (first steps for this were made in 1.38) and a major rewrite is not at all because the mod is and has been buggy always.
    I just got back from the store and took a look at the fix, and you are right.. While this addresses the IMMEDIATE issue, it does not address the underlying security concerns with this add-on.. It's BEYOND my little skill level to even BEGIN to address those.. (Requires a REAL programmer!! )

    Quote Originally Posted by asekeris View Post
    I will keep writing on a new release of this mod and in the moment the framework is rewritten and conforming to the new standards.
    (post this in both threads if the moderators allow)
    If you are looking for testers would LOVE to test this.. Two Zenners and myself have been working on an update to Super Orders and we have all but removed all of the order edit features from Super Orders due to the incomplete nature of the order edit functions and the fact that Edit Orders really did what the Super Orders edit features were attempting to do in the first place. We knew Edit Orders wasn't perfect, but it was BETTER than the Super Order edit functions..

    We wanted to include correctly edited super_orders.php and edit_orders.php files in the new Super Orders fileset to end a long standing belief that Super Orders and Edit Orders could not be used together. In doing so we did a fair amount of work to remove hardcoded text from the edit_orders.php file along with adding the current comments functionality (most notably the support for hidden "admin" comments) from Zen Cart 1.3.9.

    We also modified the Edit Orders navigation as the various back buttons did not follow what we thought would be a "logical" workflow (based on feedback from clients). For example the back button in Add Products takes you back to the order list. It seemed to make more sense that you would want to either return to the order you were editing or return to the order details pages. Same with the edit_orders.php page too.. There was only a back button which returned you to the order list, but no option to return to the order details page from the editing page.

    Quote Originally Posted by asekeris View Post
    I used this mod since 2006 (when i started with zencart) and always accepted its quirks because there have been many other matters in the shop that needed attention first.
    It has always been low priority to me because it worked more or less.
    Always made a small fix (patch) for one problem at a time and never came to a complete solution.
    With the security taken to a much higher level i am facing similar problems in other mods i was developing and now it has high priority.

    Because this mod has everything i need further on in my mod development i will rewrite this one first.

    What i did until now:
    Made the mod language aware.
    Made the mod currency aware. (no more fixed $ signs)
    Removed the fixed tax settings and follow the shops tax rules.
    Changed some fields from text input to dropdown.
    And last but not least confirmation to the security framework. (worked on at the moment, almost finished)

    Some other mods i am using included in this one but still need some fine tuning for those not using these other mods.

    After finishing up i will upload to the mods but since v2 is occupied i wonder how i should name this new version. (V3 ?)
    Wow this sounds great.. I say v3.0 sounds awesome and totally appropriate!!!!

    Let me ask one thing.. Integration to use with Super Orders was a fairly simple matter with the current v2.03/2.04 versions.. Will yours be just as easy to link these two add-ons??

  4. #324
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Order Editor 1.3.7 Issues

    Quote Originally Posted by DarkAngel View Post
    well imho, and that is all it is...an opinion

    if it were me i would get with sturner with the changes...after all he is the one that made it to begin with.
    Angel, add-ons here have ALWAYS been an open affair, and never "owned" by any one person.. The LONG history of this mod is that it was an OC commerce mod ported for use with Zen Cart, and looking at it from that standpoint sturner is not THE original author..

    That said sturner has maintained this mod since v1.5, but even he would admit he is not the originator of this mod.. (a quick looksee at the changelog will confirm this..) He has done an awesome job, but asekeris is correct there are some issues with this mod, that many of us have overlooked and even accepted since it MOSTLY did what it was supposed to do.. I welcome his new update especially since it sounds like the right direction for this mod..

  5. #325

    Default Re: Order Editor 1.3.7 Issues

    Yes, you are correct. I am certainly not the original author of this mod. I just saw some things that annoyed me about it, and I fixed them and added some new features.

    I don't really use this mod anymore anyway, so I've simply kept it up for the community at large. The changes asekeris is working on sound great! The biggest problem with Edit Orders is that it doesn't handle multiple taxes right. Not a problem if you only have one tax per order, but European countries that use multiple VATs have big issues with this. If your changes somehow address that, that would be a big boon for a lot of users!

    I must admit, I really don't understand the security token that Zen Cart uses. I did find that with the newest version Zen Cart checks to see if there is a GET variable with certain things in it. One of those things is add_product. I assumed this was to prevent something from happening in Zen Cart. Edit Orders uses this value for a GET variable called action, so I just changed it to add_prdct. This GET variable, action, is used only within the edit orders file -- it calls itself through a link and does different things based on the GET and POST variables. It doesn't do anything with a standard Zen Cart file other than to load the headers, footers, db stuff, etc.... The way I fixed this doesn't affect any of the other Zen Cart files, as add_product is still not allowed in GET variables.

    Furthermore, the only way someone can gain access to your admin is to get your password. If they've got that, you've got big problems anyway.

    I suppose you could change it to a POST variable, which would also fix your problem. Then you'd need to change the link to a form with a post variable. Wouldn't be too difficult to do, but as it stands, I don't really see the point.

    Maybe I am missing something, but this seems secure to me. As with anything in life though, you take your chances! :)
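
The difference between the two approaches discussed in this thread, as an added PHP example that is not part of the post above and is not Zen Cart or Edit Orders code: a filter keyed on the GET action name depends on what the parameter value is called, while a check that requires POST plus a session token does not. The function names, the `token` field and the sample requests are assumptions made for illustration.

```php
<?php
// Added illustration; not Zen Cart or Edit Orders code. All names are hypothetical.

// Name-based filter: refuses listed action names when they arrive in the query string.
const BLOCKED_GET_ACTIONS = ['add_product'];

function passesNameFilter(array $req): bool
{
    $action = $req['get']['action'] ?? '';
    return !in_array($action, BLOCKED_GET_ACTIONS, true);
}

// Method-and-token check: a state-changing request must be a POST that carries
// the token stored in the admin session, whatever the action is called.
function passesTokenCheck(array $req, string $sessionToken): bool
{
    if ($req['method'] !== 'POST') {
        return false;
    }
    $sent = $req['post']['token'] ?? '';
    // hash_equals compares in constant time.
    return is_string($sent) && hash_equals($sessionToken, $sent);
}

// Token issued when the admin session starts (hypothetical stand-in for the session value).
$sessionToken = bin2hex(random_bytes(16));

// Constructed sample requests, modelled as plain arrays so the script runs offline.
$requests = [
    'GET link, action=add_product' =>
        ['method' => 'GET', 'get' => ['action' => 'add_product'], 'post' => []],
    'GET link, action=add_prdct' =>
        ['method' => 'GET', 'get' => ['action' => 'add_prdct'], 'post' => []],
    'POST form, no token' =>
        ['method' => 'POST', 'get' => [], 'post' => ['action' => 'add_product']],
    'POST form, session token' =>
        ['method' => 'POST', 'get' => [],
         'post' => ['action' => 'add_product', 'token' => $sessionToken]],
];

foreach ($requests as $label => $req) {
    printf(
        "%-30s name filter: %-6s token check: %s\n",
        $label,
        passesNameFilter($req) ? 'pass' : 'block',
        passesTokenCheck($req, $sessionToken) ? 'pass' : 'block'
    );
}
```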

  6. #326
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,021
    Plugin Contributions
    32

    Default Re: Order Editor 1.3.7 Issues

    Hey Scott.. not for nothing your fix will allow me and my fellow Zenners to move forward with our Super Order release.. Admittedly (if I didn't make it clear before..) while I think I understand the issue, I don't profess to understand the full extent of the security concerns that DrByte pointed out. I leave that for real smart people to figure out and explain to the rest of us "little people".. However, since the concern was brought up, I'm glad the real smart people are trying to work this out and improve this add-on even more..

    Lest it sound like I meant otherwise, your hard work on this add-on has been appreciated.. Yeah we ALL know Edit Orders is far from perfect, but it gets the job done for a great deal of store owners so thank you for keeping it up for the community!!! Beyond that anything that makes this add-on better is a good thing regardless of whoever brings it to the table..

    Quote Originally Posted by srturner47 View Post
    Yes, you are correct. I am certainly not the original author of this mod. I just saw some things that annoyed me about it, and I fixed them and added some new features.

    I don't really use this mod anymore anyway, so I've simply kept it up for the community at large. The changes asekeris is working on sound great! The biggest problem with Edit Orders is that it doesn't handle multiple taxes right. Not a problem if you only have one tax per order, but European countries that use multiple VATs have big issues with this. If your changes somehow address that, that would be a big boon for a lot of users!

    I must admit, I really don't understand the security token that Zen Cart uses. I did find that with the newest version Zen Cart checks to see if there is a GET variable with certain things in it. One of those things is add_product. I assumed this was to prevent something from happening in Zen Cart. Edit Orders uses this value for a GET variable called action, so I just changed it to add_prdct. This GET variable, action, is used only within the edit orders file -- it calls itself through a link and does different things based on the GET and POST variables. It doesn't do anything with a standard Zen Cart file other than to load the headers, footers, db stuff, etc.... The way I fixed this doesn't affect any of the other Zen Cart files, as add_product is still not allowed in GET variables.

    Furthermore, the only way someone can gain access to your admin is to get your password. If they've got that, you've got big problems anyway.

    I suppose you could change it to a POST variable, which would also fix your problem. Then you'd need to change the link to a form with a post variable. Wouldn't be too difficult to do, but as it stands, I don't really see the point.

    Maybe I am missing something, but this seems secure to me. As with anything in life though, you take your chances! :)

  7. #327
    Join Date
    Mar 2006
    Location
    Zevenbergen, NL
    Posts
    40
    Plugin Contributions
    0

    Default Re: Order Editor 1.3.7 Issues

    I am not attacking someone (even if it looks that way in my posts) just pointing to the problems.
    A lot of good things have been done to the mod by scot and i am taking them all into account while rewriting.
    At first i thought changing the redirecting to the new safer way was easy but after a few days struggling with the code i totally understand (i think) this new way of redirecting.
    It is easier said than done.
    I am working on it and getting closer and will release to the public as soon as possible so that everybody can take advantage of it.
    Because of the nature of this change the layout and flow of things has to change also and it is a lot of work to get this implemented and along the way clean up all the quick fixes and patches done by everyone in the past.

    I don't think it will be appreciated if i explain here in full detail how to handle and use this new safety method to the public and just limit myself to rewriting and make the finished files available in the add-on section.

    For now this is very high priority to me because i walked into the same problem with other mods i was working on but because they are more complex i decided to use this mod for testing.
    Working full days on this mod at the moment and hoping to release the first update this week.

  8. #328
    Join Date
    Sep 2008
    Location
    DownUnder, overlooking South Pole.
    Posts
    978
    Plugin Contributions
    6

    Default Re: Order Editor 1.3.7 Issues

    Intrigued by this add_product dilemma, I am wondering whether the following edit concerning edit_cart_v1.3 and performed to
    /includes/templates/template_default/templates/tpl_product_info_display.php,
    as discussed in the following link, may have a bearing upon this problem.

    http://www.zen-cart.com/forum/showpo...&postcount=145

    I made this edit under 139c and have not experienced any problems with it (fingers crossed).

    Cheers
    Last edited by dw08gm; 7 Nov 2010 at 02:58 PM. Reason: excess highlighting

  9. #329
    Join Date
    Jan 2004
    Posts
    66,419
    Blog Entries
    7
    Plugin Contributions
    277

    Default Re: Order Editor 1.3.7 Issues

    dw08gm, this is about admin-related stuff. Your post is about non-admin related stuff.
    While the "add_product" parameter is also used here, the concepts and issues at hand are entirely different.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  10. #330
    Join Date
    Sep 2008
    Location
    DownUnder, overlooking South Pole.
    Posts
    978
    Plugin Contributions
    6

    Default Re: Order Editor 1.3.7 Issues

    DrByte

    I feared as much. Thanks for the clarity.

    Cheers

 

 