Details
Bug
Resolution: Obsolete
Medium
None
4.1.3
None
Operating System: Linux
Description
The ezprice datatype doesn't check if it has the necessary POST variables before setting the attributes.
We have some users that should only edit the description and images of the products, so we created a siteaccess and design where the ezprice attribute is missing in the edit template. This messes up the VAT type in the ezprice attribute. We will add the missing information in hidden fields for now, but it is not very secure as it can be modified by the user using Firebug or similar tools. It would be much better if ezprice checks if it has the correct data before setting the VAT info in the db.
Suggested fix:
// Existing fetchObjectAttributeHTTPInput
function fetchObjectAttributeHTTPInput( $http, $base, $contentObjectAttribute )
{
    // All three POST variables are read without checking that they were submitted.
    $data = $http->postVariable( $base . "data_price" . $contentObjectAttribute->attribute( "id" ) );
    $vatType = $http->postVariable( $base . 'ezprice_vat_id' . $contentObjectAttribute->attribute( 'id' ) );
    $vatExInc = $http->postVariable( $base . 'ezprice_inc_ex_vat' . $contentObjectAttribute->attribute( 'id' ) );
    $locale = eZLocale::instance();
    $data = $locale->internalCurrency( $data );
    // With the VAT fields absent from the form, this becomes ','.
    $data_text = $vatType . ',' . $vatExInc;
    $contentObjectAttribute->setAttribute( "data_float", $data );
    $contentObjectAttribute->setAttribute( 'data_text', $data_text );
    return true;
}
Steps to reproduce
1. Create a new design
2. Override the edit template and remove the price attribute
3. Save a product
4. The data_text attribute of the price attribute now contains ',' instead of '<vatType>,<vatExInc>'
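
A guarded version of the handler this report asks for, as an added example that is neither eZ Publish's code nor the reporter's fix. `StubHttp`, `StubAttribute`, `fetchPriceInputGuarded` and the `ContentObjectAttribute` base string are hypothetical stand-ins so the file runs alone; the POST names are copied as shown in the report, and a plain float cast replaces the `eZLocale` conversion.

```php
<?php
// Hypothetical stand-ins for eZHTTPTool and eZContentObjectAttribute (not eZ Publish code).
class StubHttp
{
    private $post;
    public function __construct( array $post ) { $this->post = $post; }
    public function hasPostVariable( $name ) { return isset( $this->post[$name] ); }
    public function postVariable( $name ) { return $this->post[$name]; }
}
class StubAttribute
{
    public $data = array( 'id' => 42, 'data_float' => 10.0, 'data_text' => '1,2' );
    public function attribute( $name ) { return $this->data[$name]; }
    public function setAttribute( $name, $value ) { $this->data[$name] = $value; }
}

// Guarded variant: the stored price is touched only when all three fields were posted.
function fetchPriceInputGuarded( $http, $base, $attr )
{
    $id = $attr->attribute( 'id' );
    foreach ( array( 'data_price', 'ezprice_vat_id', 'ezprice_inc_ex_vat' ) as $name )
    {
        if ( !$http->hasPostVariable( $base . $name . $id ) )
        {
            return false; // field not in the edit template: keep the stored values
        }
    }
    $price    = $http->postVariable( $base . 'data_price' . $id );
    $vatType  = $http->postVariable( $base . 'ezprice_vat_id' . $id );
    $vatExInc = $http->postVariable( $base . 'ezprice_inc_ex_vat' . $id );
    // Assumption: float cast stands in for eZLocale::instance()->internalCurrency().
    $attr->setAttribute( 'data_float', (float) $price );
    $attr->setAttribute( 'data_text', $vatType . ',' . $vatExInc );
    return true;
}

// Constructed request 1: the edit template posted no price fields at all.
$attr = new StubAttribute();
var_dump( fetchPriceInputGuarded( new StubHttp( array() ), 'ContentObjectAttribute', $attr ) );
var_dump( $attr->data['data_text'] );

// Constructed request 2: all three fields present, so the attribute is updated.
$b = 'ContentObjectAttribute';
$post = array( $b . 'data_price42' => '19.5', $b . 'ezprice_vat_id42' => '3',
               $b . 'ezprice_inc_ex_vat42' => '1' );
var_dump( fetchPriceInputGuarded( new StubHttp( $post ), $b, $attr ) );
var_dump( $attr->data['data_text'] );
```

With this guard the restricted edit template needs no hidden VAT fields, so there is nothing client-side for the user to modify.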