# HG changeset patch
# User Mario Castello <mario.castello@peoplewalking.com>
# Date 1475526390 21600
#      lun oct 03 14:26:30 2016 -0600
# Node ID 8d9078777883419d9ab14d882bb0c2e0ae326f61
# Parent  f5659c6426a1c7709be95d2d41c7d4edc75ee0bf
Fixed issue 34089: Added a correct validation to prevent wrong results.
Prevent SQL injection.

diff --git a/src/org/openbravo/retail/stockvalidation/OrderFromQuotationStockChecker.java b/src/org/openbravo/retail/stockvalidation/OrderFromQuotationStockChecker.java
--- a/src/org/openbravo/retail/stockvalidation/OrderFromQuotationStockChecker.java
+++ b/src/org/openbravo/retail/stockvalidation/OrderFromQuotationStockChecker.java
@@ -40,10 +40,12 @@
         String hqlQuery = "select sum(ms.quantityOnHand) as qtyonhand "
             + "from MaterialMgmtStorageDetail ms " + "where ms.storageBin.warehouse.id in ("
             + "SELECT ow.warehouse.id " + "FROM OrganizationWarehouse as ow " + "WHERE "
-            + "ow.organization.id = '" + orgId + "') " + "and ms.product.id = '" + productId + "'";
+            + "ow.organization.id = :orgId) and ms.product.id = :productId ";
 
         final Session session = OBDal.getInstance().getSession();
         final Query query = session.createQuery(hqlQuery);
+        query.setString("orgId", orgId);
+        query.setString("productId", productId);
 
         if (query.uniqueResult() != null) {
           unitsFound = new BigDecimal(query.uniqueResult().toString());
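Review bot: `query.uniqueResult()` is evaluated twice on the two lines right after the new `setString` bindings, once for the null check and once for the `BigDecimal` conversion, so the stock query runs against the session twice per check and the two reads could in principle see different rows. Bind the result once: `final Object qtyOnHand = query.uniqueResult();` / `if (qtyOnHand != null) {` / `unitsFound = new BigDecimal(qtyOnHand.toString());`. The `Query` on the context line above is a raw type; if the project's Hibernate version offers a typed `createQuery`, it would let the cast go away, but that is outside this change. The enclosing method starts and ends outside the hunk.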
@@ -51,9 +53,7 @@
           unitsFound = BigDecimal.ZERO;
         }
 
-        if (unitsFound.compareTo(qtyToBuy) >= 0) {
-          allowSell = true;
-        }
+        allowSell = unitsFound.compareTo(qtyToBuy) >= 0;
 
         JSONObject preFinalResult = new JSONObject();
         preFinalResult.put("allowSell", allowSell);
diff --git a/web/org.openbravo.retail.stockvalidation/js/modals.js b/web/org.openbravo.retail.stockvalidation/js/modals.js
--- a/web/org.openbravo.retail.stockvalidation/js/modals.js
+++ b/web/org.openbravo.retail.stockvalidation/js/modals.js
@@ -124,9 +124,7 @@
                     if (curLine.availableQty <= 0) {
                       me.model.get('order').deleteLine(me.model.get('order').get('lines').at(curLine.index));
                     } else {
-                      me.model.get('order').get('lines').at(curLine.index).set('qty', curLine.availableQty, {
-                        silent: true
-                      });
+                      me.model.get('order').get('lines').at(curLine.index).set('qty', curLine.availableQty);
                     }
                   }, this);
                 },
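Review bot: The `set('qty', curLine.availableQty)` call in this hunk, and the identical one in the next hunk at L52-L62, are no longer silent, so each corrected line presumably re-enters the `change:qty` listener that this file attaches to added lines and triggers a further server validation for the adjusted quantity; if that second round-trip is the intended re-check, a one-line comment would stop the next reader from restoring `silent: true`, e.g. `// not silent on purpose: the change:qty listener re-validates the corrected qty`. The two callbacks holding these lines are byte-for-byte duplicates, so the loop body could be extracted into one helper taking `curLine` and `me`. The enclosing functions start and end outside the hunk.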
@@ -146,9 +144,7 @@
                     if (curLine.availableQty <= 0) {
                       me.model.get('order').deleteLine(me.model.get('order').get('lines').at(curLine.index));
                     } else {
-                      me.model.get('order').get('lines').at(curLine.index).set('qty', curLine.availableQty, {
-                        silent: true
-                      });
+                      me.model.get('order').get('lines').at(curLine.index).set('qty', curLine.availableQty);
                     }
                   }, this);
                 }
@@ -167,16 +163,16 @@
       if (!OB.MobileApp.model.hasPermission('OBPOSSV_EnableStockValidation', true)) {
         return;
       }
-      if (!addedModel.get('product').get('stocked') || addedModel.get('qty') < 0 || this.model.get('order').get('orderType') === 1 || this.model.get('order').get('isPaid') === true || this.model.get('order').get('isQuotation') === true) {
-        return;
-      }
-      executeCallToServer(addedModel);
       addedModel.on('change:qty', function (changedModel) {
         if (!addedModel.get('product').get('stocked') || addedModel.get('qty') < 0 || this.model.get('order').get('orderType') === 1 || this.model.get('order').get('isPaid') === true || this.model.get('order').get('isQuotation') === true) {
           return;
         }
         executeCallToServer(changedModel);
       }, this);
+      if (!addedModel.get('product').get('stocked') || addedModel.get('qty') < 0 || this.model.get('order').get('orderType') === 1 || this.model.get('order').get('isPaid') === true || this.model.get('order').get('isQuotation') === true) {
+        return;
+      }
+      executeCallToServer(addedModel);
     }, this);
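Review bot: The guard on the added lines L77-L79 repeats, word for word, the guard inside the `change:qty` listener on L72, and with the listener now registered before the early return the two conditions must stay in step; extract them into one predicate, e.g. `function skipStockValidation(line, order) { return !line.get('product').get('stocked') || line.get('qty') < 0 || order.get('orderType') === 1 || order.get('isPaid') === true || order.get('isQuotation') === true; }`, and call it from both places. Inside the listener the reads go through `addedModel` while the server call receives `changedModel`; the two refer to the same line model when the event fires on `addedModel`, but reading `changedModel` throughout would make that explicit. The enclosing handler starts outside the hunk.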
 
     this.model.get('order').on('orderCreatedFromQuotation', function () {
