pref: 优化操作员查看订单详情时--越权问题

This commit is contained in:
wangbiao
2026-02-05 15:32:14 +08:00
parent aa5a29833f
commit e3c3484681


@@ -22,14 +22,11 @@ class ome_finder_orders{
var $detail_basic = '基本信息';
var $detail_goods = '订单明细';
var $detail_pmt = '优惠方案';
// var $detail_service = '服务订单';
var $detail_bill = '收退款记录';
// var $detail_refund_apply = '退款申请记录';
var $detail_delivery = '发货记录';
var $detail_mark = '商家备注';
var $detail_abnormal = '订单异常备注';
var $detail_history = '订单操作记录';
//var $detail_aftersale = '售后记录';
var $detail_custom_mark = '客户备注';
var $detail_shipment = '发货日志';
var $detail_prodcut_store = '库存明细';
@@ -37,21 +34,11 @@ class ome_finder_orders{
var $detail_freeze = '订单冻结流水';
function __construct(){
if(($_GET['ctl'] == 'admin_order'
&& ($_GET['act'] == 'confirm' || $_GET['act'] == 'index' || $_GET['flt'] == 'buffer' || $_GET['flt'] == 'assigned'))
|| $_GET['ctl']=='admin_order_lack'){
if($_GET['act'] == 'index' || $_GET['act'] == 'confirm' || $_GET['act'] == 'pending' || $_GET['act'] == 'processed'){
//nothing
}else{
unset($this->column_confirm);
}
//剔除复审操作按扭
if($_GET['ctl'] == 'admin_order' && $_GET['act'] == 'retrial'){
//nothing
}else{
unset($this->column_abnormal_status);
unset($this->column_mark_text);
}
}
function detail_basic($order_id){
@@ -59,6 +46,31 @@ class ome_finder_orders{
$oOrders = app::get('ome')->model('orders');
$oOperation_log = app::get('ome')->model('operation_log');
// order_id
$order_id = intval($order_id);
if (!empty($_POST) && isset($_POST['order']['order_id'])) {
if($_POST['order']['order_id']){
$order_id = $_POST['order']['order_id'];
}else{
$order_id = 0;
}
}
// filter
$base_filter = array('order_id'=>$order_id);
//check shop permission
$organization_permissions = kernel::single('desktop_user')->get_organization_permission();
if($organization_permissions){
$base_filter['org_id'] = $organization_permissions;
}
$order_detail = $oOrders->dump($base_filter,"*",array("order_items"=>array("*")));
if(empty($order_detail)){
$error_msg = '订单不存在,或者账号无权访问该订单';
return '<div style="padding:16px;color:#c00;">' . htmlspecialchars($error_msg, ENT_QUOTES, 'UTF-8') . '</div>';
}
if($_POST){
if($_POST['is_flag']){
//开票提交业务处理
@@ -71,16 +83,6 @@ class ome_finder_orders{
switch($_POST['order_action']){
case "cancel" :
$memo = "订单被取消";
/***
* 代码已不使用
*
* TODO: 订单取消作为单独的日志记录
$oOrders->unfreez($order_id);
$oOrders->cancel_delivery($order_id);
$oOperation_log->write_log('order_modify@ome',$order_id,$memo);
*
***/
break;
case "order_limit_time" :
$plainData = $_POST['order'];
@@ -151,7 +153,7 @@ class ome_finder_orders{
//写操作日志
}
$order_detail = $oOrders->dump($order_id,"*",array("order_items"=>array("*")));
// 判断是否加密
$order_detail['is_encrypt'] = kernel::single('ome_security_router',$order_detail['shop_type'])->show_encrypt($order_detail, 'order');
$invoiceMdl = app::get('ome')->model('order_invoice');
@@ -337,7 +339,6 @@ class ome_finder_orders{
return $render->fetch('admin/order/detail_basic.html');
}
//开票提交显示
//开票提交显示
private function submit_invoice_show(&$order_detail){
//发票相关 获取是否有订单相关的发票信息 有的话取最新一条发票信息
@@ -419,10 +420,29 @@ class ome_finder_orders{
$render = app::get('ome')->render();
$oOrder = app::get('ome')->model('orders');
// order_id
$order_id = intval($order_id);
// filter
$base_filter = array('order_id'=>$order_id);
//check shop permission
$organization_permissions = kernel::single('desktop_user')->get_organization_permission();
if($organization_permissions){
$base_filter['org_id'] = $organization_permissions;
}
// orderInfo
$orders = $oOrder->getRow($base_filter,'order_id,shop_type,order_source,process_status,settlement_amount');
if(empty($orders)){
$error_msg = '订单不存在,或者账号无权访问该订单明细';
return '<div style="padding:16px;color:#c00;">' . htmlspecialchars($error_msg, ENT_QUOTES, 'UTF-8') . '</div>';
}
$item_list = $oOrder->getItemList($order_id,true);
$item_list = ome_order_func::add_getItemList_colum($item_list);
ome_order_func::order_sdf_extend($item_list);
$orders = $oOrder->getRow(array('order_id'=>$order_id),'order_id,shop_type,order_source,process_status');
$is_consign = false;
//淘宝代销订单增加代销价
@@ -636,8 +656,25 @@ class ome_finder_orders{
$oOrder_pmt = app::get('ome')->model('order_pmt');
$ordersObj = app::get('ome')->model('orders');
// order_id
$order_id = intval($order_id);
// filter
$base_filter = array('order_id'=>$order_id);
//check shop permission
$organization_permissions = kernel::single('desktop_user')->get_organization_permission();
if($organization_permissions){
$base_filter['org_id'] = $organization_permissions;
}
//订单信息
$orderInfo = $ordersObj->dump(array('order_id'=>$order_id), 'order_bn,shop_type,api_version');
$orderInfo = $ordersObj->dump($base_filter, 'order_bn,shop_type,api_version');
if(empty($orderInfo)){
$error_msg = '订单不存在,或者账号无权访问该订单优惠信息';
return '<div style="padding:16px;color:#c00;">' . htmlspecialchars($error_msg, ENT_QUOTES, 'UTF-8') . '</div>';
}
$render->pagedata['orderInfo'] = $orderInfo;
//优惠券信息
@@ -770,13 +807,33 @@ class ome_finder_orders{
$oReship = app::get('ome')->model('reship');
$oWms_delivery = app::get('wms')->model('delivery');
$obj_order = app::get('ome')->model('orders');
// order_id
$order_id = intval($order_id);
// filter
$base_filter = array('order_id'=>$order_id);
//check shop permission
$organization_permissions = kernel::single('desktop_user')->get_organization_permission();
if($organization_permissions){
$base_filter['org_id'] = $organization_permissions;
}
// orderInfo
$orderInfo = $obj_order->dump($order_id, '*');
if(empty($orderInfo)){
$error_msg = '订单不存在,或者账号无权访问该订单发货信息';
return '<div style="padding:16px;color:#c00;">' . htmlspecialchars($error_msg, ENT_QUOTES, 'UTF-8') . '</div>';
}
$wms_delivery = $oWms_delivery->getDeliveryByOrder($order_id);
$oBranch = app::get('ome')->model('branch');
$delivery = $oDelivery->getDeliveryByOrder('branch_id,create_time,delivery_id,delivery_bn,logi_id,logi_no,logi_name,ship_name,delivery,branch_id,stock_status,deliv_status,expre_status,status,weight',$order_id);
$reship = $oReship->getList('t_begin,reship_id,reship_bn,logi_no,ship_name,delivery',array('order_id'=>$order_id));
$wms_id = kernel::single('wms_branch')->getBranchByselfwms();
$order_info = $obj_order->dump($order_id,'order_bn');
#检测是否开启华强宝物流
$is_hqepay_on = app::get('ome')->getConf('ome.delivery.hqepay');
if($is_hqepay_on == 'false'){
@@ -806,7 +863,7 @@ class ome_finder_orders{
//获取京东物流包裹明细
$deliveryPackage = $this->getOrderDeliveryPackage($order_id);
$render->pagedata['order_bn'] = $order_info['order_bn'];
$render->pagedata['order_bn'] = $orderInfo['order_bn'];
$render->pagedata['is_hqepay_on'] = $is_hqepay_on;
$render->pagedata['delivery'] = $delivery;
$render->pagedata['wms_delivery'] = $wms_delivery;
@@ -919,9 +976,9 @@ class ome_finder_orders{
$oldmemo= unserialize($oldmemo['mark_text']);
$op_name = kernel::single('desktop_user')->get_name();
if ($oldmemo)
foreach($oldmemo as $k=>$v){
$memo[] = $v;
}
foreach($oldmemo as $k=>$v){
$memo[] = $v;
}
$newmemo = htmlspecialchars($_POST['order']['mark_text']);
$newmemo = array('op_name'=>$op_name, 'op_time'=>date('Y-m-d H:i:s',time()), 'op_content'=>$newmemo);
$memo[] = $newmemo;
@@ -1091,7 +1148,7 @@ class ome_finder_orders{
function detail_shipment($order_id) {
$render = app::get('ome')->render();
$orderObj = app::get('ome')->model('orders');
$shipmentObj = & app::get('ome')->model('shipment_log');
$shipmentObj = app::get('ome')->model('shipment_log');
$userObj = app::get('desktop')->model('users');
$order = $orderObj->dump($order_id);
@@ -1136,14 +1193,6 @@ class ome_finder_orders{
return $render->fetch('admin/order/detail_shipment.html');
}
/*function detail_aftersale($order_id){
$render = app::get('ome')->render();
$oReturn = app::get('ome')->model('return_product');
$return = $oReturn->Get_aftersale_list($order_id);
$render->pagedata['return'] = $return;
return $render->fetch('admin/order/detail_aftersale.html');
}*/
var $addon_cols = "print_status,confirm,dt_begin,status,process_status,tax_no,ship_status,op_id,group_id,mark_text,auto_status,custom_mark,mark_type,tax_company,createtime,paytime,sync,pay_status,is_cod,source,order_type,order_bool_type,timing_confirm,shop_type,tostr,itemnum,delivery_time,abnormal_status,shipping,order_source,is_delivery,step_trade_status";
var $column_confirm='操作';
var $column_confirm_width = "120";
@@ -1200,7 +1249,7 @@ class ome_finder_orders{
$result = '';
$order_id = $row['order_id'];
switch ($row['_0_sync']) {
switch ($row[$this->col_prefix.'sync']) {
case 'none':
$result = "<a href='index.php?app=ome&ctl=admin_consign&act=do_sync&p[0]={$order_id}&finder_id=$find_id' target='download'>发货</a>";
break;
@@ -1515,13 +1564,6 @@ EOF;
return $difftime['d'] . '天' . $difftime['h'] . '小时' . $difftime['m'] . '分';
}
/**
* 获取ViewPanel
* @param mixed $color color
* @param mixed $msg msg
* @param mixed $title title
* @return mixed 返回结果
*/
public function getViewPanel($color, $msg, $title) {
return sprintf("<div onmouseover='bindFinderColTip(event)' rel='%s' style='width:18px;padding:2px;height:16px;background-color:%s;float:left;color:#ffffff;'>&nbsp;%s&nbsp;</div>", $msg, $color, $title);
@@ -1534,21 +1576,15 @@ EOF;
function column_print_status($row) {
$stockColor = (($row['_0_print_status'] & 0x02) == 0x02) ? 'green' : '#eeeeee';
$delivColor = (($row['_0_print_status'] & 0X04) == 0X04) ? 'red' : '#eeeeee';
$expreColor = (($row['_0_print_status'] & 0x01) == 0x01) ? 'gold' : '#eeeeee';
$stockColor = (($row[$this->col_prefix.'print_status'] & 0x02) == 0x02) ? 'green' : '#eeeeee';
$delivColor = (($row[$this->col_prefix.'print_status'] & 0X04) == 0X04) ? 'red' : '#eeeeee';
$expreColor = (($row[$this->col_prefix.'print_status'] & 0x01) == 0x01) ? 'gold' : '#eeeeee';
$ret = $this->_getViewPanel('备货单', $stockColor);
$ret .= $this->_getViewPanel('发货单', $delivColor);
$ret .= $this->_getViewPanel('快递单', $expreColor);
return $ret;
}
/**
* _getViewPanel
* @param mixed $caption caption
* @param mixed $color color
* @return mixed 返回值
*/
public function _getViewPanel($caption, $color) {
if ($color == '#eeeeee')
$caption .= '未打印';
@@ -1591,68 +1627,6 @@ EOF;
return date('Y-m-d H:i:s', $timeConfirm);
}
var $column_abnormal_status = '复审操作';
var $column_abnormal_status_width = '110';
var $column_abnormal_status_order = '10';
function column_abnormal_status($row)
{
$find_id = $_GET['_finder']['finder_id'];
$order_id = $row['order_id'];
//不是复审订单,直接返回
if($row[$this->col_prefix.'process_status'] != 'is_retrial'){
return '';
}
$sql = "SELECT id, retrial_type, status FROM ".DB_PREFIX."ome_order_retrial WHERE order_id='".$order_id."' AND status in('0', '2') ORDER BY dateline DESC";
$result = kernel::database()->select($sql);
$str = '<a href="index.php?app=ome&ctl=admin_order&act=view_edit&p[0]='.$order_id.'&finder_id='.$find_id.'&oldsource=active" target="_blank">编辑</a>';
if($result[0]['status'] == '2' && $result[0]['retrial_type'] == 'normal')
{
return $str.' | <a href="index.php?app=ome&ctl=admin_order&act=retrial_rollback&p[0]='.$order_id.'&finder_id='.$find_id.'&oldsource=retrial" target="_blank" style="color:red;">恢复原订单</a>';
}
elseif($result[0]['status'] == '2')
{
return $str.'<span style="color:#999">(价格复审)</span>';
}
else
{
return '<span style="color:#999">未审核</span>';
}
}
var $column_mark_text = '复审备注';
var $column_mark_text_width = '130';
var $column_mark_text_order = '15';
function column_mark_text($row)
{
$order_id = $row['order_id'];
//不是复审订单,直接返回
if($row[$this->col_prefix.'process_status'] != 'is_retrial'){
return '';
}
$sql = "SELECT id, remarks, lastdate FROM ".DB_PREFIX."ome_order_retrial WHERE order_id='".$order_id."' AND status in('0', '2') ORDER BY dateline DESC";
$result = kernel::database()->select($sql);
$html = strip_tags(htmlspecialchars($result[0]['remarks']));
return "<div onmouseover='bindFinderColTip(event)' rel='".$html.' by '.date('Y-m-d H:i:s', $result[0]['lastdate'])."'>".$html."<div>";
}
// function detail_service($order_id){
// $render = app::get('ome')->render();
// $serviceObj = app::get('ome')->model('order_service');
// $service_list = $serviceObj->getList('*',array('order_id'=>$order_id));
// $render->pagedata['service_list'] = $service_list;
// return $render->fetch('admin/order/detail_service.html');
// }
var $column_order_combined_confirm = '已合并审单';
var $column_order_combined_confirm_width = "60";
function column_order_combined_confirm($row) {
@@ -1696,12 +1670,6 @@ EOF;
public $column_push_time = '推单时间';
public $column_push_time_width = '120';
/**
* column_push_time
* @param mixed $row row
* @param mixed $list list
* @return mixed 返回值
*/
public function column_push_time($row, $list) {
$extend = $this->__getOrderExtend($list);
$time = $extend[$row['order_id']]['push_time'];
@@ -1724,12 +1692,6 @@ EOF;
public $column_collect_time = '揽收时间';
public $column_collect_time_width = '120';
/**
* column_collect_time
* @param mixed $row row
* @param mixed $list list
* @return mixed 返回值
*/
public function column_collect_time($row, $list) {
$extend = $this->__getOrderExtend($list);
$time = $extend[$row['order_id']]['collect_time'];
@@ -1738,12 +1700,6 @@ EOF;
}
public $column_added_serivces = '增值服务';
/**
* column_added_serivces
* @param mixed $row row
* @param mixed $list list
* @return mixed 返回值
*/
public function column_added_serivces($row, $list){
$extend = $this->__getOrderExtend($list);
$img = '';
@@ -1781,12 +1737,6 @@ EOF;
public $column_latest_delivery_time = '最晚发货时间';
public $column_latest_delivery_time_width = '120';
/**
* column_latest_delivery_time
* @param mixed $row row
* @param mixed $list list
* @return mixed 返回值
*/
public function column_latest_delivery_time($row, $list) {
$extend = $this->__getOrderExtend($list);
$time = $extend[$row['order_id']]['latest_delivery_time'];
@@ -1813,12 +1763,6 @@ EOF;
public $column_promised_collect_time = '承诺最晚揽收时间';
public $column_promised_collect_time_width = '120';
/**
* column_promised_collect_time
* @param mixed $row row
* @param mixed $list list
* @return mixed 返回值
*/
public function column_promised_collect_time($row, $list) {
$extend = $this->__getOrderExtend($list);
$time = $extend[$row['order_id']]['promised_collect_time'];
@@ -1827,12 +1771,6 @@ EOF;
public $column_promised_sign_time = '承诺最晚送达时间';
public $column_promised_sign_time_width = '120';
/**
* column_promised_sign_time
* @param mixed $row row
* @param mixed $list list
* @return mixed 返回值
*/
public function column_promised_sign_time($row, $list) {
$extend = $this->__getOrderExtend($list);
$time = $extend[$row['order_id']]['promised_sign_time'];
@@ -1844,12 +1782,6 @@ EOF;
public $column_order_label = '订单标记';
public $column_order_label_width = 260;
public $column_order_label_order = 30;
/**
* column_order_label
* @param mixed $row row
* @param mixed $list list
* @return mixed 返回值
*/
public function column_order_label($row, $list)
{
$order_id = $row['order_id'];
@@ -1927,12 +1859,6 @@ EOF;
public $column_delivery_errormsg = '发货失败信息';
public $column_delivery_errormsg_width = 300;
public $column_delivery_errormsg_order = 99;
/**
* column_delivery_errormsg
* @param mixed $row row
* @param mixed $list list
* @return mixed 返回值
*/
public function column_delivery_errormsg($row, $list)
{
//不是已发货状态,直接返回
@@ -2016,11 +1942,6 @@ EOF;
return kernel::single('ome_preprocess_const')->getBoolTypeIdentifier($row[$this->col_prefix.'abnormal_status'], $row[$this->col_prefix.'shop_type']);
}
/**
* detail_prodcut_store
* @param mixed $order_id ID
* @return mixed 返回值
*/
public function detail_prodcut_store($order_id)
{
$render = app::get('ome')->render();
@@ -2081,11 +2002,6 @@ EOF;
return $render->fetch('admin/order/detail_product_store.html');
}
/**
* detail_freeze
* @param mixed $order_id ID
* @return mixed 返回值
*/
public function detail_freeze($order_id)
{
$render = app::get('ome')->render();
@@ -2372,12 +2288,6 @@ EOF;
var $column_promise_service = '物流服务标签';
var $column_promise_service_width = 320;
/**
* column_promise_service
* @param mixed $row row
* @param mixed $list list
* @return mixed 返回值
*/
public function column_promise_service($row, $list)
{
$extend = $this->__getOrderExtend($list);
@@ -2406,12 +2316,6 @@ EOF;
var $column_shipping_name = '配送方式';
var $column_shipping_name_width = 120;
var $column_shipping_name_order = 35;
/**
* column_shipping_name
* @param mixed $row row
* @param mixed $list list
* @return mixed 返回值
*/
public function column_shipping_name($row, $list)
{
$shipping_code = $row[$this->col_prefix.'shipping'];
@@ -2453,8 +2357,24 @@ EOF;
$logiLib = kernel::single('logisticsmanager_waybill_pdd');
//订单信息
$orderInfo = $orderMdl->dump($order_id);
// order_id
$order_id = intval($order_id);
// filter
$base_filter = array('order_id'=>$order_id);
//check shop permission
$organization_permissions = kernel::single('desktop_user')->get_organization_permission();
if($organization_permissions){
$base_filter['org_id'] = $organization_permissions;
}
// orderInfo
$orderInfo = $orderMdl->dump($base_filter, '*');
if(empty($orderInfo)){
$error_msg = '订单不存在,或者账号无权访问该订单平台建议信息';
return '<div style="padding:16px;color:#c00;">' . htmlspecialchars($error_msg, ENT_QUOTES, 'UTF-8') . '</div>';
}
//订单明细信息
$orderObjList = $orderObjMdl->getList('*', array('order_id'=>$order_id));
@@ -2560,7 +2480,6 @@ EOF;
}
}
return $epList[$order_bn];
}
}
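Review bot: In the detail_delivery hunk the new organization filter is built but never used — `$orderInfo = $obj_order->dump($order_id, '*');` queries by order_id alone, so the "账号无权访问该订单发货信息" branch only fires for nonexistent orders and an operator outside the order's org still gets the full delivery view. It should read `$orderInfo = $obj_order->dump($base_filter, '*');`, as the detail_pmt and platform-suggestion hunks already do. In detail_basic the `intval()` cast is undone when `$order_id` is re-assigned from `$_POST['order']['order_id']`; that line should be `$order_id = intval($_POST['order']['order_id']);` so the filter value is an integer on every path. Every new check also adds no org constraint when `get_organization_permission()` returns an empty value, so an account with no org grants would pass all of them — worth confirming that empty really means "all organizations" rather than "none". detail_shipment still does `$order = $orderObj->dump($order_id);` with no check; its body continues outside the hunk.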