# HG changeset patch
# User Víctor Martínez Romanos <victor.martinez@openbravo.com>
# Date 1451385154 -3600
#      Tue Dec 29 11:32:34 2015 +0100
# Node ID 0f2f9ebaeb234937c883a903dd939d78254dd313
# Parent  efa3da8d66bd88b2a114277ad6221c1256d7f051
Fixed bug 31580: code review improvements
Properly passing parameter to the HQL query
Force to check client+org when using admin mode

diff --git a/modules/org.openbravo.advpaymentmngt/src/org/openbravo/advpaymentmngt/utility/FIN_Utility.java b/modules/org.openbravo.advpaymentmngt/src/org/openbravo/advpaymentmngt/utility/FIN_Utility.java
--- a/modules/org.openbravo.advpaymentmngt/src/org/openbravo/advpaymentmngt/utility/FIN_Utility.java
+++ b/modules/org.openbravo.advpaymentmngt/src/org/openbravo/advpaymentmngt/utility/FIN_Utility.java
@@ -1357,15 +1357,15 @@
 
     List<String> pdList = null;
 
-    OBContext.setAdminMode();
+    OBContext.setAdminMode(true);
     try {
       final StringBuilder whereClause = new StringBuilder();
       whereClause.append(" select pd." + FIN_PaymentDetail.PROPERTY_ID);
       whereClause.append(" from " + FIN_PaymentDetail.ENTITY_NAME + " as pd");
       whereClause.append(" left join pd." + FIN_PaymentDetail.PROPERTY_FINPAYMENTSCHEDULEDETAILLIST
           + " as psd");
-      whereClause.append(" where pd." + FIN_PaymentDetail.PROPERTY_FINPAYMENT + ".id = '"
-          + paymentId + "'");
+      whereClause
+          .append(" where pd." + FIN_PaymentDetail.PROPERTY_FINPAYMENT + ".id = :paymentId ");
       whereClause.append(" and pd." + FIN_PaymentDetail.PROPERTY_ACTIVE + " = true");
       whereClause.append(" order by psd."
           + FIN_PaymentScheduleDetail.PROPERTY_INVOICEPAYMENTSCHEDULE);
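Review bot: The switch to `OBContext.setAdminMode(true)` probably does not restrict this query by client and organization, because the statement is raw HQL run through `getSession().createQuery(...)` (second hunk) and, as far as I know, only `OBQuery`/`OBCriteria` append the readable-client and readable-organization filters. If that holds, the rows returned still depend only on `:paymentId`, so the caller must already have access-checked the payment. I would either say so above the query, `// raw HQL: no automatic client/org filter here; paymentId must come from an access-checked FIN_Payment`, or build the lookup with `OBQuery` so the filters are applied. The remaining concatenations are entity constants, so binding the id closes the injection path. The enclosing method starts and ends outside the hunk.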
@@ -1373,6 +1373,7 @@
           + FIN_PaymentScheduleDetail.PROPERTY_ORDERPAYMENTSCHEDULE + ",'0')");
 
       Query query = OBDal.getInstance().getSession().createQuery(whereClause.toString());
+      query.setParameter("paymentId", paymentId);
       pdList = query.list();
 
     } finally {
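Review bot: `query.setParameter("paymentId", paymentId)` leaves the bind type to Hibernate's inference. If `paymentId` is a `String` (its declaration is outside the hunk), `query.setString("paymentId", paymentId);` states the type and stops compiling if the argument type ever changes. `pdList = query.list()` is also an unchecked assignment from a raw `List` to `List<String>`; it deserves a narrowly scoped `@SuppressWarnings("unchecked")` with a comment that the select returns only ids. The `finally` body is outside the hunk, so I could not confirm that it calls `OBContext.restorePreviousMode()`.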
