Openbravo Issue Tracking System - Retail Modules
View Issue Details
0035981 | Retail Modules | Web POS | public | 2017-05-12 09:15 | 2017-10-25 12:21
jonibc 
jorge-garcia 
high | major | always
closed | fixed
5
 
pi | RR18Q1
marvintm
No
0035981: [SERQA 2847] Buttons for customer and locations are not blocked in synchronized mode.
Buttons for customer and locations are not blocked in synchronized mode.
If the user clicks the button, it is possible to click it again, sending multiple requests.

A malicious user can block the whole server if thousands of requests are made.

It is reproducible in livebuilds.
1.- Set "WebPOS Synchronized Mode" preference with value 'Y', check the selected flag.
2.- Log in to the WebPOS.
3.- Open customer selection component.
4.- Insert some data for the customer.
5.- Click on Save button several times. It is possible to check in Chrome Developer Tools that several requests are done to the backend.

It is possible to reproduce the issue in address component:
1.- Set "WebPOS Synchronized Mode" preference with value 'Y', check the selected flag.
2.- Log in to the WebPOS.
3.- Select a customer different from anonymous.
4.- Open the addresses component.
5.- Insert some data for the address.
6.- Click on Save button several times. It is possible to check in Chrome Developer Tools that several requests are done to the backend.

Block the buttons once the user clicks them one time.

It would be nice to check if we have the same behavior in other buttons.
No tags attached.
related to defect 0036275 closed ranjith_qualiantech_com [SERQA 3022] Error callback not done in runSyncProcess (PostCustomerSave hook) 
related to defect 0036701 closed jorge-garcia [SERQA 3212] EnableButtonsCallback is not done in cancellation of BeforeCustomerAddrSave hook 
related to defect 0037186 closed ranjith_qualiantech_com "Save" button blocked in Edit Customer window when pressed after leaving mandatory field empty 
diff issue35981Posterminal17Q1.diff (11,494) 2017-10-23 17:47
https://issues.openbravo.com/file_download.php?file_id=11218&type=bug
Issue History
2017-05-12 09:15 | jonibc | New Issue
2017-05-12 09:15 | jonibc | Assigned To | => Retail
2017-05-12 09:15 | jonibc | Resolution time | => 1495836000
2017-05-12 09:15 | jonibc | Triggers an Emergency Pack | => No
2017-05-12 10:35 | jonibc | Description Updated | bug_revision_view_page.php?rev_id=15155#r15155
2017-05-12 10:35 | jonibc | Proposed Solution updated
2017-05-19 09:53 | jorge-garcia | Status | new => scheduled
2017-05-19 09:53 | jorge-garcia | Assigned To | Retail => jorge-garcia
2017-05-24 08:39 | hgbot | Checkin
2017-05-24 08:39 | hgbot | Note Added: 0096737
2017-05-24 08:39 | hgbot | Status | scheduled => resolved
2017-05-24 08:39 | hgbot | Resolution | open => fixed
2017-05-24 08:39 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/c39c5cd6c40102c2dce7872c48da36e7f049657e
2017-05-25 19:15 | marvintm | Note Added: 0096820
2017-05-25 19:15 | marvintm | Status | resolved => new
2017-05-25 19:15 | marvintm | Resolution | fixed => open
2017-05-25 19:17 | marvintm | Type | design defect => defect
2017-05-29 11:49 | jorge-garcia | Status | new => scheduled
2017-05-29 16:19 | hgbot | Checkin
2017-05-29 16:19 | hgbot | Note Added: 0096859
2017-05-29 16:35 | jorge-garcia | Status | scheduled => resolved
2017-05-29 16:35 | jorge-garcia | Resolution | open => fixed
2017-05-30 17:34 | marvintm | Review Assigned To | => marvintm
2017-05-30 17:34 | marvintm | Status | resolved => closed
2017-05-30 17:34 | marvintm | Fixed in Version | => RR17Q3
2017-06-19 17:15 | jonibc | Relationship added | related to 0036275
2017-08-23 10:35 | jonibc | Relationship added | related to 0036701
2017-10-23 09:44 | hgbot | Checkin
2017-10-23 09:44 | hgbot | Note Added: 0099983
2017-10-23 09:44 | hgbot | Status | closed => resolved
2017-10-23 09:44 | hgbot | Fixed in SCM revision | http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/c39c5cd6c40102c2dce7872c48da36e7f049657e => http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/e27d059326bf32decf03adf2664d78fda697fccb
2017-10-23 09:44 | hgbot | Checkin
2017-10-23 09:44 | hgbot | Note Added: 0099984
2017-10-23 09:44 | hgbot | Fixed in SCM revision | http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/e27d059326bf32decf03adf2664d78fda697fccb => http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/c89293205f97843b892e530578e79b43e0b4d2df
2017-10-23 17:47 | migueldejuana | File Added: issue35981Posterminal17Q1.diff
2017-10-24 10:04 | migueldejuana | Note Added: 0100014
2017-10-25 12:21 | jorge-garcia | Note Added: 0100052
2017-10-25 12:21 | jorge-garcia | Status | resolved => closed
2017-10-25 12:21 | jorge-garcia | Fixed in Version | RR17Q3 => RR18Q1
2017-10-31 11:16 | ranjith_qualiantech_com | Relationship added | related to 0037186

Notes
(0096737)
hgbot   
2017-05-24 08:39   
Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: c39c5cd6c40102c2dce7872c48da36e7f049657e
Author: Jorge Garcia <jorge.garcia <at> openbravo.com>
Date: Fri May 19 13:47:38 2017 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/c39c5cd6c40102c2dce7872c48da36e7f049657e

Fixed issue 35981: [SERQA 2847] Buttons for customer and locations are not
blocked in synchronized mode.

The solution is to disable the Save and Cancel buttons during the synchronization
process, for both the standard and the synchronized flow.

Once the process has ended, the buttons are enabled again.

Due to the code, it has been necessary to change also the data save process for
customer addresses.

---
M web/org.openbravo.retail.posterminal/js/data/datacustomeraddrsave.js
M web/org.openbravo.retail.posterminal/js/model/bplocation.js
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customeraddress/components/sharedcomponents.js
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customeraddress/editcreatecustomeraddress.js
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customers/components/sharedcomponents.js
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customers/editcreatecustomerform.js
---
(0096820)
marvintm   
2017-05-25 19:15   
There is a problem currently with the Address popup, and you may end up with the buttons permanently disabled:
- Click on address selector
- Click on button "New Address"
- Fill address form fields.
- Click on Save. Address is saved, and "Edit" orange button is shown.
- Click on Edit button.
- Click on Save button again.
- Click on Edit button again.
- Verify that Save and Cancel buttons are now disabled, and the only way to get them enabled again is to refresh browser.
(0096859)
hgbot   
2017-05-29 16:19   
Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: 6e7556bd0d9982ed6f9832720e89b7b325c54554
Author: Jorge Garcia <jorge.garcia <at> openbravo.com>
Date: Mon May 29 11:50:13 2017 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/6e7556bd0d9982ed6f9832720e89b7b325c54554

Related to issue 35981: [SERQA 2847] Buttons for customer and locations are not
blocked in synchronized mode.

Added missed callback to reactivate disabled buttons.

---
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customeraddress/components/sharedcomponents.js
---
(0099983)
hgbot   
2017-10-23 09:44   
Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: e27d059326bf32decf03adf2664d78fda697fccb
Author: Miguel de Juana <miguel.dejuana <at> openbravo.com>
Date: Tue Oct 17 15:06:54 2017 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/e27d059326bf32decf03adf2664d78fda697fccb

Fixed issue 0035981: [SERQA 2847] Buttons for customer and locations are not blocked in synchronized mode.

- Disable the Save button when it is clicked, earlier than we did. There are some hooks that can take time and allow the user to wrongly press the Save button again
- Also add a double-click check to avoid pressing the Save button twice

---
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customeraddress/components/sharedcomponents.js
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customeraddress/editcreatecustomeraddress.js
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customers/components/sharedcomponents.js
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customers/editcreatecustomerform.js
---
(0099984)
hgbot   
2017-10-23 09:44   
Repository: erp/pmods/org.openbravo.retail.posterminal
Changeset: c89293205f97843b892e530578e79b43e0b4d2df
Author: Miguel de Juana <miguel.dejuana <at> openbravo.com>
Date: Wed Oct 18 10:13:15 2017 +0200
URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.posterminal/rev/c89293205f97843b892e530578e79b43e0b4d2df

Fixed issue 0035981: [SERQA 2847] Buttons for customer and locations are not blocked in synchronized mode.

- Reduce time window for double click from 1 second to 0,5 seconds. We can create a bp and immediately edit it. 0,5 is more accurate for a double click problem

---
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customeraddress/editcreatecustomeraddress.js
M web/org.openbravo.retail.posterminal/js/pointofsale/view/subwindows/customers/editcreatecustomerform.js
---
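The guard these changesets describe (disable on click before any hook runs, a 0.5 s double-click window, and re-enabling on every completion path, including the error and cancellation paths behind the related defects) can be sketched as follows. This is an added example, not code from the Openbravo repository; `createSaveGuard`, `simulate`, the `save(data, callbacks)` shape and the plain-object button are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not Openbravo's code.
const DOUBLE_CLICK_WINDOW_MS = 500; // 0.5 s, as in the last changeset

// Wraps a Save handler so one user action yields at most one backend request.
// save(data, callbacks) stands in for the hook chain plus the sync request.
function createSaveGuard(button, save, now = Date.now) {
  let inFlight = false;
  let lastClick = -Infinity;
  return function onSaveClick(data) {
    const t = now();
    const tooSoon = t - lastClick < DOUBLE_CLICK_WINDOW_MS;
    lastClick = t;
    if (inFlight || tooSoon) return false; // dropped: nothing is sent
    inFlight = true;
    button.disabled = true; // disable before any hook gets a chance to run
    let settled = false;
    const release = () => {
      if (settled) return; // tolerate a callback firing twice
      settled = true;
      inFlight = false;
      button.disabled = false;
    };
    // Every exit path must release, or the buttons stay disabled until reload.
    try {
      save(data, { success: release, error: release, cancel: release });
    } catch (err) {
      release();
      throw err;
    }
    return true;
  };
}

// Constructed scenario: rapid clicks, a slow sync, then a hook cancellation.
function simulate() {
  const button = { disabled: false };
  const requests = [];
  let clock = 0;
  const click = createSaveGuard(button, (data, cb) => requests.push(cb), () => clock);
  const accepted = [];
  for (let i = 0; i < 5; i++, clock += 50) accepted.push(click({ name: 'test' }));
  clock += 600; // outside the double-click window, request still pending
  accepted.push(click({ name: 'test' }));
  const disabledWhilePending = button.disabled;
  requests[0].cancel(); // e.g. a BeforeCustomerAddrSave hook cancels
  const disabledAfterCancel = button.disabled;
  clock += 1000;
  accepted.push(click({ name: 'test' }));
  return { sent: requests.length, accepted, disabledWhilePending, disabledAfterCancel };
}
```

A guard like this only limits duplicates produced through the UI. Requests sent to the backend outside the WebPOS client bypass it, so the server needs its own request limiting or idempotency check to address the load concern raised in the report.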
(0100014)
migueldejuana   
2017-10-24 10:04   
Last 2 commits are introduced in 18Q1. They just improve the fix done in 17Q3.
(0100052)
jorge-garcia   
2017-10-25 12:21   
Reviewed and tested.