How to configure and adapt Aimeos based shops as developer
Forum rules: Always add your Aimeos and PHP version as well as your environment (Linux/Mac/Win)
#6042 by sixbynine
17 Apr 2018, 14:46

I tried to patch a basket with the JSONAPI as described in ... age_basket and it was not working (returning error 500 - Invalid JSON in body).

I needed to add some small changes to make it work.
I share it with you.
Can you confirm that what I made is correct?

Code: Select allvar data = {data: [{
    attributes: {
        "order.base.customerid": response[0]['id'], // from customer response (optional)
        "order.base.status": 1, // optional
        "order.base.comment": "test" // (optional)
var url = response.links.self.href; // from basket response
if(response['meta']['csrf']) { // add CSRF token if available and therefore required
    var csrf = {};
    csrf[response['meta']['csrf']['name']] = response['meta']['csrf']['value'];
    url += (url.indexOf('?') === -1 ? '?' : '&') + $.param(csrf);
    url: url, // returned from OPTIONS request
    method: "PATCH",
    dataType: "json",
    data: data
}).done( function( result ) {
    console.log( );

had to be changed to :

Code: Select allvar data = {data: {
    attributes: {
        "order.base.customerid": response[0]['id'], // from customer response (optional)
        "order.base.status": 1, // optional
        "order.base.comment": "test" // (optional)


Code: Select all data: JSON.stringify(data)

to pass the test in ai-client-jsonapi/client/jsonapi/src/Client/JsonApi/Basket/Standard.php (L136)

Code: Select all if( ( $payload = json_decode( $body ) ) === null || !isset( $payload->data->attributes ) )

At that point the new customerid was still not returned in the response.

in ai-client-jsonapi/client/jsonapi/src/Client/JsonApi/Basket/Standard.php (L142)

Code: Select all      if( isset( $payload->data->attributes->{'order.base.customerid'} ) ) {
            $basket->setCustomerId( $payload->data->attributes->{'order.base.customerid'} );

had to be added to return the basket with the new customerid.

Is this correct?

Note : I don't know how to update the status.

Thank you a lot,

#6063 by sixbynine
20 Apr 2018, 10:28
Actually, this change doesn't work as expected at the end... The first basket reponse after the PATCH request returns a response with a correct new customerid but the next POST request to save the basket overwrites the customerid with the current session's one... so the final order is not linked to the expected new customerid but to the current admin account logged.

I guess it comes from this line in the store() basket function :

$basket->setCustomerId( (string) $context->getUserId() );

What would be the best and the safest way to authorize an admin account to add an order to another customer id than himself?

Thank you a lot,

#6068 by aimeos
21 Apr 2018, 12:20
Setting the customer ID in the frontend controller is explicitely done to prevent attackers from creating orders for others - especially using the JSON REST API. I guest, you want to enable editors to add orders for customers in the admin backend. Using the JSON REST API is OK up to the order step but storing the order has to be done in the JQAdm class where Aimeos has full control over what happens.

If you are implementing the feature described, we would love to add it to the core if you create a pull request :-)