JSONAPI PATCH Basket returns err 500 - Invalid JSON in body

Post by sixbynine » 17 Apr 2018, 14:46

Hello,

I tried to patch a basket with the JSONAPI as described in https://aimeos.org/docs/Developers/Clie ... age_basket and it was not working (returning error 500 - Invalid JSON in body).

I needed to add some small changes to make it work.
I share it with you.
Can you confirm that what I made is correct?

Code:

var data = {data: [{
    attributes: {
        "order.base.customerid": response[0]['id'], // from customer response (optional)
        "order.base.status": 1, // optional
        "order.base.comment": "test" // (optional)
    }
}]};
 
var url = response.links.self.href; // from basket response
 
if(response['meta']['csrf']) { // add CSRF token if available and therefore required
    var csrf = {};
    csrf[response['meta']['csrf']['name']] = response['meta']['csrf']['value']; 
    url += (url.indexOf('?') === -1 ? '?' : '&') + $.param(csrf);
}
 
$.ajax({
    url: url, // returned from OPTIONS request
    method: "PATCH",
    dataType: "json",
    data: data
}).done( function( result ) {
    console.log( result.data );
});
had to be changed to:

Code:

var data = {data: {
    attributes: {
        "order.base.customerid": response[0]['id'], // from customer response (optional)
        "order.base.status": 1, // optional
        "order.base.comment": "test" // (optional)
    }
}};

and

Code:

data: JSON.stringify(data)

to pass the test in ai-client-jsonapi/client/jsonapi/src/Client/JsonApi/Basket/Standard.php (L136)

Code:

if( ( $payload = json_decode( $body ) ) === null || !isset( $payload->data->attributes ) )

At that point the new customerid was still not returned in the response.

In ai-client-jsonapi/client/jsonapi/src/Client/JsonApi/Basket/Standard.php (L142)

Code:

if( isset( $payload->data->attributes->{'order.base.customerid'} ) ) {
    $basket->setCustomerId( $payload->data->attributes->{'order.base.customerid'} );
}

had to be added to return the basket with the new customerid.

Is this correct?

Note : I don't know how to update the status.

Thank you a lot,

sbn

Re: JSONAPI PATCH Basket returns err 500 - Invalid JSON in b

Post by sixbynine » 20 Apr 2018, 10:28

Actually, this change doesn't work as expected in the end... The first basket response after the PATCH request returns a response with the correct new customerid, but the next POST request to save the basket overwrites the customerid with the current session's one... so the final order is not linked to the expected new customerid but to the currently logged-in admin account.

I guess it comes from this line in the store() basket function:

$basket->setCustomerId( (string) $context->getUserId() );

What would be the best and safest way to authorize an admin account to add an order for a customer ID other than its own?

Thank you a lot,

sbn

Re: JSONAPI PATCH Basket returns err 500 - Invalid JSON in b

Post by aimeos » 21 Apr 2018, 12:20

Setting the customer ID in the frontend controller is explicitly done to prevent attackers from creating orders for others - especially using the JSON REST API. I guess you want to enable editors to add orders for customers in the admin backend. Using the JSON REST API is OK up to the order step, but storing the order has to be done in the JQAdm class where Aimeos has full control over what happens.

If you are implementing the feature described, we would love to add it to the core if you create a pull request :-)
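The two points raised in this thread, as an added example that is neither Aimeos code nor the poster's: parseBasketPatch() reproduces the Standard.php guard that rejects the array-shaped "data" payload from the docs, and resolveCustomerId() shows the rule behind store() that the customer ID comes from the authenticated context, not from the client. Both function names are hypothetical, and $contextUserId stands in for $context->getUserId().

```php
<?php
// Added example, not Aimeos code. Mirrors the JSON:API PATCH basket checks
// discussed in the thread; function names are hypothetical.

/** Validate a JSON:API PATCH body for one basket resource and return its attributes. */
function parseBasketPatch( string $body ) : \stdClass
{
    $payload = json_decode( $body );

    // Same condition as in Standard.php. When "data" is a JSON array (as in
    // the documentation example), $payload->data is a PHP array, so
    // isset( $payload->data->attributes ) is false and the request is rejected.
    if( $payload === null || !isset( $payload->data->attributes ) ) {
        throw new \InvalidArgumentException( 'Invalid JSON in body' );
    }

    if( !is_object( $payload->data->attributes ) ) {
        throw new \InvalidArgumentException( 'attributes must be a JSON object' );
    }

    return $payload->data->attributes;
}

/**
 * Return the customer ID the stored order must carry. $contextUserId is the
 * authenticated session user (what $context->getUserId() provides). A
 * client-supplied "order.base.customerid" is only logged, never honoured:
 * trusting it would let any API caller create orders on behalf of others.
 */
function resolveCustomerId( \stdClass $attributes, string $contextUserId ) : string
{
    $requested = $attributes->{'order.base.customerid'} ?? null;

    if( $requested !== null && (string) $requested !== $contextUserId ) {
        error_log( sprintf( 'basket store: ignored foreign customerid %s for user %s',
            (string) $requested, $contextUserId ) );
    }

    return $contextUserId;
}

// Constructed sample bodies: the first mirrors the failing docs example.
$arrayBody  = '{"data":[{"attributes":{"order.base.status":1}}]}';
$objectBody = '{"data":{"attributes":{"order.base.customerid":"42","order.base.status":1}}}';

try {
    parseBasketPatch( $arrayBody );
} catch( \InvalidArgumentException $e ) {
    echo $e->getMessage(), PHP_EOL;
}

echo resolveCustomerId( parseBasketPatch( $objectBody ), '7' ), PHP_EOL;
```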