JSONAPI PATCH Basket returns err 500 - Invalid JSON in body

Posted: 17 Apr 2018, 14:46
by sixbynine
Hello,

I tried to patch a basket with the JSONAPI as described in https://aimeos.org/docs/Developers/Clie ... age_basket and it was not working (returning error 500 - Invalid JSON in body).

I needed to add some small changes to make it work.
I share it with you.
Can you confirm that what I made is correct?

Code:

var data = {data: [{
    attributes: {
        "order.base.customerid": response[0]['id'], // from customer response (optional)
        "order.base.status": 1, // optional
        "order.base.comment": "test" // (optional)
    }
}]};
 
var url = response.links.self.href; // from basket response
 
if(response['meta']['csrf']) { // add CSRF token if available and therefore required
    var csrf = {};
    csrf[response['meta']['csrf']['name']] = response['meta']['csrf']['value']; 
    url += (url.indexOf('?') === -1 ? '?' : '&') + $.param(csrf);
}
 
$.ajax({
    url: url, // returned from OPTIONS request
    method: "PATCH",
    dataType: "json",
    data: data
}).done( function( result ) {
    console.log( result.data );
});
had to be changed to:

Code:

var data = {data: {
    attributes: {
        "order.base.customerid": response[0]['id'], // from customer response (optional)
        "order.base.status": 1, // optional
        "order.base.comment": "test" // (optional)
    }
}};

and

Code:

data: JSON.stringify(data)

to pass the test in ai-client-jsonapi/client/jsonapi/src/Client/JsonApi/Basket/Standard.php (L136)

Code:

if( ( $payload = json_decode( $body ) ) === null || !isset( $payload->data->attributes ) )
At that point the new customerid was still not returned in the response.

In ai-client-jsonapi/client/jsonapi/src/Client/JsonApi/Basket/Standard.php (L142)

Code:

if( isset( $payload->data->attributes->{'order.base.customerid'} ) ) {
	$basket->setCustomerId( $payload->data->attributes->{'order.base.customerid'} );
}
had to be added to return the basket with the new customerid.

Is this correct?

Note: I don't know how to update the status.

Thank you a lot,

sbn
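As an added example (not code from the thread or from the Aimeos project), the following replays both payload shapes against a JavaScript copy of the server-side guard quoted above and builds the PATCH request the way the corrected post does; the host name and CSRF values in the sample basket response are made up.

```javascript
// Added example, not code from the thread or from the Aimeos project.
// Mirrors the guard quoted from Basket/Standard.php:
//   json_decode($body) === null || !isset($payload->data->attributes)
// and returns true when the server would accept the request body.
function serverAcceptsBody(body) {
  var payload;
  try {
    payload = JSON.parse(body);           // form-encoded text throws here
  } catch (e) {
    return false;                         // json_decode() would return null
  }
  if (payload === null || typeof payload !== 'object') return false;
  // PHP decodes a JSON array to an array, so isset($payload->data->attributes)
  // is false for {data: [{attributes: ...}]}; only a single object passes.
  var d = payload.data;
  return d !== null && typeof d === 'object' && !Array.isArray(d)
      && d.attributes !== undefined && d.attributes !== null;
}

// Simplified emulation of what jQuery does with a plain-object `data` and no
// contentType: it form-encodes it ("data[attributes][order.base.status]=1").
function formEncode(obj, prefix) {
  return Object.keys(obj).map(function (k) {
    var key = prefix ? prefix + '[' + k + ']' : k, v = obj[k];
    return (v !== null && typeof v === 'object') ? formEncode(v, key)
         : encodeURIComponent(key) + '=' + encodeURIComponent(v);
  }).join('&');
}

// Builds the PATCH request as the corrected post does: one resource object,
// JSON.stringify'd body, CSRF token from meta.csrf appended to the self link.
function buildBasketPatch(basketResponse, attributes) {
  var url = basketResponse.links.self.href;
  if (basketResponse.meta && basketResponse.meta.csrf) {
    var csrf = basketResponse.meta.csrf;
    url += (url.indexOf('?') === -1 ? '?' : '&')
         + encodeURIComponent(csrf.name) + '=' + encodeURIComponent(csrf.value);
  }
  return {
    url: url,
    method: 'PATCH',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ data: { attributes: attributes } })
  };
}
// Constructed sample basket response (hypothetical host and token values).
var sampleBasket = {
  links: { self: { href: 'https://shop.example/jsonapi/basket?id=default' } },
  meta: { csrf: { name: '_token', value: 'abc123' } }
};
```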

Re: JSONAPI PATCH Basket returns err 500 - Invalid JSON in b

Posted: 20 Apr 2018, 10:28
by sixbynine
Actually, this change doesn't work as expected in the end... The first basket response after the PATCH request returns a response with the correct new customerid, but the next POST request to save the basket overwrites the customerid with the current session's one... so the final order is not linked to the expected new customerid but to the currently logged-in admin account.

I guess it comes from this line in the store() basket function:

$basket->setCustomerId( (string) $context->getUserId() );

What would be the best and safest way to authorize an admin account to add an order to a customer id other than its own?

Thank you a lot,

sbn

Re: JSONAPI PATCH Basket returns err 500 - Invalid JSON in b

Posted: 21 Apr 2018, 12:20
by aimeos
Setting the customer ID in the frontend controller is explicitly done to prevent attackers from creating orders for others - especially using the JSON REST API. I guess you want to enable editors to add orders for customers in the admin backend. Using the JSON REST API is OK up to the order step, but storing the order has to be done in the JQAdm class, where Aimeos has full control over what happens.

If you are implementing the feature described, we would love to add it to the core if you create a pull request :-)