Auftrags-Controller: PDF-Download: nur Dateien aus session_files erlauben.

[mfinanz.git] / SL / Controller / Order.pm

diff --git a/SL/Controller/Order.pm b/SL/Controller/Order.pm
index bd20669ac509beab42516ef9a35861b33a735c89..1878cc7a2681bfaf5b38680b4de261fa56bd3bdf 100644 (file)
--- a/SL/Controller/Order.pm
+++ b/SL/Controller/Order.pm
@@ -25,6 +25,7 @@ use SL::Helper::CreatePDF qw(:all);
 use List::Util qw(max first);
 use List::MoreUtils qw(none pairwise);
 use English qw(-no_match_vars);
+use File::Spec;
 
 use Rose::Object::MakeMethods::Generic
 (
@@ -119,8 +120,9 @@ sub action_create_pdf {
   $sfile->fh->print($pdf);
   $sfile->fh->close;
 
-  my $tmp_filename = $sfile->file_name;
-  my $pdf_filename = t8('Sales Order') . '_' . $self->order->ordnumber . '.pdf';
+  # get temporary session filename with stripped path
+  my (undef, undef, $tmp_filename) = File::Spec->splitpath($sfile->file_name);
+  my $pdf_filename =  t8('Sales Order') . '_' . $self->order->ordnumber . '.pdf';
 
   $self->js
     ->run('download_pdf', $tmp_filename, $pdf_filename)
@@ -130,8 +132,11 @@ sub action_create_pdf {
 sub action_download_pdf {
   my ($self) = @_;
 
+  # given tmp_filename should contain no path, so strip if any
+  my (undef, undef, $tmp_filename) = File::Spec->splitpath($::form->{tmp_filename});
+  my $tmp_filename = File::Spec->catfile(SL::SessionFile->new->get_path, $tmp_filename);
   return $self->send_file(
-    $::form->{tmp_filename},
+    $tmp_filename,
     type => 'application/pdf',
     name => $::form->{pdf_filename},
   );
@@ -490,6 +495,13 @@ sub _get_unalterable_data {
       #$item->active_price_source('');
       #$item->active_discount_source('');
     }
+
+    # autovivify all cvars that are not in the form (cvars_by_config can do it).
+    # workaround to pre-parse number-cvars (parse_custom_variable_values does not parse number values).
+    foreach my $var (@{ $item->cvars_by_config }) {
+      $var->unparsed_value($::form->parse_amount(\%::myconfig, $var->{__unparsed_value})) if ($var->config->type eq 'number' && exists($var->{__unparsed_value}));
+    }
+    $item->parse_custom_variable_values;
   }
 }
 
@@ -497,11 +509,6 @@ sub _get_unalterable_data {
 sub _save {
   my ($self) = @_;
 
-  # autovivify all cvars that are not in the form (cvars_by_config can do it)
-  foreach my $item (@{ $self->order->items }) {
-    $item->cvars_by_config;
-  }
-
   my $errors = [];
   my $db = $self->order->db;