From a3aa513f7773ffcb00a2d63fba11771bccef18f9 Mon Sep 17 00:00:00 2001
From: rGaillard
Date: Wed, 23 Nov 2011 10:01:22 +0000
Subject: [PATCH] // ajax process off adminaccess is now in the controller
---
admin-dev/ajax.php | 82 ------
admin-dev/themes/template/access/form.tpl | 14 +-
controllers/admin/AdminAccessController.php | 98 ++++++-
controllers/admin/AdminCartsController.php | 270 +++++++++++---------
controllers/admin/AdminOrdersController.php | 25 +-
5 files changed, 269 insertions(+), 220 deletions(-)
diff --git a/admin-dev/ajax.php b/admin-dev/ajax.php
index d557916ce..8abf8ddee 100644
--- a/admin-dev/ajax.php
+++ b/admin-dev/ajax.php
@@ -996,85 +996,3 @@ if (Tools::isSubmit('ajaxUpdateTaxRule')) die(Tools::jsonEncode($output)); } -/* Update Access Tabs */ -if (Tools::isSubmit('submitAddAccess')) -{ - $perm = Tools::getValue('perm'); - if (!in_array($perm, array('view', 'add', 'edit', 'delete', 'all'))) - throw new PrestashopException('permission not exists'); - - $enabled = (int)Tools::getValue('enabled'); - $id_tab = (int)Tools::getValue('id_tab'); - $id_profile = (int)Tools::getValue('id_profile'); - $res = true; - - if ($id_tab == -1 && $perm == 'all' && $enabled == 0) - $res &= Db::getInstance()->execute(' - UPDATE `'._DB_PREFIX_.'access` - SET `view` = '.$enabled.', `add` = '.$enabled.', `edit` = '.$enabled.', `delete` = '.$enabled.' - WHERE `id_profile` = '.(int)$id_profile.' AND `id_tab` != 31 - '); - else if ($id_tab == -1 && $perm == 'all') - $res &= Db::getInstance()->execute(' - UPDATE `'._DB_PREFIX_.'access` - SET `view` = '.$enabled.', `add` = '.$enabled.', `edit` = '.$enabled.', `delete` = '.$enabled.' - WHERE `id_profile` = '.(int)$id_profile - ); - else if ($id_tab == -1) - $res &= Db::getInstance()->execute(' - UPDATE `'._DB_PREFIX_.'access` - SET `'.pSQL($perm).'` = '.$enabled.' - WHERE `id_profile` = '.(int)$id_profile - ); - else if ($perm == 'all') - $res &= Db::getInstance()->execute(' - UPDATE `'._DB_PREFIX_.'access` - SET `view` = '.$enabled.', `add` = '.$enabled.', `edit` = '.$enabled.', `delete` = '.$enabled.' - WHERE `id_tab` = '.(int)$id_tab.' - AND `id_profile` = '.(int)$id_profile - ); - else - $res &= Db::getInstance()->execute(' - UPDATE `'._DB_PREFIX_.'access` - SET `'.pSQL($perm).'` = '.$enabled.' - WHERE `id_tab` = '.(int)$id_tab.' 
- AND `id_profile` = '.(int)$id_profile - ); - $res = $res?'ok':'error'; - die($res); -} - -/* Update Access Modules */ -if (Tools::isSubmit('changeModuleAccess')) -{ - $perm = Tools::getValue('perm'); - $enabled = (int)Tools::getValue('enabled'); - $id_module = (int)Tools::getValue('id_module'); - $id_profile = (int)Tools::getValue('id_profile'); - $res = true; - - if (!in_array($perm, array('view', 'configure'))) - throw new PrestashopException('permission not exists'); - - if ($id_module == -1) - { - $res &= Db::getInstance()->execute(' - UPDATE `'._DB_PREFIX_.'module_access` - SET `'.pSQL($perm).'` = '.(int)$enabled.' - WHERE `id_profile` = '.(int)$id_profile - ); - } - else - { - $res &= Db::getInstance()->execute(' - UPDATE `'._DB_PREFIX_.'module_access` - SET `'.pSQL($perm).'` = '.(int)$enabled.' - WHERE `id_module` = '.(int)$id_module.' - AND `id_profile` = '.(int)$id_profile - ); - } - - $res = $res?'ok':'error'; - die($res); -} - diff --git a/admin-dev/themes/template/access/form.tpl b/admin-dev/themes/template/access/form.tpl index 66c859480..26bc551bc 100644 --- a/admin-dev/themes/template/access/form.tpl +++ b/admin-dev/themes/template/access/form.tpl @@ -51,7 +51,7 @@ perfect_access_js_gestion(this, perm, id_tab, tabsize, tabnumber, table); $.ajax({ - url: "ajax.php", + url: "{$link->getAdminLink('AdminAccess')}", cache: false, data : { ajaxMode : '1', @@ -59,7 +59,10 @@ id_profile: id_profile, perm: perm, enabled: enabled, - submitAddAccess: '1' + submitAddAccess: '1', + action: 'updateAccess', + ajax: '1', + token: '{getAdminToken tab='AdminAccess'}', }, success : function(res,textStatus,jqXHR) { @@ -96,7 +99,7 @@ }); $.ajax({ - url: "ajax.php", + url: "{$link->getAdminLink('AdminAccess')}", cache: false, data : { ajaxMode: '1', @@ -105,6 +108,9 @@ enabled: enabled, id_profile: id_profile, changeModuleAccess: '1', + action: 'updateModuleAccess', + ajax: '1', + token: '{getAdminToken tab='AdminAccess'}', }, success : function(res,textStatus,jqXHR) { 
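Review bot: The two `$.ajax` calls that now send `action: 'updateAccess'` and `action: 'updateModuleAccess'` set no `type` in the lines shown, so jQuery's default GET would carry a permission change, along with `token`, in the query string. Adding `type: 'POST',` next to `cache: false,` in both calls is the usual form for a state-changing request. The rest of each options object lies outside these hunks, so confirm no `type` is set further down. The trailing comma after `token: '{getAdminToken tab='AdminAccess'}',` closes an object literal and is rejected by older Internet Explorer versions; dropping it is safer.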
@@ -382,4 +388,4 @@ {/foreach} - \ No newline at end of file + diff --git a/controllers/admin/AdminAccessController.php b/controllers/admin/AdminAccessController.php index c356eb9be..861f83803 100644 --- a/controllers/admin/AdminAccessController.php +++ b/controllers/admin/AdminAccessController.php @@ -69,7 +69,8 @@ class AdminAccessController extends AdminController 'admin_profile' => (int)_PS_ADMIN_PROFILE_, 'access_edit' => $this->tabAccess['edit'], 'perms' => array('view', 'add', 'edit', 'delete'), - 'modules' => $modules + 'modules' => $modules, + 'link' => $this->context->link ); return parent::initForm(); 
@@ -97,6 +98,99 @@ class AdminAccessController extends AdminController 'url_post' => self::$currentIndex.'&token='.$this->token, )); } + + public function ajaxProcessUpdateAccess() + { + if ($this->tabAccess['edit'] != '1') + throw new PrestashopException(Tools::displayError('You do not have permission to edit here.')); + + if (Tools::isSubmit('submitAddAccess')) + { + $perm = Tools::getValue('perm'); + if (!in_array($perm, array('view', 'add', 'edit', 'delete', 'all'))) + throw new PrestashopException('permission not exists'); + + $enabled = (int)Tools::getValue('enabled'); + $id_tab = (int)Tools::getValue('id_tab'); + $id_profile = (int)Tools::getValue('id_profile'); + $res = true; + + if ($id_tab == -1 && $perm == 'all' && $enabled == 0) + $res &= Db::getInstance()->execute(' + UPDATE `'._DB_PREFIX_.'access` + SET `view` = '.(int)$enabled.', `add` = '.(int)$enabled.', `edit` = '.(int)$enabled.', `delete` = '.(int)$enabled.' + WHERE `id_profile` = '.(int)$id_profile.' AND `id_tab` != 31 + '); + else if ($id_tab == -1 && $perm == 'all') + $res &= Db::getInstance()->execute(' + UPDATE `'._DB_PREFIX_.'access` + SET `view` = '.(int)$enabled.', `add` = '.(int)$enabled.', `edit` = '.(int)$enabled.', `delete` = '.(int)$enabled.' + WHERE `id_profile` = '.(int)$id_profile + ); + else if ($id_tab == -1) + $res &= Db::getInstance()->execute(' + UPDATE `'._DB_PREFIX_.'access` + SET `'.bqSQL($perm).'` = '.(int)$enabled.' + WHERE `id_profile` = '.(int)$id_profile + ); + else if ($perm == 'all') + $res &= Db::getInstance()->execute(' + UPDATE `'._DB_PREFIX_.'access` + SET `view` = '.(int)$enabled.', `add` = '.(int)$enabled.', `edit` = '.(int)$enabled.', `delete` = '.(int)$enabled.' + WHERE `id_tab` = '.(int)$id_tab.' + AND `id_profile` = '.(int)$id_profile + ); + else + $res &= Db::getInstance()->execute(' + UPDATE `'._DB_PREFIX_.'access` + SET `'.bqSQL($perm).'` = '.(int)$enabled.' + WHERE `id_tab` = '.(int)$id_tab.' 
+ AND `id_profile` = '.(int)$id_profile + ); + $res = $res?'ok':'error'; + die($res); + } + } + + public function ajaxProcessUpdateModuleAccess() + { + if ($this->tabAccess['edit'] != '1') + throw new PrestashopException(Tools::displayError('You do not have permission to edit here.')); + /* Update Access Modules */ + + if (Tools::isSubmit('changeModuleAccess')) + { + $perm = Tools::getValue('perm'); + $enabled = (int)Tools::getValue('enabled'); + $id_module = (int)Tools::getValue('id_module'); + $id_profile = (int)Tools::getValue('id_profile'); + $res = true; + + if (!in_array($perm, array('view', 'configure'))) + throw new PrestashopException('permission not exists'); + + if ($id_module == -1) + { + $res &= Db::getInstance()->execute(' + UPDATE `'._DB_PREFIX_.'module_access` + SET `'.bqSQL($perm).'` = '.(int)$enabled.' + WHERE `id_profile` = '.(int)$id_profile + ); + } + else + { + $res &= Db::getInstance()->execute(' + UPDATE `'._DB_PREFIX_.'module_access` + SET `'.bqSQL($perm).'` = '.(int)$enabled.' + WHERE `id_module` = '.(int)$id_module.' + AND `id_profile` = '.(int)$id_profile + ); + } + + $res = $res?'ok':'error'; + die($res); + } + } /** * Get the current profile id @@ -107,4 +201,4 @@ class AdminAccessController extends AdminController { return (isset($_GET['id_profile']) && !empty($_GET['id_profile']) && is_numeric($_GET['id_profile'])) ? (int)$_GET['id_profile'] : 1; } -} \ No newline at end of file +} diff --git a/controllers/admin/AdminCartsController.php b/controllers/admin/AdminCartsController.php index 2f00e87e7..60d063460 100755 --- a/controllers/admin/AdminCartsController.php +++ b/controllers/admin/AdminCartsController.php 
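Review bot: `ajaxProcessUpdateAccess()` and `ajaxProcessUpdateModuleAccess()` check only `$this->tabAccess['edit']` and then run the UPDATE against whatever `id_profile` the request supplies. Nothing in this hunk stops an employee with edit rights on this tab from raising their own profile's rights or altering the administrator profile. `initForm()` passes `admin_profile` to the template, presumably so the form can lock that row, but that is not a server-side restriction. A guard after the `(int)` casts would close it, e.g. `if ($id_profile == (int)_PS_ADMIN_PROFILE_ || $id_profile == (int)$this->context->employee->id_profile) throw new PrestashopException('<message placeholder>');`, though whether a parent-class check already covers this is not visible here. The literal `31` in the `id_tab != 31` clause should get a comment or a named constant saying which tab is exempt from the bulk disable.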
@@ -183,179 +183,207 @@ class AdminCartsController extends AdminController public function ajaxPreProcess() { - $id_customer = (int)Tools::getValue('id_customer'); - $customer = new Customer((int)$id_customer); - $this->context->customer = $customer; - $id_cart = (int)Tools::getValue('id_cart'); - if (!$id_cart) - $id_cart = $customer->getLastCart(); - $this->context->cart = new Cart((int)$id_cart); - if (!$this->context->cart->id_customer) - $this->context->cart->id_customer = $id_customer; - if ($this->context->cart->OrderExists()) - return; - if (!$this->context->cart->id_shop) - $this->context->cart->id_shop = (int)$this->context->shop->id; - if (!$this->context->cart->id_lang) - $this->context->cart->id_lang = (($id_lang = (int)Tools::getValue('id_lang')) ? $id_lang : Configuration::get('PS_LANG_DEFAULT')); - if (!$this->context->cart->id_currency) - $this->context->cart->id_currency = (($id_currency = (int)Tools::getValue('id_currency')) ? $id_currency : Configuration::get('PS_CURRENCY_DEFAULT')); + if ($this->tabAccess['edit'] === '1') + { + $id_customer = (int)Tools::getValue('id_customer'); + $customer = new Customer((int)$id_customer); + $this->context->customer = $customer; + $id_cart = (int)Tools::getValue('id_cart'); + if (!$id_cart) + $id_cart = $customer->getLastCart(); + $this->context->cart = new Cart((int)$id_cart); + if (!$this->context->cart->id_customer) + $this->context->cart->id_customer = $id_customer; + if ($this->context->cart->OrderExists()) + return; + if (!$this->context->cart->id_shop) + $this->context->cart->id_shop = (int)$this->context->shop->id; + if (!$this->context->cart->id_lang) + $this->context->cart->id_lang = (($id_lang = (int)Tools::getValue('id_lang')) ? $id_lang : Configuration::get('PS_LANG_DEFAULT')); + if (!$this->context->cart->id_currency) + $this->context->cart->id_currency = (($id_currency = (int)Tools::getValue('id_currency')) ? 
$id_currency : Configuration::get('PS_CURRENCY_DEFAULT')); - $addresses = $customer->getAddresses((int)$this->context->cart->id_lang); - $id_address_delivery = (int)Tools::getValue('id_address_delivery'); - $id_address_invoice = (int)Tools::getValue('id_address_delivery'); - - if (!$this->context->cart->id_address_invoice && isset($addresses[0])) - $this->context->cart->id_address_invoice = (int)$addresses[0]['id_address']; - else if ($id_address_invoice) - $this->context->cart->id_address_invoice = (int)$id_address_invoice; - if (!$this->context->cart->id_address_delivery && isset($addresses[0])) - $this->context->cart->id_address_delivery = $addresses[0]['id_address']; - else if ($id_address_delivery) - $this->context->cart->id_address_delivery = (int)$id_address_delivery; - $this->context->cart->save(); - $currency = new Currency((int)$this->context->cart->id_currency); - $this->context->currency = $currency; + $addresses = $customer->getAddresses((int)$this->context->cart->id_lang); + $id_address_delivery = (int)Tools::getValue('id_address_delivery'); + $id_address_invoice = (int)Tools::getValue('id_address_delivery'); + if (!$this->context->cart->id_address_invoice && isset($addresses[0])) + $this->context->cart->id_address_invoice = (int)$addresses[0]['id_address']; + else if ($id_address_invoice) + $this->context->cart->id_address_invoice = (int)$id_address_invoice; + if (!$this->context->cart->id_address_delivery && isset($addresses[0])) + $this->context->cart->id_address_delivery = $addresses[0]['id_address']; + else if ($id_address_delivery) + $this->context->cart->id_address_delivery = (int)$id_address_delivery; + $this->context->cart->save(); + $currency = new Currency((int)$this->context->cart->id_currency); + $this->context->currency = $currency; + } } public function ajaxProcessDeleteProduct() { - $errors = array(); - if (!$id_product = (int)Tools::getValue('id_product') || !$id_product_attribute = (int)Tools::getValue('id_product_attribute')) - 
$errors[] = Tools::displayError('Invalid product'); - if (count($errors)) - die(Tools::jsonEncode($errors)); + if ($this->tabAccess['edit'] === '1') + { + $errors = array(); + if (!$id_product = (int)Tools::getValue('id_product') || !$id_product_attribute = (int)Tools::getValue('id_product_attribute')) + $errors[] = Tools::displayError('Invalid product'); + if (count($errors)) + die(Tools::jsonEncode($errors)); - if ($this->context->cart->deleteProduct($id_product, $id_product_attribute)) - echo Tools::jsonEncode($this->ajaxReturnVars()); + if ($this->context->cart->deleteProduct($id_product, $id_product_attribute)) + echo Tools::jsonEncode($this->ajaxReturnVars()); + } } public function ajaxProcessUpdateQty() { - $errors = array(); - if (!$this->context->cart->id) - return; - if ($this->context->cart->OrderExists()) - $errors[] = Tools::displayErrors('An order already placed with this cart'); - else if (!$id_product = (int)Tools::getValue('id_product') OR (!$product = new Product((int)$id_product, true, $this->context->language->id))) - $errors[] = Tools::displayError('Invalid product'); - else if (!$qty = Tools::getValue('qty') || $qty == 0) - $errors[] = Tools::displayError('Invalid quantity'); - if (($id_product_attribute = Tools::getValue('id_product_attribute')) != 0) + if ($this->tabAccess['edit'] === '1') { - if (!Product::isAvailableWhenOutOfStock($product->out_of_stock) && !Attribute::checkAttributeQty((int)$id_product_attribute, (int)$qty)) - $errors[] = Tools::displayError('There is not enough product in stock'); - } - else - if (!$product->checkQty((int)$qty)) - $errors[] = Tools::displayError('There is not enough product in stock'); - if (!$id_customization = (int)Tools::getValue('id_customization', 0) && !$product->hasAllRequiredCustomizableFields()) - $errors[] = Tools::displayError('Please fill in all required fields'); - $this->context->cart->save(); - if (!count($errors)) - { - if ((int)$qty < 0) + $errors = array(); + if 
(!$this->context->cart->id) + return; + if ($this->context->cart->OrderExists()) + $errors[] = Tools::displayErrors('An order already placed with this cart'); + else if (!$id_product = (int)Tools::getValue('id_product') OR (!$product = new Product((int)$id_product, true, $this->context->language->id))) + $errors[] = Tools::displayError('Invalid product'); + else if (!$qty = Tools::getValue('qty') || $qty == 0) + $errors[] = Tools::displayError('Invalid quantity'); + if (($id_product_attribute = Tools::getValue('id_product_attribute')) != 0) { - $qty = str_replace('-', '', $qty); - $operator = 'down'; + if (!Product::isAvailableWhenOutOfStock($product->out_of_stock) && !Attribute::checkAttributeQty((int)$id_product_attribute, (int)$qty)) + $errors[] = Tools::displayError('There is not enough product in stock'); } else - $operator = 'up'; - if (!($qty_upd = $this->context->cart->updateQty($qty, $id_product, (int)$id_product_attribute, (int)$id_customization, 0, $operator))) - $errors[] = Tools::displayError('You already have the maximum quantity available for this product.'); + if (!$product->checkQty((int)$qty)) + $errors[] = Tools::displayError('There is not enough product in stock'); + if (!$id_customization = (int)Tools::getValue('id_customization', 0) && !$product->hasAllRequiredCustomizableFields()) + $errors[] = Tools::displayError('Please fill in all required fields'); + $this->context->cart->save(); + if (!count($errors)) + { + if ((int)$qty < 0) + { + $qty = str_replace('-', '', $qty); + $operator = 'down'; + } + else + $operator = 'up'; + if (!($qty_upd = $this->context->cart->updateQty($qty, $id_product, (int)$id_product_attribute, (int)$id_customization, 0, $operator))) + $errors[] = Tools::displayError('You already have the maximum quantity available for this product.'); + } + + echo Tools::jsonEncode(array_merge($this->ajaxReturnVars(), array('errors' => $errors))); } - - echo Tools::jsonEncode(array_merge($this->ajaxReturnVars(), array('errors' => 
$errors))); - } public function ajaxProcessUpdateCarrier() { - if (Validate::isBool(($recyclable = (int)Tools::getValue('recyclable')))) - $this->context->cart->recyclable = $recyclable; - if (Validate::isBool(($gift = (int)Tools::getValue('gift')))) - $this->context->cart->gift = $gift; - if (Validate::isMessage(($gift_message = pSQL(Tools::getValue('gift_message'))))) - $this->context->cart->gift_message = $gift_message; - $this->context->cart->save(); - echo Tools::jsonEncode($this->ajaxReturnVars()); + if ($this->tabAccess['edit'] === '1') + { + if (Validate::isBool(($recyclable = (int)Tools::getValue('recyclable')))) + $this->context->cart->recyclable = $recyclable; + if (Validate::isBool(($gift = (int)Tools::getValue('gift')))) + $this->context->cart->gift = $gift; + if (Validate::isMessage(($gift_message = pSQL(Tools::getValue('gift_message'))))) + $this->context->cart->gift_message = $gift_message; + $this->context->cart->save(); + echo Tools::jsonEncode($this->ajaxReturnVars()); + } } public function ajaxProcessUpdateCurrency() { - $currency = new Currency((int)Tools::getValue('id_currency')); - if (Validate::isLoadedObject($currency) && !$currency->deleted && $currency->active) + if ($this->tabAccess['edit'] === '1') { - $this->context->cart->id_currency = (int)$currency->id; - $this->context->cart->save(); + $currency = new Currency((int)Tools::getValue('id_currency')); + if (Validate::isLoadedObject($currency) && !$currency->deleted && $currency->active) + { + $this->context->cart->id_currency = (int)$currency->id; + $this->context->cart->save(); + } + echo Tools::jsonEncode($this->ajaxReturnVars()); } - echo Tools::jsonEncode($this->ajaxReturnVars()); } public function ajaxProcessUpdateLang() { - $lang = new Language((int)Tools::getValue('id_lang')); - if (Validate::isLoadedObject($lang) && $lang->active) + if ($this->tabAccess['edit'] === '1') { - $this->context->cart->id_lang = (int)$lang->id; - $this->context->cart->save(); + $lang = new 
Language((int)Tools::getValue('id_lang')); + if (Validate::isLoadedObject($lang) && $lang->active) + { + $this->context->cart->id_lang = (int)$lang->id; + $this->context->cart->save(); + } + echo Tools::jsonEncode($this->ajaxReturnVars()); } - echo Tools::jsonEncode($this->ajaxReturnVars()); } public function ajaxProcessDuplicateOrder() { - $errors = array(); - if (!$id_order = Tools::getValue('id_order')) - $errors[] = Tools::displayErrors('Invalid order'); - $cart = Cart::getCartByOrderId($id_order); - $new_cart = $cart->duplicate(); - if (!$new_cart || !Validate::isLoadedObject($new_cart['cart'])) - $errors[] = Tools::displayError('The order cannot be renewed'); - else if (!$new_cart['success']) - $errors[] = Tools::displayError('The order cannot be renewed'); - else + if ($this->tabAccess['edit'] === '1') { - $this->context->cart = $new_cart['cart']; - echo Tools::jsonEncode($this->ajaxReturnVars()); + $errors = array(); + if (!$id_order = Tools::getValue('id_order')) + $errors[] = Tools::displayErrors('Invalid order'); + $cart = Cart::getCartByOrderId($id_order); + $new_cart = $cart->duplicate(); + if (!$new_cart || !Validate::isLoadedObject($new_cart['cart'])) + $errors[] = Tools::displayError('The order cannot be renewed'); + else if (!$new_cart['success']) + $errors[] = Tools::displayError('The order cannot be renewed'); + else + { + $this->context->cart = $new_cart['cart']; + echo Tools::jsonEncode($this->ajaxReturnVars()); + } } } public function ajaxProcessDeleteVoucher() { - if ($this->context->cart->removeCartRule((int)Tools::getValue('id_cart_rule'))) - echo Tools::jsonEncode($this->ajaxReturnVars()); + if ($this->tabAccess['edit'] === '1') + { + if ($this->context->cart->removeCartRule((int)Tools::getValue('id_cart_rule'))) + echo Tools::jsonEncode($this->ajaxReturnVars()); + } } public function ajaxProcessAddVoucher() { - $errors = array(); - $customer = new Customer((int)$this->context->cart->id_customer); + if ($this->tabAccess['edit'] === '1') + 
{ + $errors = array(); + $customer = new Customer((int)$this->context->cart->id_customer); - if (!$id_cart_rule = Tools::getValue('id_cart_rule') OR !$cart_rule = new CartRule((int)$id_cart_rule)) - $errors[] = Tools::displayError('Invalid voucher'); - else if ($err = $cart_rule->checkValidity($this->context)) - $errors[] = $err; - if (!count($errors)) - if (!$this->context->cart->addCartRule((int)$cart_rule->id)) - $errors[] = Tools::displayError('Can\'t add the voucher'); - echo Tools::jsonEncode(array_merge($this->ajaxReturnVars(), array('errors' => $errors))); + if (!$id_cart_rule = Tools::getValue('id_cart_rule') OR !$cart_rule = new CartRule((int)$id_cart_rule)) + $errors[] = Tools::displayError('Invalid voucher'); + else if ($err = $cart_rule->checkValidity($this->context)) + $errors[] = $err; + if (!count($errors)) + if (!$this->context->cart->addCartRule((int)$cart_rule->id)) + $errors[] = Tools::displayError('Can\'t add the voucher'); + echo Tools::jsonEncode(array_merge($this->ajaxReturnVars(), array('errors' => $errors))); + } } public function ajaxProcessUpdateAddresses() { - if (($id_address_delivery = (int)Tools::getValue('id_address_delivery')) && - $address_delivery = new Address((int)$id_address_delivery) && - $address_delivery->id_customer = $this->context->cart->id_customer) - $this->context->cart->id_address_delivery = (int)$address_delivery->id; + if ($this->tabAccess['edit'] === '1') + { + if (($id_address_delivery = (int)Tools::getValue('id_address_delivery')) && + $address_delivery = new Address((int)$id_address_delivery) && + $address_delivery->id_customer = $this->context->cart->id_customer) + $this->context->cart->id_address_delivery = (int)$address_delivery->id; - if (($id_address_invoice = (int)Tools::getValue('id_address_invoice')) && - $address_invoice = new Address((int)$id_address_invoice) && - $address_invoice->id_customer = $this->context->cart->id_customer) - $this->context->cart->id_address_invoice = (int)$address_invoice->id; 
- $this->context->cart->save(); + if (($id_address_invoice = (int)Tools::getValue('id_address_invoice')) && + $address_invoice = new Address((int)$id_address_invoice) && + $address_invoice->id_customer = $this->context->cart->id_customer) + $this->context->cart->id_address_invoice = (int)$address_invoice->id; + $this->context->cart->save(); - echo Tools::jsonEncode($this->ajaxReturnVars()); + echo Tools::jsonEncode($this->ajaxReturnVars()); + } } protected function getCartSummary() diff --git a/controllers/admin/AdminOrdersController.php b/controllers/admin/AdminOrdersController.php index bed6d5ccc..6c54f61c4 100755 --- a/controllers/admin/AdminOrdersController.php +++ b/controllers/admin/AdminOrdersController.php 
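Review bot: In `ajaxProcessUpdateAddresses()` the ownership test `$address_delivery->id_customer = $this->context->cart->id_customer` (and the matching `$address_invoice` line) is an assignment, not a comparison, so the re-indented code still does not verify that the submitted address belongs to the cart's customer. Because `=` binds more loosely than `&&`, `$address_delivery = new Address(...) && ...` also stores a boolean rather than the Address object. Splitting it up fixes both: `$address_delivery = new Address($id_address_delivery);` followed by `if (Validate::isLoadedObject($address_delivery) && (int)$address_delivery->id_customer === (int)$this->context->cart->id_customer)`. `ajaxPreProcess()` has a related slip, where `$id_address_invoice` is read from `'id_address_delivery'`. Separately, every handler in this hunk now returns an empty body when `tabAccess['edit']` is not `'1'`, whereas AdminAccessController throws; an explicit JSON error would make denials visible to the caller.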
@@ -604,20 +604,23 @@ class AdminOrdersControllerCore extends AdminController public function ajaxProcessSendMailValidateOrder() { - $errors = array(); - $cart = new Cart((int)Tools::getValue('id_cart')); - if (Validate::isLoadedObject($cart)) + if ($this->tabAccess['edit'] === '1') { - $customer = new Customer((int)$cart->id_customer); - if (Validate::isLoadedObject($customer)) + $errors = array(); + $cart = new Cart((int)Tools::getValue('id_cart')); + if (Validate::isLoadedObject($cart)) { - $mailVars = array('{order_link}' => Context::getContext()->link->getPageLink('order', false, (int)$cart->id_lang, 'step=3&recover_cart='.(int)$cart->id.'&token_cart='.md5(_COOKIE_KEY_.'recover_cart_'.(int)$cart->id)), - '{firstname}' => $customer->firstname, - '{lastname}' => $customer->lastname,); - if (Mail::Send((int)$cart->id_lang, 'backoffice_order', Mail::l('Process the payment of your order'), $mailVars, $customer->email, $customer->firstname.' '.$customer->lastname, NULL, NULL, NULL, NULL,_PS_MAIL_DIR_, true)) - die(Tools::jsonEncode(array('errors' => false, 'result' => $this->l('The mail was sent to your customer.')))); + $customer = new Customer((int)$cart->id_customer); + if (Validate::isLoadedObject($customer)) + { + $mailVars = array('{order_link}' => Context::getContext()->link->getPageLink('order', false, (int)$cart->id_lang, 'step=3&recover_cart='.(int)$cart->id.'&token_cart='.md5(_COOKIE_KEY_.'recover_cart_'.(int)$cart->id)), + '{firstname}' => $customer->firstname, + '{lastname}' => $customer->lastname,); + if (Mail::Send((int)$cart->id_lang, 'backoffice_order', Mail::l('Process the payment of your order'), $mailVars, $customer->email, $customer->firstname.' 
'.$customer->lastname, NULL, NULL, NULL, NULL,_PS_MAIL_DIR_, true)) + die(Tools::jsonEncode(array('errors' => false, 'result' => $this->l('The mail was sent to your customer.')))); + } } + $this->content = Tools::jsonEncode(array('errors' => true, 'result' => $this->l('Error in sending the email to your customer.'))); } - $this->content = Tools::jsonEncode(array('errors' => true, 'result' => $this->l('Error in sending the email to your customer.'))); } }
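Review bot: The recovery link built in `$mailVars` authenticates the customer with `md5(_COOKIE_KEY_.'recover_cart_'.(int)$cart->id)`, which is identical on every send for a given cart and derives from the shop-wide key with a plain hash rather than a keyed MAC. A keyed construction such as `hash_hmac('sha256', 'recover_cart_'.(int)$cart->id, _COOKIE_KEY_)` would be the safer form, but the front-office code that checks `token_cart` is outside this diff and would have to change in step. The fallback that sets `$this->content` to the "Error in sending the email" response now sits inside the `if`, so a caller without edit rights gets no JSON at all. An `else` branch that sets the same `array('errors' => true, ...)` shape would keep the response consistent. `$errors` is assigned but never used in the lines shown.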