Fix critical UX bugs and add missing UI for F01-F04 mandatory features

- F01: Add Access Logs + Payment History nav links to profile sidebar
- F02: Fix Edit product 405 error - add doGet() to UpdateProductController;
       unify manage-product-form.jsp for create/edit modes;
       fix redirect URLs /manage/products -> /api/manage/products
- F03: Add Edit Order UI (order-edit.jsp + OrderEditController) for pending orders;
       add Cancel Order button on orderList.jsp with stock restoration
- F04: Create payment-list.jsp and payment-view.jsp (were missing entirely);
       fix CheckoutController (@WebServlet annotation + payment record creation)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: salieri009

src/main/java/controller/CheckoutController.java

@@ -8,6 +8,7 @@
 import java.util.List;
 
 import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -17,18 +18,24 @@
 import dao.CartItemDAO;
 import dao.OrderDAO;
 import dao.OrderProductDAO;
+import dao.PaymentDAO;
+import dao.PaymentDetailDAO;
 import dao.interfaces.ProductDAO;
 import model.CartItem;
 import model.Order;
 import model.OrderProduct;
+import model.Payment;
+import model.PaymentDetail;
 import model.User;
 
-// Note: Mapped in web.xml to avoid conflicts
-public class CheckoutController extends HttpServlet{
+@WebServlet("/checkout")
+public class CheckoutController extends HttpServlet {
     private OrderDAO orderDAO;
     private CartItemDAO cartItemDao;
     private OrderProductDAO orderProductDAO;
     private ProductDAO productDAO;
+    private PaymentDAO paymentDAO;
+    private PaymentDetailDAO paymentDetailDAO;
 
     @Override
     public void init() throws ServletException {
@@ -38,6 +45,8 @@ public void init() throws ServletException {
             cartItemDao = new CartItemDAO(connection);
             orderProductDAO = new OrderProductDAO(connection);
             productDAO = DIContainer.get(ProductDAO.class);
+            paymentDAO = new PaymentDAO(connection);
+            paymentDetailDAO = new PaymentDetailDAO(connection);
         } catch (Exception e) {
             throw new ServletException("Failed to initialize CheckoutController", e);
         }
@@ -230,6 +239,41 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
             utils.ErrorAction.logSecurityEvent("ORDER_CREATED", request,
                     "Order created for user: " + userId + ", Total: " + totalAmount);
 
+            // Create payment record
+            BigDecimal shipping = BigDecimal.valueOf(9.95);
+            BigDecimal tax = totalAmount.multiply(BigDecimal.valueOf(0.10));
+            BigDecimal grandTotal = totalAmount.add(shipping).add(tax);
+
+            String paymentMethod = utils.SecurityUtil.getValidatedStringParameter(request, "paymentMethod", 50);
+            if (paymentMethod == null || paymentMethod.trim().isEmpty()) {
+                paymentMethod = "Credit Card";
+            }
+
+            Payment payment = new Payment();
+            payment.setOrderId(orderId);
+            payment.setUserId(user != null ? user.getId() : userId);
+            payment.setAmount(grandTotal);
+            payment.setPaymentMethod(paymentMethod);
+            payment.setPaymentDate(LocalDateTime.now());
+            payment.setStatus("PENDING");
+
+            int paymentId = paymentDAO.createPayment(payment);
+
+            // Store card details if provided (masked)
+            String cardNumber = utils.SecurityUtil.getValidatedStringParameter(request, "cardNumber", 20);
+            String expiryDate = utils.SecurityUtil.getValidatedStringParameter(request, "expiryDate", 10);
+            String cardHolderName = utils.SecurityUtil.getValidatedStringParameter(request, "cardHolderName", 100);
+            if (cardNumber != null && !cardNumber.trim().isEmpty()) {
+                PaymentDetail detail = new PaymentDetail();
+                detail.setPaymentId(paymentId);
+                detail.setUserId(user != null ? user.getId() : userId);
+                detail.setCardNumber(maskCardNumber(cardNumber));
+                detail.setExpiryDate(expiryDate);
+                detail.setCardHolderName(cardHolderName);
+                detail.setCardType(detectCardType(cardNumber));
+                paymentDetailDAO.createPaymentDetail(detail);
+            }
+
             // Clear cart after checkout
             cartItemDao.clearCartByUserId(userId);
 
@@ -244,4 +288,18 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
             utils.ErrorAction.handleServerError(request, response, e, "CheckoutController.doPost");
         }
     }
+
+    private String maskCardNumber(String cardNumber) {
+        if (cardNumber == null || cardNumber.length() < 4) return cardNumber;
+        return "**** **** **** " + cardNumber.substring(cardNumber.length() - 4);
+    }
+
+    private String detectCardType(String cardNumber) {
+        if (cardNumber == null || cardNumber.isEmpty()) return "UNKNOWN";
+        String cleaned = cardNumber.replaceAll("[\\s-]", "");
+        if (cleaned.matches("^4[0-9]{12}(?:[0-9]{3})?$")) return "VISA";
+        if (cleaned.matches("^5[1-5][0-9]{14}$")) return "MASTERCARD";
+        if (cleaned.matches("^3[47][0-9]{13}$")) return "AMEX";
+        return "OTHER";
+    }
 }

src/main/java/controller/DeleteProductController.java

@@ -56,7 +56,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
         try {
             int id = utils.SecurityUtil.getValidatedIntParameter(request, "id", 1, Integer.MAX_VALUE);
             productDAO.deleteProduct(id);
-            response.sendRedirect(request.getContextPath() + "/manage/products");
+            response.sendRedirect(request.getContextPath() + "/api/manage/products");
         } catch (SQLException e) {
             utils.ErrorAction.handleDatabaseError(request, response, e, "DeleteProductController.doPost");
         } catch (IllegalArgumentException e) {

src/main/java/controller/ManageProductController.java

@@ -143,7 +143,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
             utils.ErrorAction.logSecurityEvent("PRODUCT_CREATED", request,
                     "Product created: " + name);
 
-            response.sendRedirect(request.getContextPath() + "/manage/products");
+            response.sendRedirect(request.getContextPath() + "/api/manage/products");
 
         } catch (IllegalArgumentException e) {
             utils.ErrorAction.handleValidationError(request, response, e.getMessage(),

src/main/java/controller/OrderEditController.java

@@ -0,0 +1,236 @@
+package controller;
+
+import java.io.IOException;
+import java.math.BigDecimal;
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import config.DIContainer;
+import dao.OrderDAO;
+import dao.OrderProductDAO;
+import dao.interfaces.ProductDAO;
+import model.Order;
+import model.OrderProduct;
+import model.Product;
+import model.User;
+
+@WebServlet("/order/*")
+public class OrderEditController extends HttpServlet {
+
+    private OrderDAO orderDAO;
+    private OrderProductDAO orderProductDAO;
+    private ProductDAO productDAO;
+
+    @Override
+    public void init() throws ServletException {
+        try {
+            Connection conn = DIContainer.getConnection();
+            orderDAO = new OrderDAO(conn);
+            orderProductDAO = new OrderProductDAO(conn);
+            productDAO = DIContainer.get(ProductDAO.class);
+        } catch (Exception e) {
+            throw new ServletException("Failed to initialize OrderEditController", e);
+        }
+    }
+
+    @Override
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+
+        HttpSession session = request.getSession(false);
+        if (session == null) {
+            response.sendRedirect(request.getContextPath() + "/login.jsp");
+            return;
+        }
+        Object userObj = session.getAttribute("user");
+        if (!(userObj instanceof User)) {
+            response.sendRedirect(request.getContextPath() + "/login.jsp");
+            return;
+        }
+        User user = (User) userObj;
+
+        String pathInfo = request.getPathInfo();
+        if ("/edit".equals(pathInfo)) {
+            showEditForm(request, response, user);
+        } else {
+            response.sendError(HttpServletResponse.SC_NOT_FOUND);
+        }
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+
+        HttpSession session = request.getSession(false);
+        if (session == null) {
+            response.sendRedirect(request.getContextPath() + "/login.jsp");
+            return;
+        }
+        Object userObj = session.getAttribute("user");
+        if (!(userObj instanceof User)) {
+            response.sendRedirect(request.getContextPath() + "/login.jsp");
+            return;
+        }
+        User user = (User) userObj;
+
+        if (!utils.SecurityUtil.validateCSRFToken(request)) {
+            utils.ErrorAction.handleValidationError(request, response,
+                    "CSRF token validation failed", "OrderEditController.doPost");
+            return;
+        }
+
+        String pathInfo = request.getPathInfo();
+        if ("/update".equals(pathInfo)) {
+            processUpdate(request, response, user);
+        } else {
+            response.sendError(HttpServletResponse.SC_NOT_FOUND);
+        }
+    }
+
+    private void showEditForm(HttpServletRequest request, HttpServletResponse response, User user)
+            throws ServletException, IOException {
+        try {
+            int orderId = utils.SecurityUtil.getValidatedIntParameter(request, "orderId", 1, Integer.MAX_VALUE);
+            Order order = orderDAO.getOrderById(orderId);
+
+            if (order == null || order.getUserId() != user.getId()) {
+                utils.ErrorAction.handleAuthorizationError(request, response, "OrderEditController.showEditForm");
+                return;
+            }
+
+            if (!"Pending".equalsIgnoreCase(order.getStatus()) && !"PENDING".equalsIgnoreCase(order.getStatus())) {
+                request.setAttribute("error", "Only pending orders can be edited.");
+                request.setAttribute("order", order);
+                request.getRequestDispatcher("/order-edit.jsp").forward(request, response);
+                return;
+            }
+
+            List<OrderProduct> rawItems = orderProductDAO.getProductsByOrderId(orderId);
+            List<Map<String, Object>> enrichedItems = new ArrayList<>();
+            for (OrderProduct op : rawItems) {
+                java.util.HashMap<String, Object> item = new java.util.HashMap<>();
+                item.put("productId", op.getProductId());
+                item.put("quantity", op.getQuantity());
+                item.put("priceAtOrderTime", op.getPriceAtOrderTime());
+                try {
+                    Product p = productDAO.getProductById(op.getProductId());
+                    item.put("productName", p != null ? p.getName() : "Product #" + op.getProductId());
+                    item.put("stock", p != null ? p.getStockQuantity() : 0);
+                } catch (Exception ex) {
+                    item.put("productName", "Product #" + op.getProductId());
+                    item.put("stock", 0);
+                }
+                enrichedItems.add(item);
+            }
+
+            request.setAttribute("order", order);
+            request.setAttribute("orderItems", enrichedItems);
+            request.getRequestDispatcher("/order-edit.jsp").forward(request, response);
+
+        } catch (Exception e) {
+            utils.ErrorAction.handleServerError(request, response, e, "OrderEditController.showEditForm");
+        }
+    }
+
+    private void processUpdate(HttpServletRequest request, HttpServletResponse response, User user)
+            throws ServletException, IOException {
+        try {
+            int orderId = utils.SecurityUtil.getValidatedIntParameter(request, "orderId", 1, Integer.MAX_VALUE);
+            Order order = orderDAO.getOrderById(orderId);
+
+            if (order == null || order.getUserId() != user.getId()) {
+                utils.ErrorAction.handleAuthorizationError(request, response, "OrderEditController.processUpdate");
+                return;
+            }
+
+            if (!"Pending".equalsIgnoreCase(order.getStatus()) && !"PENDING".equalsIgnoreCase(order.getStatus())) {
+                response.sendRedirect(request.getContextPath() + "/orderhistory?error=Order+cannot+be+modified");
+                return;
+            }
+
+            String[] productIds = request.getParameterValues("productId");
+            if (productIds == null || productIds.length == 0) {
+                response.sendRedirect(request.getContextPath() + "/orderhistory");
+                return;
+            }
+
+            BigDecimal newTotal = BigDecimal.ZERO;
+
+            for (String productIdStr : productIds) {
+                int productId = Integer.parseInt(productIdStr);
+                String qtyStr = request.getParameter("quantity_" + productId);
+                if (qtyStr == null) continue;
+
+                int newQty = Integer.parseInt(qtyStr);
+
+                // Get current order product
+                List<OrderProduct> existing = orderProductDAO.getProductsByOrderId(orderId);
+                OrderProduct current = null;
+                for (OrderProduct op : existing) {
+                    if (op.getProductId() == productId) {
+                        current = op;
+                        break;
+                    }
+                }
+                if (current == null) continue;
+
+                int oldQty = current.getQuantity();
+                int diff = newQty - oldQty;
+
+                if (newQty <= 0) {
+                    // Remove item and restore stock
+                    orderProductDAO.deleteOrderProduct(orderId, productId);
+                    if (oldQty > 0) {
+                        productDAO.increaseStock(productId, oldQty);
+                    }
+                } else {
+                    if (diff > 0) {
+                        // Increasing quantity - check stock
+                        Product p = productDAO.getProductById(productId);
+                        if (p == null || p.getStockQuantity() < diff) {
+                            response.sendRedirect(request.getContextPath()
+                                    + "/order/edit?orderId=" + orderId
+                                    + "&error=Insufficient+stock+for+product+" + productId);
+                            return;
+                        }
+                        productDAO.decreaseStock(productId, diff);
+                    } else if (diff < 0) {
+                        // Decreasing quantity - restore stock
+                        productDAO.increaseStock(productId, -diff);
+                    }
+                    current.setQuantity(newQty);
+                    orderProductDAO.updateOrderProduct(current);
+                    newTotal = newTotal.add(BigDecimal.valueOf(current.getPriceAtOrderTime() * newQty));
+                }
+            }
+
+            // Recalculate order total
+            List<OrderProduct> remaining = orderProductDAO.getProductsByOrderId(orderId);
+            if (remaining.isEmpty()) {
+                // No items left - cancel order
+                order.setStatus("Cancelled");
+            }
+            BigDecimal total = BigDecimal.ZERO;
+            for (OrderProduct op : remaining) {
+                total = total.add(BigDecimal.valueOf(op.getPriceAtOrderTime() * op.getQuantity()));
+            }
+            order.setTotalAmount(total);
+            orderDAO.updateOrder(order);
+
+            response.sendRedirect(request.getContextPath() + "/orderhistory");
+
+        } catch (Exception e) {
+            utils.ErrorAction.handleServerError(request, response, e, "OrderEditController.processUpdate");
+        }
+    }
+}

src/main/java/controller/PaymentController.java

@@ -148,6 +148,8 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
                 createPayment(request, response, user);
             } else if (pathInfo.equals("/update")) {
                 updatePayment(request, response, user);
+            } else if (pathInfo.equals("/delete")) {
+                deletePaymentPost(request, response, user);
             } else {
                 response.sendError(HttpServletResponse.SC_NOT_FOUND);
             }
@@ -215,6 +217,25 @@ private void listPayments(HttpServletRequest request, HttpServletResponse respon
         request.getRequestDispatcher("/payment-list.jsp").forward(request, response);
     }
 
+    private void deletePaymentPost(HttpServletRequest request, HttpServletResponse response, User user)
+            throws Exception {
+        int paymentId = utils.SecurityUtil.getValidatedIntParameter(request, "paymentId", 1, Integer.MAX_VALUE);
+        Payment payment = paymentDAO.getPaymentById(paymentId);
+
+        if (payment == null || !payment.getUserId().equals(user.getId())) {
+            utils.ErrorAction.handleAuthorizationError(request, response, "PaymentController.deletePaymentPost");
+            return;
+        }
+        if (!"PENDING".equals(payment.getStatus())) {
+            request.setAttribute("error", "Only PENDING payments can be deleted.");
+            searchPayments(request, response, user);
+            return;
+        }
+        paymentDetailDAO.deleteByPaymentId(paymentId);
+        paymentDAO.deletePayment(paymentId);
+        response.sendRedirect(request.getContextPath() + "/api/payment/?success=Payment+deleted");
+    }
+
     private void viewPayment(HttpServletRequest request, HttpServletResponse response, User user, int paymentId)
             throws Exception {
         Payment payment = paymentDAO.getPaymentById(paymentId);