Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/03/14 07:49:49 UTC
[ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/trunk by this push:
new e72e134 Improved: "auth" should be true for all the request url used for Application components
e72e134 is described below
commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Mar 14 08:49:54 2020 +0100
Improved: "auth" should be true for all the request url used for Application
components
(OFBIZ-4956)
Currently there are some URLs present in application components with
auth="false". So anyone can hit these URLs and access these resources without
authorization.
I think all the URLs should be secure with auth="true"
Thanks: Amardeep Singh Jhajj for report and initial fix
---
ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 5f7031c..27a0383 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1605,7 +1605,7 @@ under the License.
</request-map>
<request-map uri="getAssociatedStateList">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
<event type="service" invoke="getAssociatedStateList"/>
<response name="success" type="request" value="json"/>
<response name="error" type="request" value="json"/>
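Review bot: flipping `auth="false"` to `auth="true"` on `getAssociatedStateList` adds an authentication gate without stating who the intended callers are, and by its name and the replies in this thread the request is a country-to-state lookup that anonymous ecommerce pages (guest checkout address forms, new customer registration) call, so the change locks guests out rather than protecting sensitive data. The commit message describes the issue as "access these resources without authorization", but the hunk only changes whether a login is required; if the service returns public reference data, `https="true"` with `auth="false"` is a defensible setting for the storefront, and a second, authenticated request-map can serve the back-office applications, which is the split the author proposes later in the thread. Suggest recording in the commit message which request-maps are intentionally anonymous and why, so the next audit of `auth="false"` entries does not repeat this regression.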
Re: Fwd: Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components
Posted by Jacques Le Roux <ja...@les7arts.com>.
Oops, right indeed, I did not think about the anon checkout flow in ecommerce.
I think I'll duplicate and make one only false in ecommerce
Jacques
On 16/03/2020 at 09:21, Jacques Le Roux wrote:
>
> Hi Deepak,
>
> Yes, I wondered about that too, but in which case/s do you think getAssociatedStateList can be requested w/o being authenticated?
>
> Thanks
>
> Jacques
>
> On 16/03/2020 at 06:49, Deepak Dixit wrote:
>> Hi Jacques,
>>
>> I think we can't make auth true for getAssociatedStateList; this will break the anon checkout flow.
>>
>> Thanks & Regards
>> --
>> Deepak Dixit
>> ofbiz.apache.org <http://ofbiz.apache.org>
>>
>>
>> On Sat, Mar 14, 2020 at 1:19 PM <jleroux@apache.org <ma...@apache.org>> wrote:
>>
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> jleroux pushed a commit to branch trunk
>> in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
>>
>>
>> The following commit(s) were added to refs/heads/trunk by this push:
>> new e72e134 Improved: "auth" should be true for all the request url used for Application components
>> e72e134 is described below
>>
>> commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
>> Author: Jacques Le Roux <jacques.le.roux@les7arts.com <ma...@les7arts.com>>
>> AuthorDate: Sat Mar 14 08:49:54 2020 +0100
>>
>> Improved: "auth" should be true for all the request url used for Application
>> components
>>
>> (OFBIZ-4956)
>>
>> Currently there are some URLs present in application components with
>> auth="false". So anyone can hit these URLs and access these resources without
>> authorization.
>>
>> I think all the URLs should be secure with auth="true"
>>
>> Thanks: Amardeep Singh Jhajj for report and initial fix
>> ---
>> ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> index 5f7031c..27a0383 100644
>> --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> @@ -1605,7 +1605,7 @@ under the License.
>> </request-map>
>>
>> <request-map uri="getAssociatedStateList">
>> - <security https="true" auth="false"/>
>> + <security https="true" auth="true"/>
>> <event type="service" invoke="getAssociatedStateList"/>
>> <response name="success" type="request" value="json"/>
>> <response name="error" type="request" value="json"/>
>>
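Jacques's follow-up above proposes keeping one anonymous request-map for the ecommerce checkout and gating the rest. What a maintainer then needs is a way to keep such exceptions visible instead of rediscovering them after a commit like this one. The following Python script is an added example, not OFBiz project code: it walks a controller.xml, lists every request-map that is not both `https="true"` and `auth="true"`, and marks URIs from an explicit allowlist as accepted so a CI check can fail on any new, unlisted anonymous endpoint. The sample document is constructed; only the `getAssociatedStateList` entry mirrors the request-map in the commit, and the `hypothetical*` request-maps are invented for illustration. How OFBiz treats a request-map with no `<security>` element at all is not verified here and is flagged as an assumption in the code.

```python
"""Audit an OFBiz-style controller.xml for request-maps reachable without
authentication (auth="false" or no <security> element) or without TLS.

Added illustration, not OFBiz project code. The sample document below is
constructed: only the getAssociatedStateList entry mirrors the request-map
in the commit; the other request-maps are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the controller.xml fragment in the commit.
# The site-conf namespace is the one real OFBiz controller files declare.
SAMPLE_CONTROLLER_XML = """<site-conf xmlns="http://ofbiz.apache.org/Site-Conf">
    <request-map uri="getAssociatedStateList">
        <security https="true" auth="false"/>
        <event type="service" invoke="getAssociatedStateList"/>
        <response name="success" type="request" value="json"/>
        <response name="error" type="request" value="json"/>
    </request-map>
    <request-map uri="main">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="main"/>
    </request-map>
    <request-map uri="hypotheticalReport">
        <security https="false" auth="false"/>
        <event type="service" invoke="hypotheticalReportService"/>
        <response name="success" type="request" value="json"/>
    </request-map>
    <request-map uri="hypotheticalNoSecurity">
        <event type="service" invoke="hypotheticalOtherService"/>
        <response name="success" type="request" value="json"/>
    </request-map>
</site-conf>
"""


def _local(tag):
    """Strip a Clark-notation namespace: '{uri}request-map' -> 'request-map'."""
    return tag.rsplit('}', 1)[-1]


def audit_controller(xml_text, allowlist=()):
    """Return one finding per request-map that is not both https="true" and
    auth="true", in document order.

    allowlist holds URIs that are deliberately anonymous (for instance helpers
    an anonymous checkout page must call); they are still listed, with
    accepted=True, so the exception stays visible in every audit run.
    A missing <security> element is reported with auth/https set to None:
    treat it as anonymous and cleartext until the defaults of the OFBiz
    version in use have been checked (assumption, not verified here).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rm in root.iter():
        if _local(rm.tag) != 'request-map':
            continue
        security = next((c for c in rm if _local(c.tag) == 'security'), None)
        event = next((c for c in rm if _local(c.tag) == 'event'), None)
        auth = security.get('auth') if security is not None else None
        https = security.get('https') if security is not None else None
        if auth == 'true' and https == 'true':
            continue  # fully gated, nothing to report
        uri = rm.get('uri')
        findings.append({
            'uri': uri,
            'auth': auth,
            'https': https,
            'invoke': event.get('invoke') if event is not None else None,
            'accepted': uri in allowlist,
        })
    return findings


def unaccepted(findings):
    """Findings that are neither fully gated nor explicitly allowlisted;
    a CI gate can fail the build when this list is non-empty."""
    return [f for f in findings if not f['accepted']]


if __name__ == '__main__':
    results = audit_controller(SAMPLE_CONTROLLER_XML,
                               allowlist=('getAssociatedStateList',))
    for f in results:
        flag = 'accepted' if f['accepted'] else 'REVIEW'
        print(f"{flag:8} uri={f['uri']} auth={f['auth']} "
              f"https={f['https']} invoke={f['invoke']}")
    print(f"{len(unaccepted(results))} request-map(s) need review")
```

Run against a real controller.xml by reading the file into `audit_controller` and passing the list of intentionally anonymous URIs as `allowlist`; anything returned by `unaccepted` is either a regression or an exception that still has to be written down.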
Fwd: Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Deepak,
Yes, I wondered about that too, but in which case/s do you think getAssociatedStateList can be requested w/o being authenticated?
Thanks
Jacques
On 16/03/2020 at 06:49, Deepak Dixit wrote:
> Hi Jacques,
>
> I think we can't make auth true for getAssociatedStateList; this will break the anon checkout flow.
>
> Thanks & Regards
> --
> Deepak Dixit
> ofbiz.apache.org <http://ofbiz.apache.org>
>
>
> On Sat, Mar 14, 2020 at 1:19 PM <jleroux@apache.org <ma...@apache.org>> wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> jleroux pushed a commit to branch trunk
> in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
>
>
> The following commit(s) were added to refs/heads/trunk by this push:
> new e72e134 Improved: "auth" should be true for all the request url used for Application components
> e72e134 is described below
>
> commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
> Author: Jacques Le Roux <jacques.le.roux@les7arts.com <ma...@les7arts.com>>
> AuthorDate: Sat Mar 14 08:49:54 2020 +0100
>
> Improved: "auth" should be true for all the request url used for Application
> components
>
> (OFBIZ-4956)
>
> Currently there are some URLs present in application components with
> auth="false". So anyone can hit these URLs and access these resources without
> authorization.
>
> I think all the URLs should be secure with auth="true"
>
> Thanks: Amardeep Singh Jhajj for report and initial fix
> ---
> ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
> index 5f7031c..27a0383 100644
> --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
> +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
> @@ -1605,7 +1605,7 @@ under the License.
> </request-map>
>
> <request-map uri="getAssociatedStateList">
> - <security https="true" auth="false"/>
> + <security https="true" auth="true"/>
> <event type="service" invoke="getAssociatedStateList"/>
> <response name="success" type="request" value="json"/>
> <response name="error" type="request" value="json"/>
>
Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components
Posted by Deepak Dixit <de...@apache.org>.
Like adding a billing/shipping address during anon checkout, new customer registration, etc.
Thanks & Regards
--
Deepak Dixit
ofbiz.apache.org
On Mon, Mar 16, 2020 at 1:14 PM Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
> Hi Deepak,
>
> Yes, I wondered about that too, but in which case/s do you think
> getAssociatedStateList can be requested w/o being authenticated?
>
> Thanks
>
> Jacques
> On 16/03/2020 at 06:49, Deepak Dixit wrote:
>
> Hi Jacques,
>
> I think we can't make auth true for getAssociatedStateList; this will
> break the anon checkout flow.
>
> Thanks & Regards
> --
> Deepak Dixit
> ofbiz.apache.org
>
>
> On Sat, Mar 14, 2020 at 1:19 PM <jl...@apache.org> wrote:
>
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> jleroux pushed a commit to branch trunk
>> in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
>>
>>
>> The following commit(s) were added to refs/heads/trunk by this push:
>> new e72e134 Improved: "auth" should be true for all the request url
>> used for Application components
>> e72e134 is described below
>>
>> commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
>> Author: Jacques Le Roux <ja...@les7arts.com>
>> AuthorDate: Sat Mar 14 08:49:54 2020 +0100
>>
>> Improved: "auth" should be true for all the request url used for
>> Application
>> components
>>
>> (OFBIZ-4956)
>>
>> Currently there are some URLs present in application components with
>> auth="false". So anyone can hit these URLs and access these resources
>> without
>> authorization.
>>
>> I think all the URLs should be secure with auth="true"
>>
>> Thanks: Amardeep Singh Jhajj for report and initial fix
>> ---
>> ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> index 5f7031c..27a0383 100644
>> --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> @@ -1605,7 +1605,7 @@ under the License.
>> </request-map>
>>
>> <request-map uri="getAssociatedStateList">
>> - <security https="true" auth="false"/>
>> + <security https="true" auth="true"/>
>> <event type="service" invoke="getAssociatedStateList"/>
>> <response name="success" type="request" value="json"/>
>> <response name="error" type="request" value="json"/>
>>
>>
Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components
Posted by Deepak Dixit <de...@apache.org>.
Hi Jacques,
I think we can't make auth true for getAssociatedStateList; this will break
the anon checkout flow.
Thanks & Regards
--
Deepak Dixit
ofbiz.apache.org
On Sat, Mar 14, 2020 at 1:19 PM <jl...@apache.org> wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> jleroux pushed a commit to branch trunk
> in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
>
>
> The following commit(s) were added to refs/heads/trunk by this push:
> new e72e134 Improved: "auth" should be true for all the request url
> used for Application components
> e72e134 is described below
>
> commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
> Author: Jacques Le Roux <ja...@les7arts.com>
> AuthorDate: Sat Mar 14 08:49:54 2020 +0100
>
> Improved: "auth" should be true for all the request url used for
> Application
> components
>
> (OFBIZ-4956)
>
> Currently there are some URLs present in application components with
> auth="false". So anyone can hit these URLs and access these resources
> without
> authorization.
>
> I think all the URLs should be secure with auth="true"
>
> Thanks: Amardeep Singh Jhajj for report and initial fix
> ---
> ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
> b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
> index 5f7031c..27a0383 100644
> --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
> +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
> @@ -1605,7 +1605,7 @@ under the License.
> </request-map>
>
> <request-map uri="getAssociatedStateList">
> - <security https="true" auth="false"/>
> + <security https="true" auth="true"/>
> <event type="service" invoke="getAssociatedStateList"/>
> <response name="success" type="request" value="json"/>
> <response name="error" type="request" value="json"/>
>
>