Posted to commits@ofbiz.apache.org by ja...@apache.org on 2008/05/23 22:57:28 UTC
svn commit: r659658 - in /ofbiz/trunk/framework: common/widget/
example/webapp/example/WEB-INF/ example/webapp/example/WEB-INF/actions/
example/webapp/example/WEB-INF/actions/includes/ example/widget/example/
Author: jacopoc
Date: Fri May 23 13:57:27 2008
New Revision: 659658
URL: http://svn.apache.org/viewvc?rev=659658&view=rev
Log:
Fix for a security hole I introduced while working on the Ajax autocompleter fields.
This is a temporary approach that can be improved.
Added:
ofbiz/trunk/framework/example/webapp/example/WEB-INF/actions/
ofbiz/trunk/framework/example/webapp/example/WEB-INF/actions/includes/
ofbiz/trunk/framework/example/webapp/example/WEB-INF/actions/includes/findExampleFeatures.bsh (with props)
Modified:
ofbiz/trunk/framework/common/widget/CommonScreens.xml
ofbiz/trunk/framework/example/webapp/example/WEB-INF/controller.xml
ofbiz/trunk/framework/example/widget/example/ExampleForms.xml
Modified: ofbiz/trunk/framework/common/widget/CommonScreens.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/widget/CommonScreens.xml?rev=659658&r1=659657&r2=659658&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/widget/CommonScreens.xml (original)
+++ ofbiz/trunk/framework/common/widget/CommonScreens.xml Fri May 23 13:57:27 2008
@@ -93,11 +93,15 @@
<screen name="ajaxAutocompleteOptions">
<section>
<actions>
+ <set field="autocompleteOptions" from-field="parameters.autocompleteOptions"/>
+ <!--
+ FIXME: Disabled because it represents a security hole.
<set field="entityName" from-field="parameters.entityName"/>
<set field="fieldName" from-field="parameters.fieldName"/>
<set field="selectFields" from-field="parameters.selectFields"/>
<set field="sortByFields" from-field="parameters.sortByFields"/>
<script location="component://common/webcommon/WEB-INF/actions/includes/findAutocompleteOptions.bsh"/>
+ -->
</actions>
<widgets>
<platform-specific><html><html-template location="component://common/webcommon/includes/ajaxAutocompleteOptions.ftl"/></html></platform-specific>
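Review bot: The FIXME at the top of the disabled block says only "security hole", so a later maintainer who finds the commented-out actions has no way to know why they must not come back; I would either delete the block outright (svn keeps the history) or make the comment say what the problem was, e.g. `FIXME: disabled — entityName/fieldName/selectFields/sortByFields were taken straight from request parameters, letting a caller choose which entity and fields this screen queries.` The screen itself stays in place and now only copies `parameters.autocompleteOptions` into the context, so it depends on the calling request-map's event having set that attribute (in this commit, findExampleFeatures.bsh does that). The findAutocompleteOptions.bsh script referenced inside the comment is not touched by this commit; if it still exists on disk, nothing here stops another screen from wiring it up again, so removing or guarding it seems a necessary follow-up.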
Added: ofbiz/trunk/framework/example/webapp/example/WEB-INF/actions/includes/findExampleFeatures.bsh
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/example/webapp/example/WEB-INF/actions/includes/findExampleFeatures.bsh?rev=659658&view=auto
==============================================================================
--- ofbiz/trunk/framework/example/webapp/example/WEB-INF/actions/includes/findExampleFeatures.bsh (added)
+++ ofbiz/trunk/framework/example/webapp/example/WEB-INF/actions/includes/findExampleFeatures.bsh Fri May 23 13:57:27 2008
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import java.util.TreeSet;
+import javolution.util.FastList;
+import org.ofbiz.entity.condition.EntityConditionList;
+import org.ofbiz.entity.condition.EntityExpr;
+import org.ofbiz.entity.condition.EntityFieldValue;
+import org.ofbiz.entity.condition.EntityFunction;
+import org.ofbiz.entity.condition.EntityOperator;
+import org.ofbiz.base.util.UtilMisc;
+import org.ofbiz.base.util.UtilValidate;
+
+delegator = request.getAttribute("delegator");
+
+andExprs = FastList.newInstance();
+fieldValue = request.getParameter("exampleFeatureId");
+if (UtilValidate.isNotEmpty(fieldValue)) {
+ andExprs.add(new EntityExpr(new EntityFunction.UPPER(new EntityFieldValue("exampleFeatureId")),
+ EntityOperator.LIKE, "%" + fieldValue.toUpperCase() + "%"));
+}
+
+List autocompleteOptions = null;
+if (andExprs.size() > 0) {
+ entityConditionList = new EntityConditionList(andExprs, EntityOperator.AND);
+ autocompleteOptions = delegator.findList("ExampleFeature", entityConditionList, new TreeSet(UtilMisc.toList("exampleFeatureId", "description")), UtilMisc.toList("-exampleFeatureId"), null, false);
+ //context.put("autocompleteOptions", autocompleteOptions);
+ request.setAttribute("autocompleteOptions", autocompleteOptions);
+}
+return "success";
\ No newline at end of file
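Review bot: The query in findExampleFeatures.bsh has no row limit, so a one-character `exampleFeatureId` returns every matching ExampleFeature row in the autocomplete response; pass an `EntityFindOptions` with a small `setMaxRows` in place of the `null` findOptions argument on the `delegator.findList` line (needs an `org.ofbiz.entity.util.EntityFindOptions` import). The user value is concatenated into the LIKE pattern with its `%` and `_` wildcards unescaped; as far as I can tell the entity engine binds the value as a JDBC parameter, so this is not SQL injection, but it does let the caller widen the match, which deserves at least a comment such as `// value is bound by the entity engine, not spliced into SQL; LIKE wildcards in the input are not escaped`. `fieldValue.toUpperCase()` uses the JVM default locale while the column side goes through the database UPPER; `toUpperCase(Locale.ROOT)` keeps the two from diverging under locale-specific casing. The commented-out `context.put` line should be dropped rather than left as dead code, and the file is missing its trailing newline.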
Propchange: ofbiz/trunk/framework/example/webapp/example/WEB-INF/actions/includes/findExampleFeatures.bsh
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/trunk/framework/example/webapp/example/WEB-INF/actions/includes/findExampleFeatures.bsh
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange: ofbiz/trunk/framework/example/webapp/example/WEB-INF/actions/includes/findExampleFeatures.bsh
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: ofbiz/trunk/framework/example/webapp/example/WEB-INF/controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/example/webapp/example/WEB-INF/controller.xml?rev=659658&r1=659657&r2=659658&view=diff
==============================================================================
--- ofbiz/trunk/framework/example/webapp/example/WEB-INF/controller.xml (original)
+++ ofbiz/trunk/framework/example/webapp/example/WEB-INF/controller.xml Fri May 23 13:57:27 2008
@@ -28,6 +28,8 @@
<description>Example Component Site Configuration File</description>
<owner>Copyright 2001-2008 The Apache Software Foundation</owner>
+ <handler name="bsf" type="request" class="org.ofbiz.webapp.event.BsfEventHandler"/>
+
<!--
These can be used to return the reports as views; make sure the classes are compiled and available
<handler name="datavision" type="view" class="org.ofbiz.webapp.view.DataVisionViewHandler"/>
@@ -154,6 +156,12 @@
<response name="success" type="view" value="EditExampleFeatureExampleAppls"/>
<response name="error" type="view" value="EditExampleFeatureExampleAppls"/>
</request-map>
+ <request-map uri="findExampleFeatures">
+ <security https="true" auth="true"/>
+ <event type="bsf" path="/WEB-INF/actions/includes/" invoke="findExampleFeatures.bsh"/>
+ <response name="success" type="view" value="ajaxAutocompleteOptions"/>
+ <response name="error" type="view" value="ajaxAutocompleteOptions"/>
+ </request-map>
<request-map uri="FormWidgetExamples"><security https="true" auth="true"/><response name="success" type="view" value="FormWidgetExamples"/></request-map>
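Review bot: The new `findExampleFeatures` mapping gates the event on login only (`auth="true"`), so every authenticated user of the webapp can search ExampleFeature ids and descriptions by substring; if the component's other feature request-maps carry a permission check this one should match them, and if open read access is intended a short comment saying so would keep the next reader from tightening it by accident, e.g. `<!-- read-only ExampleFeature lookup feeding the autocompleter; login is sufficient -->`. The `error` response renders the same `ajaxAutocompleteOptions` view, which will then run with no `autocompleteOptions` request attribute set, so it is worth confirming the template tolerates that. The event also relies on the `bsf` handler declared in the first hunk of this file.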
Modified: ofbiz/trunk/framework/example/widget/example/ExampleForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/example/widget/example/ExampleForms.xml?rev=659658&r1=659657&r2=659658&view=diff
==============================================================================
--- ofbiz/trunk/framework/example/widget/example/ExampleForms.xml (original)
+++ ofbiz/trunk/framework/example/widget/example/ExampleForms.xml Fri May 23 13:57:27 2008
@@ -173,7 +173,7 @@
<form name="AddExampleFeatureAppl" type="single" target="example_createExampleFeatureAppl" title="">
<auto-fields-service service-name="createExampleFeatureAppl"/>
<field name="exampleId"><hidden/></field>
- <field name="exampleFeatureId" id-name="exampleFeatureId"><text server-autocomplete-target="ajaxAutocompleteOptions" server-autocomplete-params="entityName=ExampleFeature&fieldName=exampleFeatureId&selectFields=[exampleFeatureId, description]&sortByFields=[-exampleFeatureId]"></text></field>
+ <field name="exampleFeatureId" id-name="exampleFeatureId"><text server-autocomplete-target="findExampleFeatures"></text></field>
<!-- <field name="exampleFeatureId" title="${uiLabelMap.ExampleFeature}" id-name="exampleFeatureId"><lookup target-form-name="LookupExampleFeature"/></field> -->
<field name="exampleFeatureApplTypeId" title="${uiLabelMap.CommonType}">
<drop-down allow-empty="false">