[Discussion]: Add method attribute to request-map (Was: svn commit: r1834389 - in /ofbiz/ofbiz-framework/trunk/framework...)

[Shi Jinghai <hu...@hotmail.com>]

Hi all,

Thanks Jacques, Taher and Nicolas mentioned our community rule, "a proper discussion".

I created an issue "Add method attribute to request-map to controll a uri can be called GET or POST only" a week ago:
https://issues.apache.org/jira/browse/OFBIZ-10438

Thanks Mathieu, he submitted his patches very quickly while I was preparing mine. I tested them and submitted to trunk. Please be aware, the latest versions are r1834465 and r1834570, and the implement requires JDK 1.8.

Is the implement acceptable for trunk? Further improvement to do? Would we backport it to releases?

If it's not acceptable, I'll revert the implement.

Kind Regards,

Shi Jinghai


-----邮件原件-----
发件人: Paul Foxworthy [mailto:paul@cohsoft.com.au] 
发送时间: 2018年6月26日 19:31
收件人: dev@ofbiz.apache.org
主题: Re: svn commit: r1834389 - in /ofbiz/ofbiz-framework/trunk/framework: base/src/main/java/org/apache/ofbiz/base/util/collections/ webapp/config/ webapp/dtd/ webapp/src/main/java/org/apache/ofbiz/webapp/control/ webapp/src/test/java/org/apache/ofbiz/weba...

On 26 June 2018 at 17:58, Taher Alkhateeb <sl...@gmail.com>
wrote:

> I could be mistaken, but this seems like a very major change that did
> not have a thorough and proper discussion at the mailing list? I would
> rather at least have an explanation of what was committed and to
> discuss the merits and cons of the implementation.
>

Hi all,

I haven't found the specific issue, but wasn't there a major change several
years ago from GET to POST to help guard against XSS attacks?

Cheers

Paul Foxworthy

-- 
Coherent Software Australia Pty Ltd
PO Box 2773
Cheltenham Vic 3192
Australia

Phone: +61 3 9585 6788
Web: http://www.coherentsoftware.com.au/
Email: info@coherentsoftware.com.au

Re: [Discussion]: Add method attribute to request-map

[Jacques Le Roux <ja...@les7arts.com>]

Le 28/06/2018 à 09:56, Mathieu Lirzin a écrit :
> Hello Taher,
>
> Taher Alkhateeb <sl...@gmail.com> writes:
>
>> A few comments:
>>
>> 1- I would suggest to try and avoid in the future committing any
>> design changes to the framework without discussing it properly in the
>> mailing list first
> The limit between a “regular” and “design” change can sometimes hard to
> define, so I just want to emphasize the *try and avoid* part.
>
>> 2- I think it would be better to revert this work. I noticed in the
>> JIRA for example that Mathieu Lirzin asked for some time to review his
>> work when you just committed his work without checking what he wanted
>> to do, and he later provided refactoring patches.
>>
>> 3- I would recommend providing a summary of what you want to commit.
>> The commit was too long and I don't want to read line-by-line
>> everything in the code to understand what was achieved. Let's first
>> discuss in here what is being done, agree on the general direction,
>> and THEN apply a commit.
>>
>> Those are my recommendations, and I don't know about the rest of the
>> folks opinion here so I invite everyone else to have their input.
> I agree with those recommendations.
>
Yes we already established such rules long time ago.
Sometimes, maybe by laziness or eagerness, some of us tend to forget (me included I must say)
A proper discussion on the dev ML for important changes is always a good thing to do.
Thanks Taher for this clear and detailed call to order

As Mathieu outlined the line between a simple and an important change may vary depending on your POV.
In case of doubt (of course you need to have one, eagerness does not help sometimes) start a convo here ;)

Jacques

Re: [Discussion]: Add method attribute to request-map

[Mathieu Lirzin <ma...@nereide.fr>]

Hello Taher,

Taher Alkhateeb <sl...@gmail.com> writes:

> A few comments:
>
> 1- I would suggest to try and avoid in the future committing any
> design changes to the framework without discussing it properly in the
> mailing list first

The limit between a “regular” and “design” change can sometimes hard to
define, so I just want to emphasize the *try and avoid* part.

> 2- I think it would be better to revert this work. I noticed in the
> JIRA for example that Mathieu Lirzin asked for some time to review his
> work when you just committed his work without checking what he wanted
> to do, and he later provided refactoring patches.
>
> 3- I would recommend providing a summary of what you want to commit.
> The commit was too long and I don't want to read line-by-line
> everything in the code to understand what was achieved. Let's first
> discuss in here what is being done, agree on the general direction,
> and THEN apply a commit.
>
> Those are my recommendations, and I don't know about the rest of the
> folks opinion here so I invite everyone else to have their input.

I agree with those recommendations.

-- 
Mathieu Lirzin
GPG: F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37

Re: [Discussion]: Add method attribute to request-map (Was: svn commit: r1834389 - in /ofbiz/ofbiz-framework/trunk/framework...)

[Arun Patidar <ar...@hotwax.co>]

+1 Taher

On Thu, Jun 28, 2018 at 2:01 PM Michael Brohl <mi...@ecomify.de>
wrote:

> A strong +1 to your recommendations.
>
> There were several commits in the OFBiz core recently which were not
> properly discussed before they were committed. We should avoid this.
>
> People should have in mind that other committers might not have the time
> to review, think and discuss these patches in the course of a few days.
> These things are not urgent and can take their time.
>
> Thanks and regards,
>
> Michael
>
>
> Am 28.06.18 um 09:15 schrieb Taher Alkhateeb:
> > A few comments:
> >
> > 1- I would suggest to try and avoid in the future committing any
> > design changes to the framework without discussing it properly in the
> > mailing list first
> > 2- I think it would be better to revert this work. I noticed in the
> > JIRA for example that Mathieu Lirzin asked for some time to review his
> > work when you just committed his work without checking what he wanted
> > to do, and he later provided refactoring patches.
> > 3- I would recommend providing a summary of what you want to commit.
> > The commit was too long and I don't want to read line-by-line
> > everything in the code to understand what was achieved. Let's first
> > discuss in here what is being done, agree on the general direction,
> > and THEN apply a commit.
> >
> > Those are my recommendations, and I don't know about the rest of the
> > folks opinion here so I invite everyone else to have their input.
> >
> > On Thu, Jun 28, 2018 at 6:46 AM, Shi Jinghai <hu...@hotmail.com>
> wrote:
> >> Hi all,
> >>
> >> Thanks Jacques, Taher and Nicolas mentioned our community rule, "a
> proper discussion".
> >>
> >> I created an issue "Add method attribute to request-map to controll a
> uri can be called GET or POST only" a week ago:
> >> https://issues.apache.org/jira/browse/OFBIZ-10438
> >>
> >> Thanks Mathieu, he submitted his patches very quickly while I was
> preparing mine. I tested them and submitted to trunk. Please be aware, the
> latest versions are r1834465 and r1834570, and the implement requires JDK
> 1.8.
> >>
> >> Is the implement acceptable for trunk? Further improvement to do? Would
> we backport it to releases?
> >>
> >> If it's not acceptable, I'll revert the implement.
> >>
> >> Kind Regards,
> >>
> >> Shi Jinghai
> >>
> >>
> >> -----邮件原件-----
> >> 发件人: Paul Foxworthy [mailto:paul@cohsoft.com.au]
> >> 发送时间: 2018年6月26日 19:31
> >> 收件人: dev@ofbiz.apache.org
> >> 主题: Re: svn commit: r1834389 - in
> /ofbiz/ofbiz-framework/trunk/framework:
> base/src/main/java/org/apache/ofbiz/base/util/collections/ webapp/config/
> webapp/dtd/ webapp/src/main/java/org/apache/ofbiz/webapp/control/
> webapp/src/test/java/org/apache/ofbiz/weba...
> >>
> >> On 26 June 2018 at 17:58, Taher Alkhateeb <sl...@gmail.com>
> >> wrote:
> >>
> >>> I could be mistaken, but this seems like a very major change that did
> >>> not have a thorough and proper discussion at the mailing list? I would
> >>> rather at least have an explanation of what was committed and to
> >>> discuss the merits and cons of the implementation.
> >>>
> >> Hi all,
> >>
> >> I haven't found the specific issue, but wasn't there a major change
> several
> >> years ago from GET to POST to help guard against XSS attacks?
> >>
> >> Cheers
> >>
> >> Paul Foxworthy
> >>
> >> --
> >> Coherent Software Australia Pty Ltd
> >> PO Box 2773
> >> Cheltenham Vic 3192
> >> Australia
> >>
> >> Phone: +61 3 9585 6788
> >> Web: http://www.coherentsoftware.com.au/
> >> Email: info@coherentsoftware.com.au
>
>
>

-- 

Best regards,

Arun Patidar
Director of Information SystemsHotWax Commerce <http://www.hotwax.co/>

Re: [Discussion]: Add method attribute to request-map (Was: svn commit: r1834389 - in /ofbiz/ofbiz-framework/trunk/framework...)

[Michael Brohl <mi...@ecomify.de>]

A strong +1 to your recommendations.

There were several commits in the OFBiz core recently which were not 
properly discussed before they were committed. We should avoid this.

People should have in mind that other committers might not have the time 
to review, think and discuss these patches in the course of a few days. 
These things are not urgent and can take their time.

Thanks and regards,

Michael


Am 28.06.18 um 09:15 schrieb Taher Alkhateeb:
> A few comments:
>
> 1- I would suggest to try and avoid in the future committing any
> design changes to the framework without discussing it properly in the
> mailing list first
> 2- I think it would be better to revert this work. I noticed in the
> JIRA for example that Mathieu Lirzin asked for some time to review his
> work when you just committed his work without checking what he wanted
> to do, and he later provided refactoring patches.
> 3- I would recommend providing a summary of what you want to commit.
> The commit was too long and I don't want to read line-by-line
> everything in the code to understand what was achieved. Let's first
> discuss in here what is being done, agree on the general direction,
> and THEN apply a commit.
>
> Those are my recommendations, and I don't know about the rest of the
> folks opinion here so I invite everyone else to have their input.
>
> On Thu, Jun 28, 2018 at 6:46 AM, Shi Jinghai <hu...@hotmail.com> wrote:
>> Hi all,
>>
>> Thanks Jacques, Taher and Nicolas mentioned our community rule, "a proper discussion".
>>
>> I created an issue "Add method attribute to request-map to controll a uri can be called GET or POST only" a week ago:
>> https://issues.apache.org/jira/browse/OFBIZ-10438
>>
>> Thanks Mathieu, he submitted his patches very quickly while I was preparing mine. I tested them and submitted to trunk. Please be aware, the latest versions are r1834465 and r1834570, and the implement requires JDK 1.8.
>>
>> Is the implement acceptable for trunk? Further improvement to do? Would we backport it to releases?
>>
>> If it's not acceptable, I'll revert the implement.
>>
>> Kind Regards,
>>
>> Shi Jinghai
>>
>>
>> -----邮件原件-----
>> 发件人: Paul Foxworthy [mailto:paul@cohsoft.com.au]
>> 发送时间: 2018年6月26日 19:31
>> 收件人: dev@ofbiz.apache.org
>> 主题: Re: svn commit: r1834389 - in /ofbiz/ofbiz-framework/trunk/framework: base/src/main/java/org/apache/ofbiz/base/util/collections/ webapp/config/ webapp/dtd/ webapp/src/main/java/org/apache/ofbiz/webapp/control/ webapp/src/test/java/org/apache/ofbiz/weba...
>>
>> On 26 June 2018 at 17:58, Taher Alkhateeb <sl...@gmail.com>
>> wrote:
>>
>>> I could be mistaken, but this seems like a very major change that did
>>> not have a thorough and proper discussion at the mailing list? I would
>>> rather at least have an explanation of what was committed and to
>>> discuss the merits and cons of the implementation.
>>>
>> Hi all,
>>
>> I haven't found the specific issue, but wasn't there a major change several
>> years ago from GET to POST to help guard against XSS attacks?
>>
>> Cheers
>>
>> Paul Foxworthy
>>
>> --
>> Coherent Software Australia Pty Ltd
>> PO Box 2773
>> Cheltenham Vic 3192
>> Australia
>>
>> Phone: +61 3 9585 6788
>> Web: http://www.coherentsoftware.com.au/
>> Email: info@coherentsoftware.com.au

Re: [Discussion]: Add method attribute to request-map (Was: svn commit: r1834389 - in /ofbiz/ofbiz-framework/trunk/framework...)

[Jacopo Cappellato <ja...@hotwaxsystems.com>]

+1 to Taher's recommendations.

Jacopo

On Thu, Jun 28, 2018 at 9:15 AM, Taher Alkhateeb <slidingfilaments@gmail.com
> wrote:

> A few comments:
>
> 1- I would suggest to try and avoid in the future committing any
> design changes to the framework without discussing it properly in the
> mailing list first
> 2- I think it would be better to revert this work. I noticed in the
> JIRA for example that Mathieu Lirzin asked for some time to review his
> work when you just committed his work without checking what he wanted
> to do, and he later provided refactoring patches.
> 3- I would recommend providing a summary of what you want to commit.
> The commit was too long and I don't want to read line-by-line
> everything in the code to understand what was achieved. Let's first
> discuss in here what is being done, agree on the general direction,
> and THEN apply a commit.
>
> Those are my recommendations, and I don't know about the rest of the
> folks opinion here so I invite everyone else to have their input.
>
> On Thu, Jun 28, 2018 at 6:46 AM, Shi Jinghai <hu...@hotmail.com> wrote:
> > Hi all,
> >
> > Thanks Jacques, Taher and Nicolas mentioned our community rule, "a
> proper discussion".
> >
> > I created an issue "Add method attribute to request-map to controll a
> uri can be called GET or POST only" a week ago:
> > https://issues.apache.org/jira/browse/OFBIZ-10438
> >
> > Thanks Mathieu, he submitted his patches very quickly while I was
> preparing mine. I tested them and submitted to trunk. Please be aware, the
> latest versions are r1834465 and r1834570, and the implement requires JDK
> 1.8.
> >
> > Is the implement acceptable for trunk? Further improvement to do? Would
> we backport it to releases?
> >
> > If it's not acceptable, I'll revert the implement.
> >
> > Kind Regards,
> >
> > Shi Jinghai
> >
> >
> > -----邮件原件-----
> > 发件人: Paul Foxworthy [mailto:paul@cohsoft.com.au]
> > 发送时间: 2018年6月26日 19:31
> > 收件人: dev@ofbiz.apache.org
> > 主题: Re: svn commit: r1834389 - in /ofbiz/ofbiz-framework/trunk/framework:
> base/src/main/java/org/apache/ofbiz/base/util/collections/ webapp/config/
> webapp/dtd/ webapp/src/main/java/org/apache/ofbiz/webapp/control/
> webapp/src/test/java/org/apache/ofbiz/weba...
> >
> > On 26 June 2018 at 17:58, Taher Alkhateeb <sl...@gmail.com>
> > wrote:
> >
> >> I could be mistaken, but this seems like a very major change that did
> >> not have a thorough and proper discussion at the mailing list? I would
> >> rather at least have an explanation of what was committed and to
> >> discuss the merits and cons of the implementation.
> >>
> >
> > Hi all,
> >
> > I haven't found the specific issue, but wasn't there a major change
> several
> > years ago from GET to POST to help guard against XSS attacks?
> >
> > Cheers
> >
> > Paul Foxworthy
> >
> > --
> > Coherent Software Australia Pty Ltd
> > PO Box 2773
> > Cheltenham Vic 3192
> > Australia
> >
> > Phone: +61 3 9585 6788
> > Web: http://www.coherentsoftware.com.au/
> > Email: info@coherentsoftware.com.au
>

Re: [Discussion]: Add method attribute to request-map (Was: svn commit: r1834389 - in /ofbiz/ofbiz-framework/trunk/framework...)

[Taher Alkhateeb <sl...@gmail.com>]

A few comments:

1- I would suggest to try and avoid in the future committing any
design changes to the framework without discussing it properly in the
mailing list first
2- I think it would be better to revert this work. I noticed in the
JIRA for example that Mathieu Lirzin asked for some time to review his
work when you just committed his work without checking what he wanted
to do, and he later provided refactoring patches.
3- I would recommend providing a summary of what you want to commit.
The commit was too long and I don't want to read line-by-line
everything in the code to understand what was achieved. Let's first
discuss in here what is being done, agree on the general direction,
and THEN apply a commit.

Those are my recommendations, and I don't know about the rest of the
folks opinion here so I invite everyone else to have their input.

On Thu, Jun 28, 2018 at 6:46 AM, Shi Jinghai <hu...@hotmail.com> wrote:
> Hi all,
>
> Thanks Jacques, Taher and Nicolas mentioned our community rule, "a proper discussion".
>
> I created an issue "Add method attribute to request-map to controll a uri can be called GET or POST only" a week ago:
> https://issues.apache.org/jira/browse/OFBIZ-10438
>
> Thanks Mathieu, he submitted his patches very quickly while I was preparing mine. I tested them and submitted to trunk. Please be aware, the latest versions are r1834465 and r1834570, and the implement requires JDK 1.8.
>
> Is the implement acceptable for trunk? Further improvement to do? Would we backport it to releases?
>
> If it's not acceptable, I'll revert the implement.
>
> Kind Regards,
>
> Shi Jinghai
>
>
> -----邮件原件-----
> 发件人: Paul Foxworthy [mailto:paul@cohsoft.com.au]
> 发送时间: 2018年6月26日 19:31
> 收件人: dev@ofbiz.apache.org
> 主题: Re: svn commit: r1834389 - in /ofbiz/ofbiz-framework/trunk/framework: base/src/main/java/org/apache/ofbiz/base/util/collections/ webapp/config/ webapp/dtd/ webapp/src/main/java/org/apache/ofbiz/webapp/control/ webapp/src/test/java/org/apache/ofbiz/weba...
>
> On 26 June 2018 at 17:58, Taher Alkhateeb <sl...@gmail.com>
> wrote:
>
>> I could be mistaken, but this seems like a very major change that did
>> not have a thorough and proper discussion at the mailing list? I would
>> rather at least have an explanation of what was committed and to
>> discuss the merits and cons of the implementation.
>>
>
> Hi all,
>
> I haven't found the specific issue, but wasn't there a major change several
> years ago from GET to POST to help guard against XSS attacks?
>
> Cheers
>
> Paul Foxworthy
>
> --
> Coherent Software Australia Pty Ltd
> PO Box 2773
> Cheltenham Vic 3192
> Australia
>
> Phone: +61 3 9585 6788
> Web: http://www.coherentsoftware.com.au/
> Email: info@coherentsoftware.com.au