Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/04/04 15:59:21 UTC
[ofbiz-framework] 01/26: Improved: "auth" should be true for all
the request url used for Application components
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 6c49411ee7914e3aff8e31c802bff0721361abef
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Mar 14 08:51:06 2020 +0100
Improved: "auth" should be true for all the request url used for Application
components
(OFBIZ-4956)
Currently there are some URLs present in application components with
auth="false". So anyone can hit these URLs and access these resources without
authentication.
I think all the URLs should be secure with auth="true"
jleroux: I have also fixed the dataResourceId="GZ-DIG"
Thanks: Amardeep Singh Jhajj for report and initial fix
---
applications/accounting/webapp/accounting/WEB-INF/controller.xml | 6 +++---
applications/content/webapp/content/WEB-INF/controller.xml | 4 ++--
applications/datamodel/data/demo/OrderDemoData.xml | 2 +-
applications/humanres/webapp/humanres/WEB-INF/controller.xml | 2 +-
.../manufacturing/webapp/manufacturing/WEB-INF/controller.xml | 2 +-
applications/marketing/webapp/marketing/WEB-INF/controller.xml | 2 +-
applications/order/webapp/ordermgr/WEB-INF/controller.xml | 8 ++++----
applications/party/webapp/partymgr/WEB-INF/controller.xml | 8 ++++----
applications/product/webapp/catalog/WEB-INF/controller.xml | 6 +++---
applications/product/webapp/facility/WEB-INF/controller.xml | 2 +-
framework/common/webcommon/WEB-INF/common-controller.xml | 2 +-
11 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/applications/accounting/webapp/accounting/WEB-INF/controller.xml b/applications/accounting/webapp/accounting/WEB-INF/controller.xml
index a692b46..7116519 100644
--- a/applications/accounting/webapp/accounting/WEB-INF/controller.xml
+++ b/applications/accounting/webapp/accounting/WEB-INF/controller.xml
@@ -874,7 +874,7 @@ under the License.
<!-- =============== Fixed Asset mapping =================-->
<request-map uri="ListFixedAssets"><security https="true" auth="true"/><response name="success" type="view" value="ListFixedAssets"/></request-map>
- <request-map uri="FixedAssetSearchResults"><security https="true" auth="false"/><response name="success" type="view" value="FixedAssetSearchResults"/></request-map>
+ <request-map uri="FixedAssetSearchResults"><security https="true" auth="true"/><response name="success" type="view" value="FixedAssetSearchResults"/></request-map>
<request-map uri="EditFixedAsset"><security https="true" auth="true"/><response name="success" type="view" value="EditFixedAsset"/></request-map>
<request-map uri="createFixedAsset">
<security https="true" auth="true"/>
@@ -2030,7 +2030,7 @@ under the License.
<response name="error" type="request" value="json"/>
</request-map>
<request-map uri="reconcileFinAccountTrans">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
<event type="service-multi" invoke="reconcileFinAccountTrans"/>
<response name="success" type="view" value="BankReconciliation"/>
<response name="error" type="view" value="BankReconciliation"/>
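Review bot: auth="true" on `reconcileFinAccountTrans` only requires a logged-in user; it does not decide whether that user may reconcile financial-account transactions, and the `service-multi` event passes the submitted rows straight to the service. Whatever permission check applies has to live in the service definition, which is outside this diff, so this mapping should not be treated as closed until that definition is confirmed to declare one. A short reminder above the `<security>` element would help the next reader: `<!-- auth only gates login; the permission check is enforced by the service definition -->`.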
@@ -2066,7 +2066,7 @@ under the License.
<response name="error" type="view" value="ViewGlReconciliationWithTransaction"/>
</request-map>
<request-map uri="assignGlRecToFinAccTrans">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
<event type="service-multi" invoke="assignGlRecToFinAccTrans"/>
<response name="success" type="view" value="FindFinAccountTrans"/>
<response name="error" type="view" value="FindFinAccountTrans"/>
diff --git a/applications/content/webapp/content/WEB-INF/controller.xml b/applications/content/webapp/content/WEB-INF/controller.xml
index 0732b6c..468cfbd 100644
--- a/applications/content/webapp/content/WEB-INF/controller.xml
+++ b/applications/content/webapp/content/WEB-INF/controller.xml
@@ -1029,7 +1029,7 @@ under the License.
</request-map>
<request-map uri="UploadImage"><security auth="true" https="true"/><response name="success" type="view" value="UploadImage"/></request-map>
<request-map uri="img">
- <security auth="false" https="false"/>
+ <security auth="true" https="true"/>
<event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveImage"/>
<response name="success" type="none"/>
<response name="error" type="request" value="main"/>
@@ -1756,7 +1756,7 @@ under the License.
<!-- ================ SimpleContent Requests ================= -->
<request-map uri="ViewSimpleContent">
- <security auth="false" https="false"/>
+ <security auth="true" https="true"/>
<response name="success" type="view" value="ViewSimpleContent"/>
</request-map>
diff --git a/applications/datamodel/data/demo/OrderDemoData.xml b/applications/datamodel/data/demo/OrderDemoData.xml
index 6b4929b..04bcc3e 100644
--- a/applications/datamodel/data/demo/OrderDemoData.xml
+++ b/applications/datamodel/data/demo/OrderDemoData.xml
@@ -792,7 +792,7 @@ under the License.
<!-- test Digital Download product -->
<Product productId="GZ-DIG" productTypeId="DIGITAL_GOOD" primaryProductCategoryId="101" productName="Digital Gizmo" internalName="Digital Gizmo" description="A digital gizmo: can be downloaded immediately after purchase." longDescription="This gizmo is part of an exciting new breed that needs no corporeal form: it is all digital! Buy and download it now!" taxable="Y" chargeShipping="N" autoCreateKeywords="Y" isVirtual="N" isVariant="N" createdDate="2001-05-13 12:00:00.0" createdByUse [...]
- <DataResource dataResourceId="GZ-DIG" dataResourceTypeId="OFBIZ_FILE_BIN" mimeTypeId="image/gif" dataResourceName="Digital Gizmo Image" objectInfo="themes/common/webapp/images/ofbiz_logo.png"/>
+ <DataResource dataResourceId="GZ-DIG" dataResourceTypeId="OFBIZ_FILE_BIN" mimeTypeId="image/gif" dataResourceName="Digital Gizmo Image" objectInfo="themes/common-theme/webapp/images/ofbiz_logo.png"/>
<DataResource dataResourceTypeId="ELECTRONIC_TEXT" dataResourceId="GZ-DIG-ALT" localeString="en"/>
<DataResource dataResourceTypeId="ELECTRONIC_TEXT" dataResourceId="DRGZ-DIG-ALTEN" localeString="en_US"/>
<ElectronicText dataResourceId="GZ-DIG-ALT" textData="digital-gizmo"/>
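Review bot: The corrected `objectInfo` on the GZ-DIG DataResource now points at `ofbiz_logo.png`, but the same element still declares `mimeTypeId="image/gif"`, so the path fix leaves the declared type inconsistent with the file it names. If the serving code sends the stored mime type as Content-Type (likely, but not visible here), the PNG will be served as `image/gif`. Change the attribute on the same line to `mimeTypeId="image/png"`.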
diff --git a/applications/humanres/webapp/humanres/WEB-INF/controller.xml b/applications/humanres/webapp/humanres/WEB-INF/controller.xml
index fb8810c..fc137a9 100644
--- a/applications/humanres/webapp/humanres/WEB-INF/controller.xml
+++ b/applications/humanres/webapp/humanres/WEB-INF/controller.xml
@@ -40,7 +40,7 @@ under the License.
<!-- Request Mappings -->
<request-map uri="view">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
<response name="success" type="request" value="main"/>
</request-map>
diff --git a/applications/manufacturing/webapp/manufacturing/WEB-INF/controller.xml b/applications/manufacturing/webapp/manufacturing/WEB-INF/controller.xml
index 9550502..4948591 100644
--- a/applications/manufacturing/webapp/manufacturing/WEB-INF/controller.xml
+++ b/applications/manufacturing/webapp/manufacturing/WEB-INF/controller.xml
@@ -39,7 +39,7 @@ under the License.
<!-- Request Mappings -->
<request-map uri="view">
- <security https="false" auth="false"/>
+ <security https="true" auth="true"/>
<response name="success" type="request" value="main"/>
</request-map>
diff --git a/applications/marketing/webapp/marketing/WEB-INF/controller.xml b/applications/marketing/webapp/marketing/WEB-INF/controller.xml
index de47863..7221e3a 100644
--- a/applications/marketing/webapp/marketing/WEB-INF/controller.xml
+++ b/applications/marketing/webapp/marketing/WEB-INF/controller.xml
@@ -305,7 +305,7 @@ under the License.
<response name="error" type="request-redirect" value="FindImportContactListParties"/>
</request-map>
<request-map uri="contactListOptOut" track-serverhit="false" track-visit="false">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
<event type="service" invoke="updateContactListPartyNoUserLogin"/>
<response name="success" type="view" value="ContactListOptOut"/>
</request-map>
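Review bot: Requiring login on `contactListOptOut` is likely to break the flow it serves: the event it invokes is named `updateContactListPartyNoUserLogin`, and `track-serverhit="false" track-visit="false"` marks it as an externally hit link, which suggests it is the unsubscribe link sent to contact-list recipients who have no user account. With auth="true" those recipients can no longer opt out, which is a functional regression and, for marketing mail, a compliance problem rather than a hardening win. Keep `<security https="true" auth="false"/>` here and rely on whatever recipient verification the service performs; if it performs none, the fix belongs in the service (a per-recipient token) rather than in the login gate. The whole request-map is visible in the hunk.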
diff --git a/applications/order/webapp/ordermgr/WEB-INF/controller.xml b/applications/order/webapp/ordermgr/WEB-INF/controller.xml
index 2d4cce3..10c5d3c 100644
--- a/applications/order/webapp/ordermgr/WEB-INF/controller.xml
+++ b/applications/order/webapp/ordermgr/WEB-INF/controller.xml
@@ -39,7 +39,7 @@ under the License.
<!-- Request Mappings -->
<request-map uri="view">
- <security https="false" auth="false"/>
+ <security https="true" auth="true"/>
<response name="success" type="request" value="main"/>
</request-map>
@@ -229,7 +229,7 @@ under the License.
</request-map>
<request-map uri="getConfigDetailsEvent">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
<event type="java" path="org.apache.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
<response name="success" type="request" value="json"/>
<response name="error" type="request" value="json"/>
@@ -596,7 +596,7 @@ under the License.
<response name="success" type="view" value="AddGiftCertificate"/>
</request-map>
<request-map uri="addGiftCertificateSurvey">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
<event type="java" invoke="createSurveyResponseAndRestoreParameters" path="org.apache.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="request" value="additem"/>
<response name="error" type="view" value="AddGiftCertificate"/>
@@ -1794,7 +1794,7 @@ under the License.
</request-map>
<request-map uri="crosssell">
- <security https="false" auth="false"/>
+ <security https="true" auth="true"/>
<response name="success" type="view" value="product"/>
</request-map>
diff --git a/applications/party/webapp/partymgr/WEB-INF/controller.xml b/applications/party/webapp/partymgr/WEB-INF/controller.xml
index a9bee45..1936fca 100644
--- a/applications/party/webapp/partymgr/WEB-INF/controller.xml
+++ b/applications/party/webapp/partymgr/WEB-INF/controller.xml
@@ -41,7 +41,7 @@ under the License.
-->
<!-- Request Mappings -->
- <request-map uri="view"><security https="true" auth="false"/><response name="success" type="request" value="main"/></request-map>
+ <request-map uri="view"><security https="true" auth="true"/><response name="success" type="request" value="main"/></request-map>
<request-map uri="main"><security https="true" auth="true"/><response name="success" type="view" value="main"/></request-map>
@@ -995,7 +995,7 @@ under the License.
<!-- ================ SimpleContent Requests ================= -->
<request-map uri="ViewSimpleContent">
- <security auth="false" https="false"/>
+ <security auth="true" https="true"/>
<response name="success" type="view" value="ViewSimpleContent"/>
</request-map>
@@ -1050,7 +1050,7 @@ under the License.
</request-map>
<request-map uri="img">
- <security auth="false" https="false"/>
+ <security auth="true" https="true"/>
<event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveImage"/>
<response name="success" type="none"/>
<response name="error" type="request" value="main"/>
@@ -1342,7 +1342,7 @@ under the License.
<!-- external communication event; mark as read using 1px image request -->
<request-map uri="ceimages" track-serverhit="false" track-visit="false">
- <security https="false" auth="false"/>
+ <security https="false" auth="true"/>
<event type="java" path="org.apache.ofbiz.party.communication.CommunicationEventServices" invoke="markCommunicationAsRead"/>
<response name="success" type="none"/>
</request-map>
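Review bot: The `ceimages` mapping is, per the comment directly above it, the 1px read-receipt image embedded in outgoing communication events and fetched by external recipients' mail clients; with auth="true" an unauthenticated image fetch no longer reaches `markCommunicationAsRead`, so the feature silently stops working. `https="false"` is also left as-is here while every other mapping in this commit moved to `https="true"`, which is worth either fixing or explaining. If the concern is unauthenticated callers flipping read flags, the control is an unguessable per-event identifier validated inside `markCommunicationAsRead` (I cannot see from here whether one exists), not a login requirement the recipient cannot satisfy: restore `<security https="false" auth="false"/>` and document it with `<!-- intentionally anonymous: hit by external mail clients -->`.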
diff --git a/applications/product/webapp/catalog/WEB-INF/controller.xml b/applications/product/webapp/catalog/WEB-INF/controller.xml
index 65257f2..496f99b 100644
--- a/applications/product/webapp/catalog/WEB-INF/controller.xml
+++ b/applications/product/webapp/catalog/WEB-INF/controller.xml
@@ -1922,7 +1922,7 @@ under the License.
<!-- Get Values options associated with a Price Rule Condition Input -->
<request-map uri="getAssociatedPriceRulesConds">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
<event type="service" invoke="getAssociatedPriceRulesConds"/>
<response name="success" type="request" value="json"/>
<response name="error" type="request" value="json"/>
@@ -2836,7 +2836,7 @@ under the License.
</response>
</request-map>
<request-map uri="viewImage">
- <security https="false" auth="false"/>
+ <security https="true" auth="true"/>
<response name="success" type="view" value="viewImage"/>
<response name="error" type="view" value="viewImage"/>
</request-map>
@@ -3031,7 +3031,7 @@ under the License.
<response name="error" type="request" value="json"/>
</request-map>
<request-map uri="listMiniproduct">
- <security auth="false" https="true"/>
+ <security auth="true" https="true"/>
<response name="success" type="view" value="listMiniproduct"/>
</request-map>
diff --git a/applications/product/webapp/facility/WEB-INF/controller.xml b/applications/product/webapp/facility/WEB-INF/controller.xml
index 0ddf8e0..35cb285 100644
--- a/applications/product/webapp/facility/WEB-INF/controller.xml
+++ b/applications/product/webapp/facility/WEB-INF/controller.xml
@@ -53,7 +53,7 @@ under the License.
<response name="success" type="view" value="FindFacility"/>
</request-map>
<request-map uri="FacilitySearchResults">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
<response name="success" type="view" value="FacilitySearchResults"/>
</request-map>
<request-map uri="EditFacility">
diff --git a/framework/common/webcommon/WEB-INF/common-controller.xml b/framework/common/webcommon/WEB-INF/common-controller.xml
index b2cd339..46fa551 100644
--- a/framework/common/webcommon/WEB-INF/common-controller.xml
+++ b/framework/common/webcommon/WEB-INF/common-controller.xml
@@ -237,7 +237,7 @@ under the License.
<!--========================== AJAX events =====================-->
<!-- Get states related to a country -->
<request-map uri="getAssociatedStateList">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
<event type="service" invoke="getAssociatedStateList"/>
<response name="success" type="request" value="json"/>
<response name="error" type="request" value="json"/>
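Review bot: `getAssociatedStateList` lives in `common-controller.xml`, which is shared by every webapp that includes it, so this change is not confined to the application components named in the commit title: any anonymous-facing front end that includes the common controller and uses this AJAX call to fill a state dropdown (an address form during guest checkout, for example) would now get a login response instead of JSON. Which webapps include the file is not visible in this diff, so that needs checking before merge. If anonymous use is required, a non-sensitive country-to-state lookup can keep `auth="false"` with a comment stating why: `<!-- public reference data; used by anonymous address forms -->`. The `</request-map>` closing this mapping is outside the hunk.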