Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2009/04/01 19:39:18 UTC
secure confirmAction.patch
As I'm busy and focused on securing URLs, I need a little help to avoid searching by myself.
My worry is
Index: applications/party/widget/partymgr/PartyMenus.xml
===================================================================
--- applications/party/widget/partymgr/PartyMenus.xml (revision 760815)
+++ applications/party/widget/partymgr/PartyMenus.xml (working copy)
@@ -260,7 +260,10 @@
<condition>
<if-compare field="parameters.all" operator="equals" value="true" />
</condition>
- <link target="${bsh:session.getAttribute("_LAST_VIEW_NAME_")}?portalPageId=${parameters.portalPageId}&all=false" />
+ <link target="${session.getAttribute("_LAST_VIEW_NAME_")}" >
+ <parameter param-name="portalPageId" from-field="parameters.portalPageId"/>
+ <parameter param-name="all" value="false"/>
+ </link>
</menu-item>
<menu-item name="allOtherEvents" title="${uiLabelMap.PartyAllEvents}">
<condition>
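Review bot: The added `<link target="${session.getAttribute("_LAST_VIEW_NAME_")}" >` line drops the `bsh:` prefix that the removed line had, which is a second change beyond moving the query string into `<parameter>` children. Nothing in the hunk shows that the expression still evaluates to the same view name without the prefix; either keep `bsh:` here or make the prefix removal its own change so it can be tested separately.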
@@ -269,7 +272,10 @@
<if-empty field="parameters.all"/>
</or>
</condition>
- <link target="${bsh:session.getAttribute("_LAST_VIEW_NAME_")}?portalPageId=${parameters.portalPageId}&all=true" />
+ <link target="${session.getAttribute("_LAST_VIEW_NAME_")}" >
+ <parameter param-name="portalPageId" from-field="parameters.portalPageId"/>
+ <parameter param-name="all" value="true"/>
+ </link>
</menu-item>
</menu>
<menu name="MyCommSubTabBar" menu-container-style="button-bar button-style-2">
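Review bot: In the added `<link target="${session.getAttribute("_LAST_VIEW_NAME_")}" >` line, the double quotes around `_LAST_VIEW_NAME_` sit inside a double-quoted attribute value, so as shown the attribute would end at `getAttribute(`. If the working copy really contains them unescaped, use `&quot;` or single quotes for the inner string, and drop the stray space before `>` on the same line.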
Index: specialpurpose/mypage/widget/MyPageMenus.xml
===================================================================
--- specialpurpose/mypage/widget/MyPageMenus.xml (revision 760815)
+++ specialpurpose/mypage/widget/MyPageMenus.xml (working copy)
@@ -154,7 +154,10 @@
<condition>
<if-compare field="parameters.all" operator="equals" value="true" />
</condition>
- <link target="${parameters.donePage}?donePage=${parameters.donePage}&all=false" />
+ <link target="${parameters.donePage}" >
+ <parameter param-name="donePage" from-field="parameters.donePage"/>
+ <parameter param-name="all" value="false"/>
+ </link>
</menu-item>
<menu-item name="allOtherEvents" title="${uiLabelMap.MyPageAllEvents}">
<condition>
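Review bot: The added `<link target="${parameters.donePage}" >` still builds the link target from a request parameter; moving `donePage` and `all` into `<parameter>` elements covers the query string but not the target itself. Since the aim is securing URLs, check `parameters.donePage` against the expected view names, or fall back to a fixed target, before it reaches `target`.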
@@ -163,7 +166,10 @@
<if-empty field="parameters.all"/>
</or>
</condition>
- <link target="${parameters.donePage}?donePage=${parameters.donePage}&all=true" />
+ <link target="${parameters.donePage}" >
+ <parameter param-name="donePage" from-field="parameters.donePage"/>
+ <parameter param-name="all" value="true"/>
+ </link>
</menu-item>
</menu>
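Review bot: In this `allOtherEvents` item, `<parameter param-name="donePage" from-field="parameters.donePage"/>` forwards the same request value that is also used as `target`, with no handling for the case where it is absent. When `parameters.donePage` is empty the link gets an empty target and an empty `donePage`; add a default target, or extend the `<condition>` so the item is only rendered when the field is set.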
Thanks
Jacques
Re: secure confirmAction.patch
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Hans,
I saw that you fixed PartyMenus.xml in r761221
Thanks for that, but please tell me when you do that, it's easier for me to track work to be done after.
I guess MyPageMenus.xml is ok but not sure since I did not clearly find (actually I gave up) where it's used from UI though I saw it's used in some places.
Jacques
From: "Jacques Le Roux" <ja...@les7arts.com>
As I'm busy and focused on securing URLs, I need a little help to avoid searching by myself.
My worry is
Index: applications/party/widget/partymgr/PartyMenus.xml
===================================================================
--- applications/party/widget/partymgr/PartyMenus.xml (revision 760815)
+++ applications/party/widget/partymgr/PartyMenus.xml (working copy)
@@ -260,7 +260,10 @@
<condition>
<if-compare field="parameters.all" operator="equals" value="true" />
</condition>
- <link
target="${bsh:session.getAttribute("_LAST_VIEW_NAME_")}?portalPageId=${parameters.portalPageId}&all=false" />
+ <link target="${session.getAttribute("_LAST_VIEW_NAME_")}" >
+ <parameter param-name="portalPageId" from-field="parameters.portalPageId"/>
+ <parameter param-name="all" value="false"/>
+ </link>
</menu-item>
<menu-item name="allOtherEvents" title="${uiLabelMap.PartyAllEvents}">
<condition>
@@ -269,7 +272,10 @@
<if-empty field="parameters.all"/>
</or>
</condition>
- <link
target="${bsh:session.getAttribute("_LAST_VIEW_NAME_")}?portalPageId=${parameters.portalPageId}&all=true" />
+ <link target="${session.getAttribute("_LAST_VIEW_NAME_")}" >
+ <parameter param-name="portalPageId" from-field="parameters.portalPageId"/>
+ <parameter param-name="all" value="true"/>
+ </link>
</menu-item>
</menu>
<menu name="MyCommSubTabBar" menu-container-style="button-bar button-style-2">
Index: specialpurpose/mypage/widget/MyPageMenus.xml
===================================================================
--- specialpurpose/mypage/widget/MyPageMenus.xml (revision 760815)
+++ specialpurpose/mypage/widget/MyPageMenus.xml (working copy)
@@ -154,7 +154,10 @@
<condition>
<if-compare field="parameters.all" operator="equals" value="true" />
</condition>
- <link target="${parameters.donePage}?donePage=${parameters.donePage}&all=false" />
+ <link target="${parameters.donePage}" >
+ <parameter param-name="donePage" from-field="parameters.donePage"/>
+ <parameter param-name="all" value="false"/>
+ </link>
</menu-item>
<menu-item name="allOtherEvents" title="${uiLabelMap.MyPageAllEvents}">
<condition>
@@ -163,7 +166,10 @@
<if-empty field="parameters.all"/>
</or>
</condition>
- <link target="${parameters.donePage}?donePage=${parameters.donePage}&all=true" />
+ <link target="${parameters.donePage}" >
+ <parameter param-name="donePage" from-field="parameters.donePage"/>
+ <parameter param-name="all" value="true"/>
+ </link>
</menu-item>
</menu>
Thanks
Jacques