Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2012/07/23 10:14:35 UTC

[jira] [Comment Edited] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420497#comment-13420497 ] 

Jacques Le Roux edited comment on OFBIZ-4956 at 7/23/12 8:13 AM:
-----------------------------------------------------------------

== ADD INFO ==
I just want to be sure that, for instance, none are called from eCommerce where a user can be anonymous... Could you check that?
Like those in ordermgr, e.g.:
* getAssociatedStateList
* crosssell
                
      was (Author: jacques.le.roux):
    I just want to be sure that, for instance, none are called from eCommerce where a user can be anonymous... Could you check that?
                  
> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>            Reporter: Amardeep Singh Jhajj
>             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk, Release Branch 12.04
>
>         Attachments: OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and can access any resources without authorization. 
> For Example - https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above URL does not need authorization (you can access any resource by changing the dataResourceId). I think all the URLs should be secured with auth="true" and https="true" in all the application components. 
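An added check for the point raised in this issue (example code written here, not part of the issue or of the OFBiz code base): it scans a controller.xml and lists every request-map whose <security> element does not set both auth="true" and https="true". The site-conf/request-map/security layout is the real OFBiz controller format; the sample document and the request URI "exampleLookup" are constructed for this example, and treating a missing <security> element as auth="false" https="false" is an assumption.

```python
"""Audit an OFBiz controller.xml for request-maps reachable without login.

Added example, not part of the JIRA issue or the OFBiz code base. The
site-conf/request-map/security layout is the real OFBiz format; the
sample document below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the weak entry quoted in the issue, one hardened
# entry, and one hypothetical entry with no <security> element at all.
SAMPLE_CONTROLLER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<site-conf>
    <request-map uri="ViewSimpleContent">
        <security https="true" auth="false"/>
        <response name="success" type="view" value="ViewSimpleContent"/>
    </request-map>
    <request-map uri="EditContent">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="EditContent"/>
    </request-map>
    <request-map uri="exampleLookup">
        <response name="success" type="view" value="main"/>
    </request-map>
</site-conf>
"""


def audit_request_maps(xml_text):
    """Return [(uri, https, auth)] for every request-map that is not
    fully protected, i.e. auth != "true" or https != "true".

    Assumption: a missing <security> element (or attribute) behaves as
    auth="false" / https="false", so such entries are reported too."""
    root = ET.fromstring(xml_text)
    findings = []
    for rm in root.iter("request-map"):
        uri = rm.get("uri", "")
        sec = rm.find("security")
        https = sec.get("https", "false") if sec is not None else "false"
        auth = sec.get("auth", "false") if sec is not None else "false"
        if auth != "true" or https != "true":
            findings.append((uri, https, auth))
    return findings


if __name__ == "__main__":
    for uri, https, auth in audit_request_maps(SAMPLE_CONTROLLER_XML):
        print(f"{uri}: https={https} auth={auth}")
```

Run it over each component's webapp/*/WEB-INF/controller.xml to get the list of entries that Jacques asks to be reviewed against anonymous (eCommerce) access.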
