Posted to dev@ofbiz.apache.org by "Amardeep Singh Jhajj (JIRA)" <ji...@apache.org> on 2012/07/07 14:10:34 UTC

[jira] [Created] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Amardeep Singh Jhajj created OFBIZ-4956:
-------------------------------------------

             Summary: "auth" should be true for all the request url used for Application components.
                 Key: OFBIZ-4956
                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
             Project: OFBiz
          Issue Type: Improvement
          Components: ALL APPLICATIONS
            Reporter: Amardeep Singh Jhajj
             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk, Release Branch 12.04


Currently there are some URLs present in application components with auth="false", so anyone can hit these URLs and access any resources without authorization.

For Example - https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG

Currently, the above URL does not need authorization (you can access any resource by changing the dataResourceId). I think all the URLs should be secured with auth="true" and https="true" in all the application components.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Commented] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Posted by "Amardeep Singh Jhajj (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420462#comment-13420462 ] 

Amardeep Singh Jhajj commented on OFBIZ-4956:
---------------------------------------------

Hi Jacques,

I didn't check each one by one due to time shortage, but I checked many of them. But we need to make sure that application component URLs are only accessed by authorized users. As I mentioned, the example URL above can be accessed by anyone, which is bad.
                
> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>            Reporter: Amardeep Singh Jhajj
>             Fix For: Release Branch 10.04, Release Branch 11.04, SVN trunk, Release Branch 12.04
>
>         Attachments: OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some URLs present in application components with auth="false", so anyone can hit these URLs and access any resources without authorization.
> For Example - https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above URL does not need authorization (you can access any resource by changing the dataResourceId). I think all the URLs should be secured with auth="true" and https="true" in all the application components.


[jira] [Commented] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13414607#comment-13414607 ] 

Jacques Le Roux commented on OFBIZ-4956:
----------------------------------------

Hi Amardeep,

I did not review anything yet (just a glance). Did you check them one by one? Did you think about reasons those requests might not need to use auth, or even should not?


[jira] [Updated] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Posted by "Amardeep Singh Jhajj (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amardeep Singh Jhajj updated OFBIZ-4956:
----------------------------------------

    Attachment: OFBIZ-4956.patch
                OFBIZ-4956-Release-11.04.patch
                OFBIZ-4956-Release-10.04.patch

Patch attached for Release branches and trunk.


[jira] [Commented] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420497#comment-13420497 ] 

Jacques Le Roux commented on OFBIZ-4956:
----------------------------------------

I just want to be sure that, for instance, none are called from eCommerce, where a user can be anonymous... Could you check that?


[jira] [Comment Edited] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420497#comment-13420497 ] 

Jacques Le Roux edited comment on OFBIZ-4956 at 7/23/12 8:13 AM:
-----------------------------------------------------------------

== ADD INFO ==
I just want to be sure that, for instance, none are called from eCommerce, where a user can be anonymous... Could you check that?
Like those in ordermgr, eg:
* getAssociatedStateList
* crosssell
                
      was (Author: jacques.le.roux):
    I just want to be sure that, for instance, none are called from eCommerce, where a user can be anonymous... Could you check that?

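As an added example (not code from the OFBiz project or from anyone in this thread), the following Python audit lists the request-maps in a controller.xml that are reachable without login, keeps an allowlist for requests that are reviewed as legitimately anonymous (the eCommerce-called ones Jacques points at, such as getAssociatedStateList and crosssell), and applies auth="true" https="true" to the rest. The sample controller.xml is constructed here; the site-conf element and attribute names (request-map, security, uri, https, auth) are assumed from OFBiz's controller.xml format, and a missing attribute is treated as "false" by the audit as a conservative assumption.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the site-conf layout of an OFBiz controller.xml; the
# element and attribute names are assumed from that format, not a real file.
SAMPLE_CONTROLLER_XML = """<site-conf>
    <request-map uri="ViewSimpleContent">
        <security https="false" auth="false"/>
        <response name="success" type="view" value="ViewSimpleContent"/>
    </request-map>
    <request-map uri="getAssociatedStateList">
        <security https="false" auth="false"/>
        <response name="success" type="view" value="getAssociatedStateList"/>
    </request-map>
    <request-map uri="login">
        <response name="success" type="view" value="main"/>
    </request-map>
</site-conf>"""

# Reviewed, accepted anonymous requests (eCommerce calls); a constructed list.
ANONYMOUS_ALLOWLIST = frozenset({"getAssociatedStateList", "crosssell", "login"})

def find_unauthenticated_requests(xml_text, allowlist=frozenset()):
    """(uri, https, auth) per non-allowlisted map not requiring auth. Missing attr
    -> "false" (conservative assumption); no <security> -> (uri, None, None)."""
    findings = []
    for rm in ET.fromstring(xml_text).findall("request-map"):
        uri = rm.get("uri")
        if uri in allowlist:
            continue
        sec = rm.find("security")
        if sec is None:
            findings.append((uri, None, None))  # needs manual review
            continue
        auth = sec.get("auth", "false").lower() == "true"
        https = sec.get("https", "false").lower() == "true"
        if not auth:
            findings.append((uri, https, auth))
    return findings

def harden(xml_text, allowlist=frozenset()):
    """Return the XML with https="true" auth="true" on every non-allowlisted map."""
    root = ET.fromstring(xml_text)
    for rm in root.findall("request-map"):
        if rm.get("uri") not in allowlist:
            sec = rm.find("security")
            if sec is None:
                sec = ET.SubElement(rm, "security")
            sec.set("https", "true")
            sec.set("auth", "true")
    return ET.tostring(root, encoding="unicode")
```

Run the audit over each component's controller.xml before and after applying a patch like the ones attached here; anything still listed is either an allowlisted anonymous request or a map that needs a decision.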