Fwd: Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components


Fwd: Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components

Jacques Le Roux
Administrator

Hi Deepak,

Yes, I wondered about that too, but in which case/s do you think getAssociatedStateList can be requested w/o being authenticated?

Thanks

Jacques

On 16/03/2020 at 06:49, Deepak Dixit wrote:

> Hi Jacques,
>
> I think we can't make auth true for getAssociatedStateList; this will break the anon checkout flow.
>
> Thanks & Regards
> --
> Deepak Dixit
> ofbiz.apache.org <http://ofbiz.apache.org>
>
>
>     On Sat, Mar 14, 2020 at 1:19 PM <[hidden email]> wrote:
>
>     This is an automated email from the ASF dual-hosted git repository.
>
>     jleroux pushed a commit to branch trunk
>     in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
>
>
>     The following commit(s) were added to refs/heads/trunk by this push:
>          new e72e134  Improved: "auth" should be true for all the request url used for Application components
>     e72e134 is described below
>
>     commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
>     Author: Jacques Le Roux <[hidden email]>
>     AuthorDate: Sat Mar 14 08:49:54 2020 +0100
>
>         Improved: "auth" should be true for all the request url used for Application
>         components
>
>         (OFBIZ-4956)
>
>         Currently there are some URLs present in application components with
>         auth="false". So anyone can hit these URLs and access these resources without
>         authorization.
>
>         I think all the URLs should be secured with auth="true"
>
>         Thanks: Amardeep Singh Jhajj for report and initial fix
>     ---
>      ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
>      1 file changed, 1 insertion(+), 1 deletion(-)
>
>     diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>     index 5f7031c..27a0383 100644
>     --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>     +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>     @@ -1605,7 +1605,7 @@ under the License.
>          </request-map>
>
>          <request-map uri="getAssociatedStateList">
>     -        <security https="true" auth="false"/>
>     +        <security https="true" auth="true"/>
>              <event type="service" invoke="getAssociatedStateList"/>
>              <response name="success" type="request" value="json"/>
>              <response name="error" type="request" value="json"/>
>
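Review bot: flipping getAssociatedStateList to auth="true" in this hunk touches only ecommerce/webapp/ecommerce/WEB-INF/controller.xml (the single file in the diffstat), while the commit title and message talk about application components; in the ecommerce storefront this mapping is hit by the anonymous checkout flow, as Deepak points out above, so requiring a login here locks out unauthenticated shoppers instead of hardening a back-office URL. Suggest keeping `<security https="true" auth="false"/>` on this ecommerce mapping and applying auth="true" to the request-maps in the application components the message actually targets, or adding a separate authenticated request-map there, which is the duplicate approach proposed later in this thread. Note also that https="true" was already set, so the change adds nothing on the transport side; the only effect is the login requirement.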

Re: Fwd: Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components

Jacques Le Roux
Administrator
Oops, right indeed, I did not think about the anon checkout flow in ecommerce.

I think I'll duplicate and make one only false in ecommerce

Jacques

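One way to turn the commit message's observation (request-maps with auth="false" that anyone can hit) and the follow-up proposal (keep only the ecommerce copy anonymous) into a repeatable check is to audit a controller.xml for request-maps that do not require a login and compare them against an explicit allowlist of intentionally anonymous URIs. The script below is an added example, not code from OFBiz or from anyone in this thread. The controller.xml sample it parses is constructed for the example: only the getAssociatedStateList mapping is taken from the hunk above; updateProfile, legacyExport and main are hypothetical, as is ANON_ALLOWLIST. It also assumes, for the purposes of the audit, that a request-map with no <security> child should be reported as not requiring a login; check the defaults of your OFBiz version before relying on that.

```python
"""Audit an OFBiz-style controller.xml for request-maps reachable without login.

Added example for this thread; not OFBiz code. The sample XML is constructed:
only getAssociatedStateList mirrors the hunk quoted above, the rest is made up.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an OFBiz controller.xml (namespaced like the
# real files). Only the getAssociatedStateList mapping comes from the commit above.
SAMPLE_CONTROLLER_XML = """<site-conf xmlns="http://ofbiz.apache.org/Site-Conf">
    <request-map uri="getAssociatedStateList">
        <security https="true" auth="false"/>
        <event type="service" invoke="getAssociatedStateList"/>
        <response name="success" type="request" value="json"/>
        <response name="error" type="request" value="json"/>
    </request-map>
    <request-map uri="updateProfile">
        <security https="true" auth="true"/>
        <event type="service" invoke="updateProfile"/>
        <response name="success" type="view" value="profile"/>
    </request-map>
    <request-map uri="legacyExport">
        <security https="false" auth="false"/>
        <event type="java" path="org.example.Legacy" invoke="export"/>
        <response name="success" type="view" value="export"/>
    </request-map>
    <request-map uri="main">
        <response name="success" type="view" value="main"/>
    </request-map>
</site-conf>
"""

# Hypothetical allowlist: URIs the storefront deliberately serves to anonymous users.
ANON_ALLOWLIST = frozenset({"getAssociatedStateList"})


def _local(tag):
    """Strip the XML namespace so the audit works on namespaced and plain files."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def audit_controller(xml_text, allowlist=frozenset()):
    """Return one dict per request-map that does not require a login.

    Login is treated as required only when a <security> child carries auth="true",
    which matches how the hunk above expresses the requirement. A request-map with
    no <security> child is reported as undeclared (assumed anonymous for the audit).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rm in root.iter():
        if _local(rm.tag) != "request-map":
            continue
        uri = rm.get("uri", "")
        sec = _child(rm, "security")
        if sec is None:
            auth, https, declared = False, None, False
        else:
            auth = sec.get("auth", "").strip().lower() == "true"
            https = sec.get("https", "").strip().lower() == "true"
            declared = True
        if auth:
            continue  # login required: not a finding
        event = _child(rm, "event")
        findings.append({
            "uri": uri,
            "declared": declared,
            "https": https,
            "event": None if event is None else (event.get("type"), event.get("invoke")),
            "allowlisted": uri in allowlist,
        })
    return findings


def unexpected_anonymous(findings):
    """URIs reachable without login that are not on the allowlist (sorted)."""
    return sorted(f["uri"] for f in findings if not f["allowlisted"])


def format_report(findings):
    """One human-readable line per finding, allowlisted entries marked as such."""
    lines = []
    for f in findings:
        status = "allowlisted" if f["allowlisted"] else "REVIEW"
        sec = ("no <security> element" if not f["declared"]
               else f"https={str(f['https']).lower()} auth=false")
        ev = "no event" if f["event"] is None else f"event {f['event'][0]}:{f['event'][1]}"
        lines.append(f"{status:11} {f['uri']:24} {sec}; {ev}")
    return lines


if __name__ == "__main__":
    for line in format_report(audit_controller(SAMPLE_CONTROLLER_XML, ANON_ALLOWLIST)):
        print(line)
```

Run against a real plugin's WEB-INF/controller.xml, the REVIEW lines are the candidates for auth="true"; anything you decide must stay anonymous (the storefront's getAssociatedStateList, per this thread) goes on the allowlist so the audit stays quiet about it and loud about the rest.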