OFBiz › OFBiz - Dev

ajaxAutocompleteOptions screen

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

3 messages Options

Jacques Le Roux

ajaxAutocompleteOptions screen

Administrator

Hi,

I wonder about this in ajaxAutocompleteOptions screen framework/common/widget/CommonScreens.xml
<<FindAutocompleteOptions.groovy FIXME: Disabled because it represents a security hole.>>

Should we care about it, or simply remove the commentted out snippet?

Thanks

Jacques

Bilgin Ibryam-2

Re: ajaxAutocompleteOptions screen

On Fri, Dec 17, 2010 at 9:12 AM, Jacques Le Roux <
[hidden email]> wrote:

> Hi,
>
> I wonder about this in ajaxAutocompleteOptions screen
> framework/common/widget/CommonScreens.xml
> <<FindAutocompleteOptions.groovy FIXME: Disabled because it represents a
> security hole.>>
>
> Should we care about it, or simply remove the commentted out snippet?
>
> Thanks
>
> Jacques
>
>

You can remove the comment without worries. It applies to the old version of
the FindAutocompleteOptions.groovy where entityName was retrieved from
parameters, thus allowing users to query any entity.

Bilgin

Jacques Le Roux

Re: ajaxAutocompleteOptions screen

Administrator

From: "Bilgin Ibryam" <[hidden email]>

> On Fri, Dec 17, 2010 at 9:12 AM, Jacques Le Roux <
> [hidden email]> wrote:
>
>> Hi,
>>
>> I wonder about this in ajaxAutocompleteOptions screen
>> framework/common/widget/CommonScreens.xml
>> <<FindAutocompleteOptions.groovy FIXME: Disabled because it represents a
>> security hole.>>
>>
>> Should we care about it, or simply remove the commentted out snippet?
>>
>> Thanks
>>
>> Jacques
>>
>>
> You can remove the comment without worries. It applies to the old version of
> the FindAutocompleteOptions.groovy where entityName was retrieved from
> parameters, thus allowing users to query any entity.
>
> Bilgin

Thanks Bilgin,

Done at r1055370

Jacques