[jira] [Closed] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Closed] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-4956.
----------------------------------
    Resolution: Won't Do

I have checked all request-maps with auth="false" but only 20 in ecommerce and wepos and I found any issues.

Now, as auth="false" is the default, I can't say I reviewed all cases. But with the ones I did already I think we are safe because the cases are:
* action (direct, or bysubmit or Ajax) needs either auth or role permission
* in ecommerce anonymous users should be able to do things

Conclusion this action is useless, closing as won't do

> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 11.04, Release Branch 12.04, Release Branch 13.07, Trunk
>            Reporter: Amardeep Singh Jhajj
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some url present in application components with auth="false". So anyone can hit this urls and can access any resources without authorization.
> For Example - https://demo-trunk.ofbiz.apache.org/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above url does not need authorization (you can access any resource by changing the dataResourceId). I think all the url should be secure with auth="true" and https="true" in all the application components.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)