[ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17085883#comment-17085883 ]
Jacques Le Roux commented on OFBIZ-4956:
----------------------------------------
I made some related points in
https://markmail.org/message/chklzrmhskvbspzv, notably
bq. I don't think there is a need to systematise a default to csrf-token="false" when auth="false". I just want to work on OFBIZ-4956 and, while doing so, check that if we change auth="false" to true, as it implies csrf-token="true", there will not be undesired side effects. And in other cases (where auth="false" must remain) we need to decide if we should set the CSRF token check to false.
> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>
> Key: OFBIZ-4956
> URL: https://issues.apache.org/jira/browse/OFBIZ-4956
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS
> Affects Versions: Release Branch 11.04, Release Branch 12.04, Release Branch 13.07, Trunk
> Reporter: Amardeep Singh Jhajj
> Assignee: Jacques Le Roux
> Priority: Major
> Attachments: OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch, OFBIZ-4956.patch
>
>
> Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and can access any resources without authorization.
> For Example -
> https://demo-trunk.ofbiz.apache.org/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above URL does not need authorization (you can access any resource by changing the dataResourceId). I think all the URLs should be secured with auth="true" and https="true" in all the application components.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
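As an added example (not OFBiz project code and not part of this issue), a small audit in the spirit of the description above: it parses a controller.xml and lists every request-map that does not require auth="true", with the https and csrf-token values as written, so the request-maps that must stay public can be reviewed deliberately rather than by accident. The sample controller.xml is constructed, and treating a missing <security> element as auth="false" is an assumption made for the audit.

```python
# Added example (not OFBiz project code): audit an OFBiz controller.xml for
# request-maps reachable without login (auth="false" or no <security> element).
import xml.etree.ElementTree as ET

# Constructed sample in the controller.xml shape the issue discusses.
SAMPLE_CONTROLLER_XML = """<site-conf xmlns="http://ofbiz.apache.org/Site-Conf">
    <request-map uri="ViewSimpleContent">
        <security https="true" auth="false"/>
        <response name="success" type="view" value="ViewSimpleContent"/>
    </request-map>
    <request-map uri="main">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="main"/>
    </request-map>
    <request-map uri="login">
        <security https="true" auth="false" csrf-token="false"/>
        <response name="success" type="view" value="main"/>
    </request-map>
    <request-map uri="legacyPing">
        <response name="success" type="view" value="ping"/>
    </request-map>
</site-conf>"""

def _local(tag):  # strip {namespace} so the check works with or without xmlns
    return tag.rsplit("}", 1)[-1]

def audit_request_maps(xml_text):
    """List request-maps that do not require auth="true", with their https and
    explicit csrf-token values (None when absent). Assumption: a missing
    <security> element is reported as auth="false", the conservative reading."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "request-map":
            continue
        sec = next((c for c in elem if _local(c.tag) == "security"), None)
        https = sec.get("https", "false") if sec is not None else "false"
        auth = sec.get("auth", "false") if sec is not None else "false"
        csrf = sec.get("csrf-token") if sec is not None else None
        if auth != "true":
            findings.append({"uri": elem.get("uri"), "https": https, "auth": auth,
                             "csrf_token": csrf, "has_security": sec is not None})
    return findings

if __name__ == "__main__":
    for f in audit_request_maps(SAMPLE_CONTROLLER_XML):
        print(f"{f['uri']}: https={f['https']} auth={f['auth']} "
              f"csrf-token={f['csrf_token']} security-element={f['has_security']}")
```

Run against each component's controller.xml; a request-map in the output either gets auth="true" or is recorded as a deliberate public endpoint with its csrf-token choice made explicit.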